"A Proud Gentoo User"


You certainly know the problem of keeping track of your non-vital passwords for various sites (assuming that more important passwords, such as for your webmail, are already quite random). Some people write down these passwords, others use some mnemonic algorithm such as the inverse of the username, or username with some trailing domain-based characters. However, such solutions are often quite insecure.

With hex2passwd you can create passwords that are relatively random yet still based on mnemonics. Because its output looks random, attackers will have more difficulty finding the mnemonic you use. And, because the tool always generates the same password for the same input, you can use this tool to create all passwords you require.

Tool Usage

The hex2passwd tool takes the output of a checksum algorithm (which is a hexadecimal representation) and converts it into a string of characters. You can select how many characters you want and which "pool" of characters to pick from (for instance, alphanumeric only, or numeric only, or ...).

For instance, to create a password of 8 characters from the (default) set [0-9][a-z][A-Z].!:

$ echo password | sha1sum | hex2passwd -n 8

You can also pick from an alternative set of characters, such as [0-9][a-w] excluding q:

$ echo passwd | sha1sum | hex2passwd -n 8 -1

or from [0-9]+-/*() (which resembles arithmetic):

$ echo passwd | sha1sum | hex2passwd -n 8 -2

To be fully flexible, you can even enter your own set of characters (as long as it is 16, 32, 64, 128 or 256 characters wide):

$ echo passwd | sha1sum | hex2passwd -n 8 -m thesearemyhiddencharactermapping

You can also scramble the mapping table first with a seed. This seed will first transform the mapping by switching values. Such a seed can be used to "personalize" your password even more:

$ echo passwd | sha1sum | hex2passwd -n 8 -s 05


When using scrambling, the tool will look at the seed to introduce some switching in the mapping table.

Each bit in the seed decides if switching is needed or not. The first bit (least significant one) decides if the two halves of a map need to be switched. The second bit decides if the pairwise quarters of a map need to be switched, etc.

For instance, a seed of 05 (00000101) will result in:

Seed: 00000101

0:    ...
0:    ...
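
The bit-by-bit switching described above, as an added example that is not hex2passwd's own source. It assumes that "pairwise quarters" means quarter 1 swaps with 2 and 3 with 4 (and so on for smaller blocks), that seed bits beyond log2 of the map length are ignored, and it uses a constructed 16-character map. Under that reading the scramble reduces to an XOR on the map index, which the second function makes explicit.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not hex2passwd's source. Assumed reading of the text:
 * seed bit k swaps adjacent blocks of len / 2^(k+1) characters. */
static void swap_adjacent_blocks(char *map, size_t len, size_t block)
{
    for (size_t base = 0; base + 2 * block <= len; base += 2 * block)
        for (size_t i = 0; i < block; i++) {
            char tmp = map[base + i];
            map[base + i] = map[base + block + i];
            map[base + block + i] = tmp;
        }
}

/* Scramble map in place; len must be a power of two (16..256).
 * Returns how many seed bits the map can consume (log2 of len);
 * higher seed bits are ignored (assumption). */
int scramble_map(char *map, size_t len, unsigned seed)
{
    int bits = 0;
    for (size_t block = len / 2; block >= 1; block /= 2, bits++)
        if (seed & (1u << bits))
            swap_adjacent_blocks(map, len, block);
    return bits;
}

/* Equivalent closed form: scrambled[i] == original[i ^ index_mask(len, seed)]. */
size_t index_mask(size_t len, unsigned seed)
{
    size_t mask = 0;
    int bit = 0;
    for (size_t block = len / 2; block >= 1; block /= 2, bit++)
        if (seed & (1u << bit))
            mask |= block;
    return mask;
}

int main(void)
{
    char map[] = "0123456789abcdef";   /* constructed sample map */
    int bits = scramble_map(map, strlen(map), 0x05);
    printf("seed 0x05 -> %s (mask %zu, %d usable seed bits)\n",
           map, index_mask(16, 0x05), bits);
    return 0;
}
```

Under these assumptions a map of N characters has only N distinct scrambles (64 for a 64-character map), so the seed adds at most log2(N) bits of secrecy on top of the mnemonic.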

Character Maps

A character map contains the list of characters you want to use for your password generation. A map must be at least 16 characters wide, and always a power of 2 (so 16, 32, 64, 128, 256). You can create maps with the same character occurring multiple times if you want (although this renders the password a little less secure as some characters then have a higher chance of occurring inside the password).

If you want to use a set of characters with a different length, I recommend padding the map with a filler character that you treat as a non-character. For instance, if you want a password to contain only numbers ([0-9]) you can use a map 0123456789...... and discard the periods in your password:

$ echo passwd | sha1sum | hex2passwd -n 10 -m 0123456789......

With this example, your resulting password would then be 32328332.

Why hex2passwd

Password Lists

You can use hex2passwd to substitute a password list file for all your favorite sites.

For instance, you devise a mnemonic for your passwords (such as domainname-username-sequence), decide upon a seed (say 14) and character map thequickbrownfoxjumpedoverthelazydogbutgotkilledbymockingbirdies. Now, your password list file just contains the sites with username:

$ cat passwordlist
seed = thequickbrownfoxjumpedoverthelazydogbutgotkilledbymockingbirdies

To find out your site password, just use your mnemonic, character map and seed:

$ echo bugs.gentoo.org-myaccount-1 | md5sum | hex2passwd -n 10 -m thequickbrownfoxjumpedoverthelazydogbutgotkilledbymockingbirdies -s 14

Personally, I prefer the default character map (that's why I made it default), which would create:

$ echo bugs.gentoo.org-myaccount-1 | md5sum | hex2passwd -n 10 -s 14

Because your mnemonic is unknown, the hashing algorithm you use is unknown (you can use md5sum, cksum, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, ...), your scrambling seed is unknown and your character map is unknown, I would be fairly surprised if your passwords can still be guessed.

If you rotate your passwords often, include a sequence number in your mnemonic and increment it on each rotation. Keep track of the current number in your site listing (or just try successive numbers on the site until you've found the correct password again). In the example below, the mnemonic also contains a generic password:

$ echo mocking-bugs.gentoo.org-myaccount-1 | md5sum | hex2passwd -n 10 -s 14
$ echo mocking-bugs.gentoo.org-myaccount-2 | md5sum | hex2passwd -n 10 -s 14
$ echo mocking-bugs.gentoo.org-myaccount-3 | md5sum | hex2passwd -n 10 -s 14
$ echo mocking-bugs.gentoo.org-myaccount-4 | md5sum | hex2passwd -n 10 -s 14

Download and Run

You can download the source code from this site. The code is GPLv3 licensed.

To compile and install:

$ gcc -o hex2passwd -std=c99 -Wall hex2passwd.c
$ sudo cp hex2passwd /usr/local/bin

Examples are given in the Tool Usage section.

Original Idea

The idea to build this software came from the definition of rainbow attacks, where an algorithm is used to convert a cryptographic hash of a password back into a(nother) password to chain a set of passwords together.