browser extension

3 Articles

Don’t Trust Password Managers? HIPPO May Be The Answer!

April 15, 2026 by 52 Comments

The modern web is a major pain to use without a password manager app. However, using such a service requires you to entrust your precious secrets to a third party. They could also be compromised, then you really are in trouble. You could manage passwords with local software or even a notebook, but that adds cognitive load. You could use the same password across multiple sites to reduce the load, but that would be unwise. Now, however, with the HIPPO system, there is another way.

HIPPO is implemented as a browser extension paired with a central server. The idea is not to store any password anywhere, but to compute them on the fly from a set of secrets. One secret at the server end, and one the user supplies as a passphrase. This works via an oblivious pseudorandom function (OPRF) protocol. Details from the linked site are sparse, but we think we’ve figured it out from other sources.

First, the user-supplied master password is hashed with the site identifier (i.e., the domain), blinded with a random number, and then processed using an OPRF, likely built on an elliptic-curve cryptographic scheme. This ensures the server never receives the raw password. Next, the server applies its own secret key via a Pseudorandom Function (PRF) and sends it back to the client. Obviously, its private key is also never sent raw. Next, the client removes the blinding factor (using the same random number it used when sending) from the original key, producing a site-specific high-entropy secret value that the extension passes to a Key Derivation Function (KDF), which formats it into a suitable form for use as a password. Finally, the extension auto-fills the password into the website form, ready to send to the site you want to access. This password is still unique per site and deterministic, which is how this whole scheme can replace a password database. Neat stuff!

This advantage to this whole scheme means there’s no vault to compromise, no storage requirements, and it generates a strong password for each unique site, meaning no password reuse and a low chance of brute-force cracking. The obvious flaw is that it creates a single point of failure (the HIPPO service) and shifts the risk of compromise from vault cracking the master password, infiltrating the server, or compromising its secret key. It’s an interesting idea for sure, but it doesn’t directly manage 2FA, which is a layer you’d want adding on top to ensure adequate security overall, and of course, it’s not a real, live service yet, but when (or if) it becomes one, we’ll be sure to report back.

Confused by all this? Why not dig into this article first? Or maybe you fancy a DIYable hardware solution?

This Sentence‌‌‌‌‍‌ Isn’‌‌‌‌‍‌‬t Just ‌‌‌‌‌‬‌‌a‌‌‌‌‍‬‬‍ Sentence‌‌‌‌‍‌‌‌‌‌‌‬‌‌‌‌‌‌‍‬‬‍‌‌‌‌‍‍‌‌‌‌‌‌

October 10, 2019 by 22 Comments

Some sentences have more than meets the eye, and we’re not talking about interpretive nonsense. Rather, some sentences may contain up to four paragraphs’ worth of hidden text, invisible to readers.

Thanks to Zero Width Obfuscation, it is possible to use Zero Width Characters – Unicode characters that are invisible even when you try to highlight them. They’re typically used for abstract foreign languages that require separators that don’t take up an entire space. In this case, they’re used to obfuscate and de-obfuscate hidden messages sent through text.

[inzerosight] published a browser extension that identifies, de-obfuscates, and obfuscates these messages for you on the web. It does this by querying each page for the Unicode of the Zero Width Characters (U+FEFF, U+200C, U+200D, U+200E, U+2060, U+180E) and highlighting where they’ve been spotted. The encoding replaces each Unicode character with a permutation of two of the Zero Width Characters, essentially doing a find and replace across the text message.

I’m just waiting to see how long it takes for Zero Width Obfuscation to become the next Konami Code Easter Egg.

Hyperlinking Comes To GitHub Via Extension

June 14, 2019 by 8 Comments

If you are browsing GitHub it is very tempting to open up the source code to some project and peek at how it works. The code view is easy to read, but the viewer lacks one important feature: the ability to click on an included file and find it. The Octolinker extension fixes that oversight.

If you want to try it without installing the extension, there is a mock-up demo available. Even though the demo wants you to click on specific things, if you don’t play by the rules it will still do the right thing and take you to either the code on GitHub or an appropriate page. You can even substitute the demo URL for github.com and try it out on any GitHub page without the extension.

Continue reading “Hyperlinking Comes To GitHub Via Extension”