Mozilla Firefox plugin to generate unique passwords on each website

Michaël Lemaire 3ed7dcdc81 Version 1.1.0 1 month ago

HashLock - Secure passwords for Firefox


HashLock is an add-on for the Mozilla Firefox web browser, allowing you to use a different password on each website.

Important note: This is alpha software, and is not yet available on the official add-ons store. Use at your own risk.


Having a different password on each website is a strong security recommendation. This way, if a website is hacked, and your password is stolen, it can't be used on every website you've got an account on.

This add-on helps by generating a unique password for you, on each website you visit. The password is generated from 3 components:

  • The website main name (for example, if you're visiting, the part mozilla will be used)
  • A private key (only visible in the options page, you never have to type it)
  • A common password you have to type (it can be a trivial word like banana without security risk)

The private key is added as an extra layer of security. Its only downside is that you have to keep it in a safe place, and you need to have it with you when you're not on your usual computer.


Once reaching a beta stage, the add-on will be made available from the official add-ons store.

If you are a developer, you can clone the repository, and use these commands to test the add-on:

npm install
npm run build
npm run browser


On the first install, the add-on will generate a unique private key. This key is accessible from the add-on's options page. This key is very important and you should keep a copy of it in a safe place. Don't change this key once it has been used to generate a password, or the password will change too.

Now, when you have a password field on a website, all you need to do is type a simple keyword of your choice in it, followed by the hash sign # (for example, type foobar#). You can use the same keyword on each site (it is even recommended). Once you click outside the password field, a secure password, unique to this website, will replace the typed one. The field should get surrounded by a yellow frame, so that you know it worked.

The only thing you have to remember is the keyword you typed before the hash sign, and to always use the same one.

The site tag used to generate the password is extracted from the site's domain (e.g. will use example as site tag). If the site detection is wrong, or if the password has been created on another domain (for example, and share the same password), you can specify the site tag with the syntax foobar@sitetag#.

By default, generated passwords are composed of 12 alphanumeric characters. To generate a different length or character set, the syntax foobar~12w# can be used. The number is the length of the generated password, and the letter is either w for alphanumeric, d for digits or c for alphanumeric with a special character.

All syntaxes may be combined: foobar@sitetag~14d#.
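
The field syntax described above, written out as a parser. This is an added example, not HashLock's own code: the names PasswordSpec, parseField and siteTagFromHost are hypothetical, and it assumes the keyword cannot contain @, ~ or #, that the length and the letter always appear together, and that the site tag is the label left of the last dot.

```typescript
// Added example: parser for the keyword@sitetag~14d# field syntax.
// All names here are hypothetical, not taken from the HashLock sources.
type CharClass = "w" | "d" | "c"; // alphanumeric, digits, alphanumeric + special

interface PasswordSpec {
  keyword: string;
  siteTag: string;
  length: number;
  charClass: CharClass;
}

// Naive site tag: the label left of the last dot. Assumption: no public-suffix
// handling, so "example.co.uk" yields "co" and needs an explicit @sitetag.
function siteTagFromHost(host: string): string {
  const labels = host.toLowerCase().split(".").filter((l) => l.length > 0);
  return (labels.length >= 2 ? labels[labels.length - 2] : labels[0]) ?? "";
}

// Returns null when the field must be left untouched (no trailing '#', empty
// keyword, malformed options), so an ordinary password is never rewritten.
function parseField(value: string, host: string): PasswordSpec | null {
  const m = /^([^@~#]+)(?:@([^@~#]+))?(?:~(\d{1,3})([wdc]))?#$/.exec(value);
  if (m === null) return null;
  const length = m[3] === undefined ? 12 : parseInt(m[3], 10); // default: 12
  if (length < 1) return null;
  const siteTag = m[2] ?? siteTagFromHost(host); // explicit tag wins
  if (siteTag === "") return null;
  return { keyword: m[1], siteTag, length, charClass: (m[4] ?? "w") as CharClass };
}
```

The co.uk case shows why the explicit @sitetag form matters: a wrong site tag still produces a password, just not the one created before.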


Sources can be found, reviewed, or contributed to, on GitHub.