Why calc.pw?

Security experts say it is best to have a different password for every service you use. The reason is that every service can be hacked. When an attacker gets access to the passwords of one service, he is able to try these passwords with other services. If you use one password for all services, then losing your password means losing control over all of these services.

Over time several schemes have been developed to prevent this by telling you how to generate a new password for every new service. Google advertises a solution where you take an easy-to-remember sentence like "I love sandwiches." and get a password from it by replacing characters with numbers and special characters so that the final password could be "1loves@nDwich3s". There are, however, some problems with this. First of all you have to find good sentences for each and every service, and then you have to be able to link a sentence to the corresponding service. Will you remember in a year that you used "I love sandwiches." for that online shopping website you only used once?

Another method that is used quite often is to find a really secure password and then attach service-dependent information to it. So let us say your master password is "Very57r0ngP455w0rd" and you need a password for your online banking account; then your service password could be something like "Very57r0ngP455w0rd_banking". There are several ways to get to the service-dependent part of the password. But this method also has a problem: as soon as an attacker learns the password of one service, he can easily deduce the possible passwords of other services you use.

The third method today is to generate and use totally random passwords. However, these are very hard to remember, especially when you have more than a few of them. Because of that, password databases emerged that are encrypted with a master password and let you store and retrieve all your precious random passwords. But when this database is lost, you actually lose access to all of your services. In addition, this database has to be available everywhere, which led to strange solutions like putting all your passwords in the cloud where NSA, CIA and so on have access to it.

Finally, XKCD proposed a password scheme in a rather funny way. Their idea is to just put some random words together. This - according to them - is secure enough for most purposes. But even this has some problems. Several password forms enforce a maximal password length, which greatly reduces the number of possibilities. And like before: nowadays you have dozens of different accounts. For all of these accounts you would have to find random word combinations, and you would have to find a way to link these to the actual service you are using the password for. So, which service would "correct horse battery staple" be for?

calc.pw works somewhat differently. It uses a master password and service-dependent information, from which it generates a service password with the help of cryptographic methods (SHA-1 and Arc4). From this service password neither the master password nor the service-dependent information can be deduced. Therefore an attacker who found one of your passwords is not able to generate the passwords of the other services you are using. If that happens, you just have to change the compromised service password while all of your other services stay safe.
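The contrast between the suffix scheme and a cryptographically derived password, as an added example that is not calc.pw's own code. The page names SHA-1 and Arc4 but does not give the algorithm, so `derived_password` (HMAC-SHA1 keying RC4, a 1024-byte keystream drop, a 62-character alphabet) is an assumed construction for illustration, and all function names are hypothetical.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, a constructed choice

def suffix_password(master, service):
    """The scheme from the text: master password plus a service suffix."""
    return f"{master}_{service}"

def siblings_from_leak(leaked, services):
    """What a single leaked suffix-scheme password gives away about the rest."""
    master, _, _ = leaked.rpartition("_")
    return {s: suffix_password(master, s) for s in services}

def rc4_keystream(key, n, drop=1024):
    """Standard RC4 (Arc4): key schedule, then n keystream bytes after `drop`."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derived_password(master, service, length=16):
    """Assumed derivation (not calc.pw's): HMAC-SHA1(master, service) keys RC4;
    keystream bytes are mapped to ALPHABET, rejecting values that would bias it."""
    key = hmac.new(master.encode(), service.encode(), hashlib.sha1).digest()
    chars = []
    for b in rc4_keystream(key, 16 * length):
        if b < 248:  # 248 = 4 * 62, so b % 62 is uniform over ALPHABET
            chars.append(ALPHABET[b % 62])
        if len(chars) == length:
            break
    return "".join(chars)

if __name__ == "__main__":
    leaked = suffix_password("Very57r0ngP455w0rd", "banking")
    print(siblings_from_leak(leaked, ["shopping", "mail"]))  # master is exposed
    print(derived_password("Very57r0ngP455w0rd", "banking"))  # reveals neither input
```

The derived password is only as strong as the master password: anyone who knows the construction and one output can still test guesses of a weak master offline.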


© 2013-2016 Kenneth Newwood (@weizenspreu)