
Simple Secret Splitting

This page provides a very simple secret/password splitting solution. It can be used to protect a password that you want to store, transmit to someone else, or share between two people who can recover it only when they get together (for example, as a backup so that passwords are not lost). The two parts must never be stored or transmitted together. The calculations are performed in JavaScript within your browser, so your secret never leaves your machine and our servers never see it. The output is base-64 encoded so that it is easy to store, type, and so on.

Enter your secret/password in the top box and click 'Encode' to obtain the two parts for storage or distribution. To recover the secret, type the two parts into the yellow boxes, in either order, and click 'Decode'.


"The big lie of computer security is that security improves by imposing complex passwords on users. In real life, people write down anything they can't remember. Security is increased by designing for the way humans actually behave." - Jakob Nielsen

One way to use this would be to keep a backup copy of an administrator password or encryption key. In this case, you could write the two parts down on paper, store one in a safe in the office, and keep the other somewhere secure off site, or even in a secure location online. If doing this, protecting 'Part 1' matters more, because 'Part 2' is only the random string and on its own carries no information about the original password.


How this works

This works simply by XORing your password or secret with a random string of the same length. The random string and the result of the XOR are both output as the two parts. On their own they are useless, but when brought back together and XORed again, they yield the original secret.

Warning: never keep or transmit the two parts together. Also, because of the base-64 encoding and the nature of the scheme, the length of the original secret can be worked out from 'Part 1', and the random string is not produced by a cryptographically secure random number generator, so both parts should still be protected.