C-CR.IT (say "secret") algorithmically generates passwords based on the name or domain of a site, and a master key you provide.
To generate a 12-character, high-quality password for one of your online accounts, type in the name or the domain of a site you need to create a password for, type in a Key (your C-CR.IT master password), select an algorithm, and click Keep It C-CR.IT! The next time you need that password, just come back to C-CR.IT and enter the same information: C-CR.IT will return the same generated password. Changing any of the Site, Key, or Algorithm will create a different password, so for each additional account you can just change the Site field, and use the same Algorithm and Key. Unless you use the "original" algorithm, the password generation happens in your web browser, and none of your information is ever sent to the C-CR.IT server.
You have to create an account to do just about anything online these days, and no one wants to spend time coming up with a unique, high-quality password for each Site. Inevitably, many of us end up defaulting to a couple of passwords that we reuse across our many accounts. But this means that when hackers steal user account information from your video game forum, your cellphone company, or your social network, they've not only stolen one of your accounts, they've stolen the ability to access all of the accounts where you used the same password. You're left wondering if you can possibly remember the dozens of places you used the same password, hoping that none of your financial or email accounts are on that list.
The only solution to this problem is to use a different password for each of your accounts—and then find a way to keep track of them.
Some people use password managers to solve this problem. Of course, if you use an online password manager, you run the risk of that service suffering from a security issue. There are other password managers that run on your own computer, but these often require you to buy additional copies of their software for each device (phone, work PC, etc.) you want to use it on. And, of course, the only way these programs can sync your passwords is through an online service, with all of the vulnerabilities of an online password manager. What happens when you need to log into an infrequently-used account from a computer without their software installed? And with both online and local password managers, what happens if such a company goes out of business?
C-CR.IT is different. You go to https://c-cr.it, type in the name or URL of the Site you're creating an account for, and a Key (your C-CR.IT master password), and we use that info to algorithmically generate a strong, 12-character password for you. Best of all, this generation is handled entirely in your web browser: the Site, Key, and generated password are never sent back to our servers. C-CR.IT uses industry-standard SHA256 cryptographic hashing to generate your password, so (using the details provided below) if C-CR.IT suddenly disappeared or turned evil one morning, someone would be able to set up a compatible service quickly and easily. There's no software to install or fees to pay.
Let's say you used C-CR.IT to create a password for your Beenz.com account, and now you hear that yours is one of thousands of passwords leaked due to a security issue. First, rest easy! Your Beenz password is unique, so your Audiogalaxy and Webvan accounts are safe. You'll need a new Beenz password, though, and now you have a few options: change the Site name (say, from "Beenz" to "Beenz2"), change your algorithm (say, from A to B), or change your Key. We think the first two options are preferable, because they're easier to remember.
C-CR.IT makes it easy to be safer online, but it's not the right security tool for everyone. If you believe your account information may be personally targeted—say, because you're an activist, a spy, or a scandal-prone celebrity—you may not want to use C-CR.IT (or, for that matter, any password manager), especially for your most important accounts. If someone found out your usual C-CR.IT Key, what you generally put in the Site field, and what algorithm you use, they could use that information to access any account of yours that has a C-CR.IT-generated password. The odds of this happening are very low, but if someone were willing to dedicate a lot of time and/or resources to you in particular, they may be able to discover this information (in one way or another).

| Algorithm | SHA256 Rounds |
|---|---|
| A | 1100 |
| B | 1200 |
| C | 1300 |
| D | 1400 |

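
The deterministic derivation described above, sketched as an added example that is not C-CR.IT's own code and will not reproduce passwords generated by C-CR.IT. Only the round counts come from the table on this page; the function name `generatePassword`, the Site normalisation, the length-prefixed input encoding and the 62-character alphabet are assumptions.

```javascript
// Added illustration, not C-CR.IT's code. Only the round counts come from
// the page; the input encoding and output alphabet are assumptions.
const crypto = require('crypto');

// SHA256 rounds per algorithm, from the table on this page.
const ROUNDS = new Map([['A', 1100], ['B', 1200], ['C', 1300], ['D', 1400]]);

// Assumed output alphabet (62 symbols); the page does not specify one.
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

function generatePassword(site, key, algorithm, length = 12) {
  const rounds = ROUNDS.get(algorithm);
  if (rounds === undefined) throw new Error(`unknown algorithm: ${algorithm}`);
  // Assumed normalisation: "Beenz", "beenz" and " beenz " are the same Site.
  const siteBytes = Buffer.from(String(site).trim().toLowerCase(), 'utf8');
  const keyBytes = Buffer.from(String(key), 'utf8');
  if (!siteBytes.length || !keyBytes.length) throw new Error('empty input');

  // Assumed encoding: length-prefix the Site so ("ab", "c") and ("a", "bc")
  // can never produce the same hash input.
  const prefix = Buffer.alloc(4);
  prefix.writeUInt32BE(siteBytes.length);
  let digest = Buffer.concat([prefix, siteBytes, keyBytes]);

  // Iterated hashing: each round hashes the previous round's digest.
  for (let i = 0; i < rounds; i++) digest = sha256(digest);

  // Map digest bytes to characters with rejection sampling so every symbol
  // is equally likely (248 is the largest multiple of 62 below 256).
  let out = '';
  while (out.length < length) {
    for (const b of digest) {
      if (b < 248 && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
    digest = sha256(digest); // fresh bytes if too many were rejected
  }
  return out;
}
```

Because the output depends only on the Site, Key and Algorithm, anyone who obtains one generated password and knows the Site can test candidate Keys offline at a cost of roughly a thousand SHA256 calls per guess. The Key therefore needs to be long and hard to guess.
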
C-CR.IT was made by Sean W. Mahan, with continual usability assistance from his wife Laura, and the design vision of JL.