HMACPass3



The primary purpose of HMACPass3 is to generate a secure password from a memorable password or passphrase, so that the secure password never has to be written down or saved anywhere: it is recomputed from the memorable inputs each time it is needed.

A common response to this concept is: "I don't need that, I use a password manager". Our response is: "So do we, but what do you use to open your password manager?"

Many passwords in password managers are not there intrinsically for security reasons but mainly for convenience: we do not have to remember them, and the better managers make logging in to websites, for example, very easy. These passwords may not be particularly strong, but they are adequate. Other passwords may need to be kept safe and may be stronger than general website logins. A password manager is ideal for these passwords too, offering ease of use and security.

Whatever the reason for keeping passwords in a password manager, the strongest password we use should be the one that opens the password manager itself. It should be more than strong - it should be far stronger than anything stored inside it, because whoever has it has everything the manager holds.

Whilst HMACPass3 may be used to generate passwords for website logins, for example, it is only used once to do so: the generated password is then added to a password manager. The main target for HMACPass3 is the password manager itself.

We use KeePass Password Safe and have a small TrueCrypt volume, and whilst we could use KeePass to open TrueCrypt we find it easier to use HMACPass3.

NB: HMACPass3 is designed for Windows XP SP3 and above - it will not work on older versions of Windows. It uses cryptographic functions that originally shipped with Windows Vista and were subsequently back-ported to Windows XP in SP3.

On opening HMACPass3 we are presented with the main form.
The following is only a brief description of the form; full details are given in the help file (HMACPass3.chm) which accompanies HMACPass3.

Password In

This is our memorable password or passphrase.

Although 'Password In' is displayed as a single line it is, in fact, a multi-line input box. After typing a word or phrase, pressing Enter appears to clear the input box. It hasn't: think of the input box as a one-line window onto our multi-line text, and what we typed is now 'above' the visible line. Pressing the up arrow key takes us back to the text we just typed. 'Password In' can therefore be an address or a poem, for example.

Alternatively, or in addition, we can browse for a passfile, which should be a plain-text file (one that could be edited in Notepad, for example). So 'Password In' can be typed text only, typed text plus a passfile, or a passfile only if nothing is typed.

Pin Word

This may be regarded as a secondary password, but it has a special relationship with 'Password In' which is described in detail in the help file. I normally include the name of the application receiving the secure password. This too is a multi-line input box. I only use a single line, but a multi-line usage could be of the form 1st line: Group, 2nd line: Item in Group, for example.

In Password mode the last two characters of 'Pin Word' must be '01' to '80'; they tell HMACPass3 how many characters to use for our secure password. HMACPass3 can also generate binary keys in hexadecimal format in Passkey mode, and in this case the last three characters of 'Pin Word' must be '008' to '512', which tells HMACPass3 the bit size to use for the key.

The mode is chosen from an entry in the System Menu (the window's title-bar icon menu) which is initially labelled 'To Passkey'. After selection the entry becomes 'To Password', so it acts as a toggle between the two modes.

Pin Number

This is a number between 1 and 9999. It plays a computational role in generating the secure password, which is explained in the help file.

CRUNCH

Once the input has been completed we simply click on 'CRUNCH' to generate our secure password. There are three methods of sending the password to another application. The safest is 'via Hybrid', which sends packets of characters of random length, alternating between keyboard emulation and the Clipboard. A special technique is used whenever the Clipboard is involved (it is also used by 'via Clipboard'), and together these frustrate both malicious keyloggers and Clipboard viewers. 'via Hybrid' will not totally circumvent a Clipboard monitor that periodically polls the Clipboard, as opposed to a viewer that relies upon Windows change notifications. However, because the method is hybrid, the best such a monitor can do is capture about half of the password packets. If half of the password is still infeasible to brute force then we are 'home and dry'. Note that this assumes the attacker has only one of the two capabilities: malware that hooks the keyboard and polls the Clipboard at the same time sees every packet, so 'via Hybrid' raises the bar on a compromised machine rather than removing the need for a clean one.

Examples

More imagination is required in practice than is shown in the following examples:

Password In: MyVeryEasyToRememberPassword
Pin Word: MyPasswordManager80
Pin Number: 800

This is the password that will be sent:

lF2ftJpxYi/33LWHlAHIhFResRqwmXjd2uecg14zXzLvDbdHwX5CwuNFnmlE2slD+yfMURZfXDg88yb7

In Passkey mode we could use, for example:

Pin Word: MyEncryptionProgram256

This is the key that will be sent:

ED1A9621C9C1E2002D199378159BF1B831C35F1D6631E8587BFEA12EAD400F6B
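The three inputs, the two modes and the 'via Hybrid' send described above, as an added worked example in Python. This is not HMACPass3's own code: the page leaves the derivation to the help file, so the construction here (HMAC-SHA-512 keyed with the 'Password In' text plus any passfile bytes, fed the Pin Word label and requested size, chained Pin Number times) is an assumption, as are the ASCII-digit suffix checks, the treatment of line breaks as part of the password, and the 1 to 4 character packet size in the hybrid simulation. Its outputs therefore will not match the two shown above, although the same inputs are used.

```python
"""Illustrative HMAC-based derivation in the style of HMACPass3.

Added example code, not HMACPass3's own algorithm (which its help file
documents). HMAC-SHA-512, the iteration role given to Pin Number and the
field encoding are assumptions; outputs will not match HMACPass3's.
"""
import base64
import hashlib
import hmac
import random

PASSWORD_MODE = "password"  # Pin Word ends in '01'..'80': output length in characters
PASSKEY_MODE = "passkey"    # Pin Word ends in '008'..'512': key size in bits


def parse_pin_word(pin_word: str, mode: str) -> tuple[str, int]:
    """Split the Pin Word into (label, size); size is characters or bits by mode."""
    width, lo, hi = (2, 1, 80) if mode == PASSWORD_MODE else (3, 8, 512)
    label, field = pin_word[:-width], pin_word[-width:]
    if len(field) != width or not all(c in "0123456789" for c in field):
        raise ValueError(f"Pin Word must end in a {width}-digit size field")
    size = int(field)
    if not lo <= size <= hi or (mode == PASSKEY_MODE and size % 4):
        raise ValueError(f"size field {field!r} not in {lo}..{hi} (bits must be a multiple of 4)")
    return label, size


def _fields(*parts: bytes) -> bytes:
    """Length-prefix each part so ('ab', 'c') and ('a', 'bc') cannot collide."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def derive(password_in: str, pin_word: str, pin_number: int,
           mode: str = PASSWORD_MODE, passfile: bytes = b"") -> str:
    """Return a password (base64 text) or a passkey (upper-case hex), deterministically."""
    if not 1 <= pin_number <= 9999:
        raise ValueError("Pin Number must be 1..9999")
    label, size = parse_pin_word(pin_word, mode)
    # Secret key material: the typed text (line breaks kept, assumed) plus passfile bytes.
    key = _fields(password_in.encode("utf-8"), passfile)
    # Per-target context: mode, Pin Word label and requested size, so each target differs.
    msg = _fields(mode.encode("ascii"), label.encode("utf-8"), size.to_bytes(2, "big"))
    tag = b""
    for _ in range(pin_number):  # Pin Number used as an iteration count (assumed role)
        tag = hmac.new(key, msg + tag, hashlib.sha512).digest()
    if mode == PASSKEY_MODE:
        return tag.hex().upper()[: size // 4]  # 4 bits per hex digit
    # 64 digest bytes give 86 base64 characters without '=' padding, enough for the 80 maximum.
    return base64.b64encode(tag).decode("ascii").rstrip("=")[:size]


def hybrid_packets(secret: str, rng=None, max_len: int = 4) -> list:
    """Split `secret` into packets of random length (1..max_len, assumed),
    alternating between keyboard emulation and the Clipboard."""
    if rng is None:
        rng = random.SystemRandom()
    packets, channel, i = [], "keyboard", 0
    while i < len(secret):
        n = rng.randint(1, max_len)
        packets.append((channel, secret[i:i + n]))
        i += n
        channel = "clipboard" if channel == "keyboard" else "keyboard"
    return packets


def observed_by(packets, channels) -> str:
    """What an observer who can see only `channels` reassembles, in order."""
    return "".join(text for channel, text in packets if channel in channels)


if __name__ == "__main__":
    pw = derive("MyVeryEasyToRememberPassword", "MyPasswordManager80", 800)
    key = derive("MyVeryEasyToRememberPassword", "MyEncryptionProgram256", 800, PASSKEY_MODE)
    print(f"password ({len(pw)} chars): {pw}")
    print(f"passkey  ({len(key) * 4} bits):  {key}")
    packets = hybrid_packets(pw, random.Random(1))
    for who, seen in (("clipboard only", {"clipboard"}), ("keyboard only", {"keyboard"}),
                      ("both channels", {"keyboard", "clipboard"})):
        print(f"{who}: {len(observed_by(packets, seen))} of {len(pw)} characters")
```

The two properties worth checking are that the same three inputs always give the same output, so nothing needs to be stored, and that changing any one of them, including the size suffix or the Pin Number, gives an unrelated output. The hybrid simulation shows the point made under CRUNCH: an observer on one channel reassembles only part of the password, while anything watching both channels reassembles all of it.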

Download

The download is a zipped folder containing HMACPass3.exe and HMACPass3.chm. There is no installation. Simply place the HMACPass3 folder in a convenient location and send a shortcut to HMACPass3.exe to your Desktop. You can then, if you wish, move the shortcut to, for example, a Quick Launch toolbar.

