What does it do? Tabula helps you create and remember strong passwords for each site without having to store them anywhere.

How does it work? When you enter a master password below, a table of characters that's unique to your password is created. You then use this table to generate each site-specific password by starting at a memorable cell and following a pattern across the grid. When you need a site's password in the future, just regenerate this table using your master password, find the starting cell, and follow the pattern. This way you can remember strong passwords for every site without the risk of storing them anywhere.

Note: This project is still experimental, so it needs more scrutiny before I'd recommend using it. If you do, print out a copy of the table so you have a backup if I change the code.



The name Tabula comes from a cryptographic tool called a tabula recta, which is used to create ciphers. I came across this concept while reading a interesting blog post where the author describes using a tabula to generate his own passwords. I decided to make the technique more user friendly by automating a few steps, and this is the result.

The table of characters is created by seeding a random number generator (seedrandom.js) with your master password after passing it through scrypt. The end result is a unique table that will be re-created whenever you enter your master password in the future. This makes it easy to have many strong, site-specific passwords while just remembering a master password and a pattern.

The source code for this project is available on GitHub, and there are further details in my blog post about the project if you're interested.


These are the characters available in each set:

Letters, numbers, advanced symbols: AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()?,=[]_:+*'~;/.{}

Letters, numbers, symbols: AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()

Letters, numbers: AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789

Letters: AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz

Numbers: 0123456789


For web security, everything is included in a single HTML file that doesn't depend on any externally loaded scripts or make any network requests (your master password is never sent anywhere). As a result, you can still use this page when you're offline, or download the file and use it locally. Also, you could print out the table and only use the webpage in situations where you don't have access to a physical copy. Depending on interest, I'm considering building an Electron or React Native app to avoid the web security issues altogether.

In terms of cryptography, there are a few threats that I go more in-depth about in my blogpost. The main one I'm concerned about is the situation where someone's table or master password is revealed because this opens them up to a brute force attack. I'm looking for advice on how to reduce this risk.

The current sha256 checksum of this page is available on GitHub.