How Pagenii works

At the heart of Pagenii are cryptographic hash functions. These are mathematical functions that take input data, such as your name and keys, to calculate output data - a complex, random-looking password.

However, the password is anything but random. When fed the same input data, these functions will generate the exact same password. But if the input data is altered in the slightest way, such as changing the case of a letter or using a comma instead of a period, the result is a completely different password.


Name + Master password + Key + Length + Alphabet

Cryptographic Hash Functions


Generated Password

One of the biggest advantages of using Pagenii is that generated passwords are practically impossible to reverse, meaning someone who might happen to know or store your Pagenii-generated password can’t reverse calculate your name, master password or key from it.

And because passwords are generated using only these functions in real-time and within your browser, passwords are never stored elsewhere or transmitted over the Internet, meaning they can’t be stolen or intercepted. Only you can re-generate your password.

Some technical stuff

The password generation is based on hash functions from the SHA2 family, namely SHA256 and SHA512. Simply speaking, each of the inputs (name, keys, master password, etc.) is hashed, then all those hashes are concatenated and hashed again. And this last hash’s output is converted into the generated password. All of this happens on the user’s device or in the user’s browser. This means that none of the user’s input gets stored or transmitted over the Internet.

On a more detailed level, each time a hash is calculated, the hash function is iterated multiple times. Because the hash function’s output resembles random data, the generated passwords are strong passwords.

Of course, the strength of a generated password also depends on the chosen length and the chosen alphabet. For instance, any password of length 6 containing only lower case letters can rarely be considered strong. Even though generating a long password is usually better than a short one, increasing the length far beyond the total length of all the input does not necessarily produce a better password.

As an example, when using as input the data as shown in some of the examples and generating a password of length 1000, this password might still look very random and strong, but it would not be as strong as a password consisting of 1000 truly randomly chosen characters.

One can think of expressing the strength of a password as a number of bits. And passwords generated with Pagenii or similar approaches can only be as strong as the number of bits needed to represent the input of the user. This is one reason why Pagenii sets a minimum number of characters on the input fields.

Pagenii’s input and output is based on Unicode. Currently, all characters of the Basic Multilingual Plane (BMP) are supported (no surrogate pairs). This means that a range such as “a-z” specifies all lower case letters from “a” to “z”, because all these letters appear consecutively in Unicode. It also means that a user can choose ranges, characters or symbols from any (natural) alphabet as long as it is represented in Unicode’s BMP.

A highly recommended range is “!-~” which is the set of Unicode characters starting at “!” and ending with “~”. This set contains all letters and digits “A-Z”, “a-z” and “0-9” plus many special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ All of these 94 letters and characters are usually easily typable with a standard (US) computer keyboard.

One final note: Many statements on the properties and results of hash functions are probabilistic. There is no guarantee that the result of a hash function “looks like random data”. Similarly, there is no guarantee that it is impossible to reverse a hash function for a given output. Yet, hash functions are trusted to be used for encryption, e.g in online banking. More accurately described, the output of the used hash functions “looks like random data” with overwhelmingly high probability, and it is practically impossible to reverse a hash function for a given output. And since Pagenii uses SHA2 functions underneath the hood, these statements also apply to passwords generated with Pagenii.