1. Deterministic generation
Kardix does not create a random password and save it. It calculates credentials from the exact passphrase, label, and optional extra password you enter. All three inputs are framed separately before derivation. The same inputs and the same algorithm reproduce the same output. Changing one character produces a different result.
2. Why the label matters
The label separates accounts. A label such as “Netflix” and a label such as “Google” produce different credentials even when the passphrase is identical. Use a stable, memorable label and type it the same way every time.
3. SHA-256 key derivation
Before credentials are formatted, Kardix uses the browser’s built-in SHA-256 function. SHA-256 is fast and is not memory-hard, so security depends heavily on using a long, unique passphrase that is difficult to guess. The algorithm is public by design; security must come from the strength of the secret, not from hiding how the tool works.
4. Separate outputs
Independent derivation contexts are used for username, password, recovery PIN, security answer, and recovery ID so one field is not simply a visible slice of another. Long identifiers make accidental collisions extraordinarily unlikely, although no finite system can promise a mathematically zero collision risk.
5. Local processing
The passphrase, label, and optional extra password are processed in your browser. Kardix clears the input fields after submission and does not intentionally store them in localStorage, cookies, or a server database. Generated values remain visible until you reset or leave, and copied values can remain in your device clipboard.
6. Important limitations
Kardix is not a password vault, account provider, or recovery service. If you forget the passphrase, label, spelling, or algorithm version, the original result may be impossible to reproduce.
- A weak passphrase can still be guessed offline.
- Browser extensions or malware can read what appears on screen.
- QR codes expose the encoded value to cameras and screen capture.
- Changing the algorithm can change future results.
7. Recommended workflow
Use a long random multi-word passphrase, assign one stable label per service, verify the generated credential, and keep an independent emergency recovery plan. Never rely on a single unrecoverable method for critical accounts.
Threat model
Kardix is designed to avoid a central cloud vault, not to protect a compromised device. It cannot defend against keyloggers, malicious extensions, screen capture, clipboard monitoring, phishing, or someone who already knows your inputs. Security decisions should be based on this limitation.
Version stability
Deterministic tools must keep their algorithm and formatting stable. Record which Kardix version you used for important accounts and verify generated credentials before replacing an existing password. Future improvements should provide a migration path rather than silently changing established outputs.