The golden rule when it comes to securing your online accounts is to never use the same password more than once. Even if you are guilty of breaking this rule for throwaway accounts, you should at the very least never use your most important passwords more than once.

But what if you could use just the one password everywhere, without having to sign up for a password management service or pay subscription fees? That’s exactly what KeyGrinder lets you do, and it’s completely free to use online and via the iPhone app.

If you have trouble remembering passwords but are concerned about storing the keys to your online life, you might want to try it out.

How It Works

KeyGrinder works using a very simple principle, and that is one already widely used to store passwords securely – hashing. In fact, KeyGrinder uses the same technique used by Stanford University project PwdHash which was designed to create theft-resistant passwords. The idea fuses the convenience of an easy to remember password with the security of using very strong, completely unique passwords.

When you use KeyGrinder to generate passwords, it takes your input (e.g. “password”) and the address of the website you are visiting (e.g. “”). By converting your password into a domain-specific hash of both your input and the website you are trying to access, each and every password for every domain you visit will be entirely unique. Because these passwords are hashes, they’re also a strong combination of upper case, lower case and numbers and thus are naturally stronger than most memorable passwords.

KeyGrinder is virtually identical to PwdHash, and both services generate the same passwords when given the same input credentials. Because certain websites have entirely different sub-domains for handling separate functions i.e. and, KeyGrinder uses only the “” part of the domain, which means you won’t have to remember each and every domain and sub-domain you use.

In fact, all of the following domain variations generated the same secure password: “”, “”, “”, “” “”. Note how the “http://”, “www.” and anything after the top-level domain (in this case “.com”) is ignored.

The length of each password will vary depending on the input password you supply, so for “” using “password” generates: GEGW8EGRbW. However, if you use “mypasswordisaverylongpassword” then you’ll get: CYbbtuHIZ24PVt0qHwMFXAAAAA. At no point will the generated password exceed 26 characters.
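
The scheme described above, sketched as an added example (not KeyGrinder's or PwdHash's own code): it uses HMAC-SHA-256 as a stand-in, so its output will not match theirs. The function names, the small two-level suffix set, the `example.com` inputs and the length rule (master length plus two, capped at 26, mirroring the sample outputs above) are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption for this sketch).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def site_key(url: str) -> str:
    """Reduce a URL to the part of the host name that identifies the site."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat a bare host as the network location
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("no host name in %r" % url)
    labels = host.split(".")
    # Keep three labels for suffixes such as co.uk, otherwise two.
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def site_password(master: str, url: str, max_len: int = 26) -> str:
    """Derive a per-site password from the master password and the site key."""
    mac = hmac.new(master.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    text = base64.b64encode(mac).decode("ascii").rstrip("=")
    # Assumed length rule: output grows with the master password, up to max_len.
    return text[:min(len(master) + 2, max_len)]


if __name__ == "__main__":
    # Constructed inputs: every variant of one site yields the same password.
    for url in ("http://www.example.com/login", "example.com",
                "accounts.example.com/settings", "https://example.org"):
        print(url, "->", site_password("password", url))
```

Nothing is stored: the same master password and site always reproduce the same output. Because a plain HMAC is fast to compute, the derived passwords are only as hard to guess as the master password itself.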

From Your iPhone & Browser

Having access to services like KeyGrinder or PwdHash on the web is handy, but when it comes to mobile usage accessing a website isn’t always the most convenient of operations. For this, there is the official KeyGrinder app, which used to cost $0.99 but now appears to be completely free. It offers identical functionality to the website, except from the convenience of a touch interface.

What’s more, KeyGrinder for iOS will remember the URLs you have used, so you can simply enter your master password and choose from your frequent sites before generating your hash and copying the password to your clipboard. You can then paste the hash into the service you need to login.

That’s pretty much it. Keep your online profiles completely safe, all the while using the same single password and your clipboard from a web browser or iOS device. Oh, and one of the best things about using a cryptographic solution like this for recalling passwords is the fact that they won’t be stored anywhere. For PwdHash there are Chrome and Firefox extensions available from the official site, and KeyGrinder’s homepage features a choice of bookmarklets which you can drag into the bookmarks bar.

Download: KeyGrinder for iOS @ AppStore


Remember – no password is infallible, sites get hacked and credentials leaked. If you use the same password in more than one location then you’re already playing with fire, and KeyGrinder might just be the free solution you’ve been looking for. You should still never ever reveal, write down or store your master password in plaintext. If you’re planning on using PwdHash or KeyGrinder, then it’s probably a good idea not to advertise this fact too publicly either.

What do you use to keep your online identities safe? Do you like the idea of KeyGrinder or do you use another service to safely store your keys? Let us know in the comments, below.

  1. Keith Smith
    January 9, 2013 at 7:41 am

    There's some good discussion here, particularly about the constant use of a single password being a weak point. So, how about simply modifying your standard password for each site you use by adding letters around it, for example let's say my password is sameoldpassword and I could modify it by adding FB for Facebook to make FBsameoldpassword or FsameoldpasswordB or similar. I am sure that there was a previous MakeUseOf article on this previously.

    Again, just another layer for those who use the same password over again.

    One question I do have is, to use this service you are inputting your password for it to be hashed so are you sure that it is not being stored on the server ...?

    • Tim Brookes
      January 9, 2013 at 8:09 am

      Thanks for contributing, and you're right - there's some great points being raised.

      Two points:

      1) Using a password surrounded by letters like FB for Facebook, TW for Twitter etc is a dangerous technique. Those passwords are in no way unique - they're slight variations on the same key/phrase. If you intend to hash it afterwards (using KeyGrinder or other similar tool) then it makes sense, yes. But if you're just going to use "mypasswordFB" for one and "mypasswordTW" for another, what happens when a site you frequent (LinkedIn last year, the entire Gawker comments system the year before that) gets hacked and your passwords are leaked? It doesn't take a genius to work out "mypassword" is your main key and you're suffixing/prefixing initials or names onto it.

      It is more secure than using a single password everywhere - just not that secure in the grand scheme of things.

      2) Regarding KeyPass/storing: Even if it was being stored on the server it wouldn't matter because your username is never required or entered. If a thief has a long list of passwords and hashes, he still then has to guess the usernames which is probably not going to happen.

      • Keith Smith
        January 9, 2013 at 5:58 pm

        Thanks Tim, thoroughly agree with point 1) and point 2) is good, hadn't thought of that.

  2. Alexander
    January 8, 2013 at 1:37 pm

    I like LastPass better than this, and I think this can get confusing sometimes :/

  3. Alan Wade
    January 8, 2013 at 1:18 pm

    I have used LastPass for a long while now and nothing I have read here makes me want to change that.
    Like Chris, I am happier with the randomly generated passwords for all my security needs.

  4. Chris Hoffman
    January 8, 2013 at 12:37 pm

    The problem with these types of solution is that, if a site becomes compromised and leaks your password, you can't change your password for just that website without going through the trouble to change it everywhere.

    If you use LastPass (or another password manager, but I use LastPass), you can just generate a new random password for each that website.

    • Chris Hoffman
      January 8, 2013 at 12:38 pm

      Yikes, sorry for the typos. Wish we had an edit feature!

    • Tim Brookes
      January 8, 2013 at 5:11 pm

      True, but then what if a thief finds your LastPass master key?

      • ReadandShare
        January 8, 2013 at 9:28 pm

        Some websites force you to change your password every x months. I just cannot imagine that the only way to change a password for one website is to change the PwdHash master password -- because that will mean changing passwords for ALL my other websites?? There has to be some kind of 'manual override' -- although each one will mean additional memorizing... until we are back to using a password manager again?

        • Tim Brookes
          January 9, 2013 at 7:54 am

          Yeah, it's not perfect. You could always use a couple of passwords, which even if you did write down (i.e. in passwords.txt) would still be indecipherable because they'd be hashed in the end anyway.

          I'd argue that KeyGrinder is a serious contender for the password manager/Last Pass throne. I like the idea of an autocompleting password service, but to me the idea of all my identities stored behind a single "master" password (or in a file, with a password like KeyPass) is concerning to say the least.

  5. Anonymous
    January 8, 2013 at 6:44 am

    I agree with Richard. That's exactly what I thought. It would be safer for the password to be totally random rather than actually being related.

  6. ReadandShare
    January 8, 2013 at 1:47 am

    I am not getting it either. Say my master password is "IThinkIAmSoSmart!!". Anyone or any keylogger that gets hold of this singular password can then try it on any number of popular website accounts -- and bingo -- they're in!

    From a security viewpoint, how's this adding anything versus just using "IThinkIAmSoSmart" directly on all my web accounts?

    • Tim Brookes
      January 8, 2013 at 5:10 pm

      I understand what you're saying entirely - it doesn't work if the thief knows you're using this service and your master password. But think of it from a "X site got hacked point of view" - if a hacker gets into a database of users and finds your password, it's entirely unique and thus not going to lead to more of your profiles going under.

      That's how it's better than using a single password on all of your web accounts.

      • ReadandShare
        January 8, 2013 at 9:24 pm

        That is true. Thanks.

  7. Richard Steven Hack
    January 8, 2013 at 1:35 am

    Correct me if I'm wrong here, but let's look at this closely.

    I use a constant password, say, "herewegototown" and that gets mixed with "" using a FIXED hash algorithm (which presumably is a KNOWN algorithm since unknown algorithms are by definition insecure.)

    I then use the SAME fixed password which gets mixed with "" (or whatever Microsoft is calling itself these days) using the SAME FIXED algorithm.

    This means any hacker who knows the KNOWN algorithm, plus the target site, has only to guess your original constant password. He can then do the same thing for every other target site. He only has to guess ONE variable, your original constant password. Everything else in the resulting password is based on fixed variables.

    And everyone knows we suck at picking those original constant passwords, right?

    How is this different from simply using one constant password? Everything about this situation is fixed: your password, the target site, the algorithm. The only thing that changes is the RESULTING password for each site.

    This is not secure. It's no more secure than the initial password you choose to use.

    The ONLY way to be secure is to generate a password which is completely different for each site and which does NOT take into account the name of the site or any other information which could be known to or guessed by a hacker.

    • Lisa Santika Onggrid
      January 8, 2013 at 3:35 pm

      Yeah. The only workaround is to use a different word entirely for the site's name, so if it's you can use instead, to avoid an easy guess. If you still use that lame password for the account, it's still useless. Perhaps someone could enlighten us as to why this is more secure than the ordinary method?

      • Tim Brookes
        January 8, 2013 at 5:00 pm

        It's better than using an ordinary password in that every generated password is unique, so if one falls the whole lot doesn't fall. It's only useless if a hacker knows your original password (keyloggers yes) and the algorithm used to get to that password. As far as I'm aware, that algorithm has not been made public, and so there is little chance of deciphering a password from the hash.

        No password is crack-proof, even randomly generated LastPass/1Password efforts. You could argue that if someone got your LastPass or other password manager credentials then they would have access to every password you have. KeyGrinder isn't perfect, but for a lot of users who it adds a whole extra layer of security that simple

    • Tim Brookes
      January 8, 2013 at 5:05 pm

      What you said is largely true, but it relies on:

      The hacker knowing your original password.
      The algorithm OR the fact that you're using this service.

      The algorithm is not public, so that's a no-no. You should also probably keep any cryptographic services you're using quiet, else that's akin to telling a prospective burglar the model and location of your home alarm system.

      It's not infallible, but then no password is. KeyGrinder generates unique hashes, which means if one site falls the rest of your accounts do not. I know that there are a huge percentage of people using the same password everywhere, and this adds another layer of security for those people.

      • Hari
        January 9, 2013 at 3:11 pm

        Security by obscurity is never good, it would be only a matter of time before someone reverse engineers the algorithm to generate a rainbow table lookup of all the hashes. Besides, how would you change your password using this method? You either have to change your master password or the domain, and since the domain remains the same, you have to change your password, and guess what, you no longer have a master password and are back to square one of remembering multiple passwords, an even harder problem than the original. LastPass is much better!

  8. Scott
    January 8, 2013 at 12:26 am

    What about special characters (#, $, %, etc.) ? And why a 26 character maximum ?

    I would much prefer just letting LastPass generate looooong (80+ character) passwords with special characters. That way I don't have to remember anything except my LP password. ;-)