Your P@ssw0rds! no longer have to cause anxiety
Lisa Lock
scientific editor
Robert Egan
associate editor
Most people struggle to create and manage strong, unique passwords across many accounts. Password vaults may be helpful, but a single breach can expose dozens or even hundreds of passwords. To address these concerns, researchers at Texas A&M University created "HIPPO," a browser extension that creates passwords for each website without saving them.
Instead of storing passwords in a vault, HIPPO (Hidden Password, Password manager Online) uses one master password for users to remember; combines it with the website's address; generates the correct password only at the moment of login working in tandem with a server; and does not need to store it anywhere, not even on that server.
"From the site's perspective, nothing changes—the website still sees a normal password," said Dr. Nitesh Saxena, professor of computer science and engineering and associate director of the Texas A&M Global Cyber Research Institute.
He and his team published their findings in IEEE Internet Computing, showing users preferred the new approach. HIPPO is the result of the work the team started more than 10 years ago, resulting in many papers and a funding source.
Passwords that don't exist until you need them
Researchers set out to see how people would respond to using HIPPO by giving 25 participants a series of realistic tasks: logging into an account repeatedly, changing passwords when a site required it and using HIPPO as a browser extension. Of the participants, 30% reported not using a password manager, while the rest reported using one to varying degrees.
Participants rated HIPPO higher than traditional password tools for both ease and satisfaction during login. They also viewed it as significantly more secure and more trustworthy, even though it introduced the extra step of activating the extension before typing the master password.
That result surprised even the researchers.
"We went into this expecting a clear trade-off," Saxena said. "More security usually means more hassle. What we saw instead is that people were actually happier once they stopped worrying about remembering or typing a complex password."
How it works
When you log in, HIPPO combines your master password with the website's domain name and cryptographic protections to generate a randomized password unique to that site. Once you're logged in, the password is then discarded. There's no vault to steal, and no database on your laptop or browser or in the cloud.
"For everyday users, one of the biggest pain points is when a website demands an updated password," Saxena said. "That's where a lot of people get fed up. You're told to create something new, different, stronger, again and again. HIPPO handles that invisibly, so the user doesn't have to play password gymnastics every few months."
Decreasing password anxiety
In the study, participants updated passwords using HIPPO and rated the experience as just as easy as traditional password changes, but more satisfying. Behind the scenes, HIPPO quietly generated a new version of the password without asking people to rethink or reinvent anything.
Importantly, participants didn't feel like HIPPO was doing something mysterious or risky. Many described it using words like "secure," "random" or "hard to guess," paired with "simple" and "easy."
Some even said they would use it for sensitive accounts like banking or email—places where password anxiety tends to run highest.
Ditching storage
Password managers have been around for years, yet adoption remains uneven. Some people distrust them and master passwords can be forgotten. High-profile breaches of password vaults haven't helped public confidence.
Saxena says HIPPO sidesteps those fears by never storing passwords.
"There's something psychologically reassuring about knowing there isn't a digital 'safe' full of your credentials somewhere," he said. "Even if you trust the vault, it's still a single point of failure—it's like putting all of your eggs in one basket. HIPPO avoids that problem completely."
The study doesn't claim HIPPO is perfect. Participants occasionally forgot to activate it, and researchers acknowledge that smoother cues and automation would help. The study also took place in a lab setting and followed users for a short time; future real-world testing is planned.
Still, the takeaway was striking, Saxena said. "People not only tolerated a fundamentally different approach to passwords, they preferred it."
