Kardix

Security Guide

Practical steps for using passphrases, labels, QR codes, and clipboards more safely.

Choose a strong passphrase

Use at least five or six unrelated random words, preferably generated by a trusted random method. Length and unpredictability matter more than substitutions such as replacing “a” with “@”. Never use names, birthdays, quotations, or a password already used elsewhere.

Protect the label

Labels are not treated as secret, but they must be consistent. Use a clear service identifier and avoid frequently changing its spelling. An attacker who knows a label and one generated result can test passphrase guesses offline, so the passphrase must carry the security.
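The two sections above, worked through as an added example (this is not Kardix code): it picks words with the operating system's secure random source and estimates how long an offline guessing attack would need against a passphrase of a given length. The word list is a small constructed sample, and the guessing rate of 10 billion guesses per second is an assumption chosen for illustration.

```python
import math
import secrets

# Constructed demo list; a real list should be much larger
# (the EFF and Diceware long lists have 7776 words).
DEMO_WORDS = ["anchor", "breeze", "copper", "dune", "ember", "fjord",
              "glacier", "harbor", "island", "juniper", "kettle",
              "lantern", "meadow", "nectar", "orbit", "pebble"]
DICEWARE_SIZE = 6 ** 5  # 7776 words: five dice rolls per word


def generate_passphrase(wordlist, n_words, sep=" "):
    """Pick n_words independently and uniformly with the OS CSPRNG."""
    unique = sorted(set(wordlist))  # duplicates would skew the distribution
    if len(unique) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    return sep.join(secrets.choice(unique) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_search_half(bits, guesses_per_second):
    """Expected offline search time: half the keyspace at the given rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS, 6))
    rate = 1e10  # assumed attacker speed, guesses per second
    for n in (3, 4, 5, 6):
        bits = entropy_bits(DICEWARE_SIZE, n)
        years = years_to_search_half(bits, rate)
        print(f"{n} words: {bits:5.1f} bits, ~{years:.3g} years")
```

Each extra word from a 7776-word list multiplies the attacker's work by 7776, which is why word count matters more than character substitutions.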

Understand QR risk

A QR code is another visual form of the same secret. Anyone who scans, photographs, records, or remotely views it can obtain the encoded value. Display it only in a private environment and close it immediately after use.

Clipboard safety

Copying a credential places it in the operating-system clipboard. Other applications, keyboard tools, remote-support software, or malware may read it. Paste promptly, overwrite the clipboard afterward, and avoid copying on shared devices.

Device and browser safety

Use an updated browser on a trusted device. Avoid unknown extensions, public computers, remote screen sharing, and pages served over insecure HTTP. A compromised device defeats local processing.

Recovery planning

Kardix cannot recover forgotten inputs. Critical accounts should have a verified recovery email, security keys, backup codes stored offline, or another independent recovery route.

Phishing check

Before pasting a generated password, verify the exact domain and the browser security indicator. Password generation cannot protect you if you enter the credential into a fake website.

Device checklist

  • Install browser and operating-system updates.
  • Use device encryption and a strong screen lock.
  • Remove unnecessary browser extensions.
  • Avoid public or shared computers for sensitive accounts.
  • Keep recovery codes separate from your passphrase.

Account checklist

  • Use a stable, exact label for each service.
  • Enable multi-factor authentication or passkeys.
  • Verify recovery email addresses and phone numbers.
  • Review active sessions after suspicious activity.
  • Test recovery before an emergency occurs.

Understand the limitation

Kardix cannot identify a mistyped label, restore a forgotten secret, or revoke credentials after exposure. For critical accounts, use independent recovery methods and consider whether a conventional audited password manager better matches your needs.