Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Build Status

Passwords obviously are important and most people know by this time how to pick a good one.

For many people, the problem is not so much that their password is weak and too easy to guess or steal (though this is still a common problem.) The problem is that they use their same password over and over again -- meaning if it is compromised at any one of the sites where they use it, it can be misused at another one.

Mushpup is a simple javascript library I've created that leverages existing cryptography libraries to produce strong, unique passwords that can be securely retrieved from anywhere there's an internet connection.

Web Application

The Mushpup web application provides access to an interface to quickly retrieve passwords. It is available over the internet at the following sites:


Mushpup requires the SHA1 and Base64 algorithms. It currently uses the CryptoJS library.

<script src=""></script>
<script src=""></script>
<script src=""></script>


Automated tests can be run using grunt-cli:

cd mushpup
npm test

To set up grunt on Debian/Ubuntu:

  1. Clone the repository

    git clone mushpup
  2. Install Node.js (with npm).

  3. Install npm packages:

    npm install grunt-cli
    npm install phantomjs
  4. Install npm package dependencies:

    cd mushpup
    npm install

You should be good to test.

Local Server

To test in the browser locally, run Python's SimpleHTTPServer from the repository root:

python -m SimpleHTTPServer

Then browse to:

For information on mobile testing with Android using Chrome, see Remote Debugging Android Devices.


A Mushpup hash is a 24-character string of characters from which a user may reliably retrieve a site-specific password, based on a master password only she knows and a simple routine.


To generate a Mushpup hash using the Mushpup library:

var locus = $('input#locus').val().trim();
var pocus = $('input#pocus').val().trim();
var mushpup = Mushpup.mush(locus, pocus);


To start using Mushpup as a user, you need to do the following three things:

  1. Pick a Mushpup secret word (a master password only you remember)
  2. Pick a Mushpup number (between 8 and 16)
  3. Pick a side (left, right, or middle)

Then, whenever you need a password for a new site, follow this routine:

  1. Identify new site (e.g.
  2. Set your user name (e.g. klenwell)
  3. Set your locus value based form site/user (e.g.

Finally, to retrive the password:

  1. Input locus and Mushpup secret word in the Mushpup form.
  2. Using Mushpup number and Mushpup side, copy your password
  3. Paste it into the site login password field.


Never write your password down. Use mnemonics. If you want to record your Mushpup secret word, email yourself a hint. For example, if your secret word is SmithJenna23 and you use the middle 12 characters, you could use a clue like this:

  • MaidenYoungestsis#MJ#-m12

Use the following form for your individual Mushpup site passwords:

  • m{ }m12

This tells you that the locus is and your password will be the middle 12 characters of the resulting hash.

However, you can be even safer if you use your regular Mushpup number and side:

  • m{github}

Or, to remind yourself you used mushpup for your password, simply:

  • m{}


Javascript library for hashing passwords.







No releases published


No packages published