HPGen is a hash password generator for Java-enabled mobile phones. The concept was invented by Nic Wolff as a way of generating a large number of pretty secure passwords for all the websites people sign up with these days. I wrote a Java version because a mobile phone implementation seemed like an obvious thing to have.

Download and Installation

You can probably install HPGen by pointing the web browser on your phone to http://elvum.net/hpgen/hpgen.jad. It's only about 25kB, so it shouldn't break the bank even if you don't have a data tariff. Alternatively, some people have reported success in downloading http://elvum.net/hpgen/hpgen.jar to their PCs and then transferring it to the phone via a data cable or memory card. You might want to check your phone's instruction manual to see how to install software on it.

At the moment only an unsigned version of the software is provided, because that seems to be working for everyone.


HPGen is written using the most basic subset of Java available for mobile phones (MIDP 1.0), so if your phone supports Java applications, HPGen should run on it. No guarantees though - there are all kinds of exciting implementation quirks in the Java stacks on different handsets.

Licensing and Source Code

HPGen is made available to you under the terms of the GNU GPL version 2. The source code is available to download here. It uses two libraries to perform the actual hashing: Sam Ruby's SHA1 implementation, and Tim Macinta's MD5 library. I think I might have slightly modified them both. Anyway, they're included in the source distribution under their original licenses (BSD and LGPL 2.1 respectively).


How does HPGen work?

You enter a strong "input" password and the domain of the website you want to generate a new password for (eg "elvum.net"), and the software concatenates the two and passes them through a cryptographic "hash function" (by default, SHA1). Of course, you can put any text you like in the domain field - "hotmail", perhaps. The output of the hash is converted to text (by default, using BASE64 encoding) and the first eight characters (or so) are returned for you to use as a password for that domain.

How secure is HPGen?

The hash password concept is a reasonably secure way to generate strong passwords for different websites, but it can never be secure if you choose a weak input password, so make that a hard-to-guess one. The generated passwords are considerably more secure than using the same password for every website (or using an easy-to-guess password for every website), but since cryptography is subtle and implementations are prone to unsuspected weaknesses, I wouldn't advise using HPGen (or similar tools) to generate passwords for really important things, such as your online bank account.

As is good practice for security-related software, HPGen is open source, so you can check the source code and satisfy yourself that it isn't doing anything stupid or malicious.

HPGen stores a list of all the domains I generate passwords for: is that secure?

The whole point of hash password generation is that the security is provided by the input password. Storing a list of domains makes using the application much easier for people who only have numeric keyboards on their mobile phones. If you're worried, you can turn off domain name storing in the application's preferences menu.

Is HPGen compatible with some existing hash password generator that I already use?

Maybe - there are quite a few out there. If you use Nic Wolff's SHA1 password generator or Karim Cassam Chenaï's iPhone password generator then HPGen generates compatible passwords using its default settings. If you use Nic Wolff's original password generator, James Cridland's password generator or Johannes la Poutré's Greasemonkey script (or other implementations), then HPGen can generate compatible passwords if you change the hash function to "MD5" and the presentation format to "lower-case hex" in the HPGen preferences menu.

I want to convey my thanks to you for writing this marvellous software / roundly abuse you for making stupid programming mistakes / contact you for some other reason

That's not a question, frequently asked or otherwise. You can, however, contact me via the email address "hpgen" at this domain.