How Single Pass Works
Single Pass works by creating an SHA-256 hash of the Single Pass password and the Service Name, joined by a colon (`||` denotes concatenation), like this:
hash = sha256(singlepass_password || ":" || service_name)
Each octet in the hash is effectively a random number. We then take the first 16 octets of the hash and use each of those values to look up a character in a table.
The table has a total of 62 characters. With a 16-character password, the password strength is effectively log2(62) * 16 = 95.27 bits. That means that there are 4.76 × 10^28 possible values a hacker would need to try in order to guess the generated password. If we were to take about 1,000 of the fastest commercial products used to crack passwords (each cracking 2,800,000,000 passwords per second), it would take up to 539 million years to crack a Single Pass-generated password.
The table of characters employed is shown below:
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',
'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r',
's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F',
'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
'U', 'V', 'W', 'X', 'Y', 'Z'
The logic for selecting a character in the table is straightforward. We simply take an octet in the computed hash and reduce that value modulo the number of characters in the table (i.e., hash[i] MOD 62). We do that for the first 16 hash values (out of a total of 32 produced by SHA-256) to produce the service password.
The source code for the JavaScript employed on the Single Pass web site is available, as is a separate stand-alone Perl script that one may use off-line.
One important consideration is the character set employed. We utilize UTF-8 both on the Single Pass web site and the Perl script. If you use the software elsewhere and employ a different character encoding, then an SHA-256 hash will produce a different result than what we produce.
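The scheme described above, written out as an added example for Node.js (this is not the Single Pass site's own JavaScript or Perl). The function names, the `encoding` parameter and the sample inputs are assumptions made for illustration; the block also shows the encoding dependence and computes the output entropy that results from the MOD 62 mapping.

```javascript
// Added example: a re-implementation of the described scheme, not the site's script.
const { createHash } = require("node:crypto");

// The 62-character table from the page: digits, lowercase, uppercase.
const TABLE =
  "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Map the first 16 octets of a digest to table characters (hash[i] MOD 62).
function digestToPassword(digest) {
  if (digest.length < 16) throw new RangeError("need at least 16 octets");
  let out = "";
  for (let i = 0; i < 16; i++) out += TABLE[digest[i] % TABLE.length];
  return out;
}

// hash = sha256(singlepass_password || ":" || service_name)
// `encoding` is a parameter added here (assumption) to show why UTF-8 matters.
function servicePassword(masterPassword, serviceName, encoding = "utf8") {
  const input = Buffer.from(`${masterPassword}:${serviceName}`, encoding);
  return digestToPassword(createHash("sha256").update(input).digest());
}

// Shannon entropy of the 16 characters, assuming uniformly random octets.
// 256 is not a multiple of 62, so table entries 0..7 are selected by 5 octet
// values each and the remaining 54 entries by 4 octet values each.
function generatedPasswordBits() {
  const hits = new Array(TABLE.length).fill(0);
  for (let b = 0; b < 256; b++) hits[b % TABLE.length]++;
  const perChar = hits.reduce((h, n) => h - (n / 256) * Math.log2(n / 256), 0);
  return 16 * perChar;
}

// Constructed sample inputs (not real credentials).
const sample = "p\u00e4ssw\u00f6rd"; // contains non-ASCII characters
console.log(servicePassword("correct horse", "example.com"));
console.log(servicePassword(sample, "example.com", "utf8"));
console.log(servicePassword(sample, "example.com", "latin1")); // differs
console.log(generatedPasswordBits().toFixed(2));
```

`generatedPasswordBits()` comes out slightly below the uniform-table figure of log2(62) * 16 because the modulo step favours the first eight table entries.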