WhipPass Logo
(learn more)

One Whip, Many Passwords

WhipPass takes the combination of a website address and a master password (whip) and uses a hashing algorithm (see Technical Stuff) to produce secure passwords that are unique to the website you’re logging into.

You only need to remember a single master password, your whip. Combining your whip with the URL of the site you want to access produces a unique, secure and consistently repeatable password for that site.

The hashing algorithm is implemented in JavaScript and executed on the client-side, so your whip is not saved or even transmitted over the internet.


Site: google.com
Whip: MyS3cr3tP@ssw0rd
Whipped Password: tAaj9kpUWzPTvyjh+R


Site: facebook.com
Whip: MyS3cr3tP@ssw0rd
Whipped Password: +rr9wFM4DMI3VcDLNw

The Problem with Passwords

We all sign up to many different accounts and services on the internet. Virtually every single one requires us to provide a unique password to access the service.

Coming up with passwords for every service that are unique and secure is hard. It’s been proven over and over again that people often use the same password across multiple services.

The obvious problem with having the same password across multiple services is that if the security of one service is compromised, a rogue agent could gain access to all of your accounts. This is a very common occurrence (estimated to be as high as 55%) and happens more often than expected.


You might be thinking “Oh no, not me. I keep my passwords locked up in a password vault!”. Unfortunately, password vaults are only as strong as their security protocols, transmission methods and encryption techniques. Password vaults also make a very obvious target to hackers. The best place to store your passwords, is nowhere at all. 

WhipPass does not store your whip (master password) or any of your whipped (hashed) passwords. The only place your whip is stored is in your head. WhipPass does not transmit your whip or any of your whipped passwords either. The hashing is performed on the client-side, so it’s never transmitted and consequently cannot be intercepted. 


Once you start using WhipPass, you’ll wonder how you’ve managed to cope without it.

It just makes sense.


Only one password to remember, your Whip


WhipPass creates a unique password for each service


Your Whipped passwords stays consistent for each service


Your passwords are not stored anywhere, so can’t be compromised


The more complex your whip, the more secure your whipped passwords


Use WhipPass across all platforms where you need to use passwords


WhipPass is based on the Web Password Hashing project originally implemented by the Security Laboratory at a leading American University (not named due to licensing restrictions).

The project, referred to as PwdHash, is essentially a password generation scheme which calculates a hash of the user’s master password and the domain-name of the website on the client-side in order to create a strong, site-specific password that the user doesn’t need to remember. (Read more: Original PwdHash project page)

PwdHash uses the HMAC-MD5 algorithm as the hashing function. Find out more below.

Technical Stuff

In cryptography, a hash-based message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. (Source: Wikipedia).

Any cryptographic hash function, such as SHA-256 or SHA-3, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5). The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.

In other words, the length and complexity of your Whip (master password) determines the quality of the whipped (hashed) password.

The Standard version of WhipPass uses “HMAC-MD5” as the cryptographic hash function and the secret cryptographic key is your “Whip“.

Advanced Features

About a decade after the initial release of the PwdHash algorithm, the Cambridge University Security Group released a research paper proposing an improved version of the original algorithm. This version is based on a key-derivation function rather than a hashing function, proposes the use of the “PBKDF2-SHA256” key derivation function and suggests allowing control over the user-specified salt and iteration count.

In basic terms this can be expressed as DK = KDF(key, salt, iterations), where DK is the derived key, KDF is the key derivation function, key is the original key or password, salt is a random number which acts as cryptographic salt, and iterations refers to the number of iterations of a sub-function (read more about Key Derivation here).

The Advanced version of WhipPass is an alternative to the Standard version and provides a significantly higher level of security through the utilisation of the “PBKDF2-SHA256” key derivation function and allows control over the user-specified salt and iteration count (read more about PBKDF). The browser stores the “salt” and “iterations” as cookies, so they do not have to be entered every time you use WhipPass.