If you have received an encrypted piece of a password for emergencies, then the person who gave it to you has hopefully provided additional pieces to others or stored them in meaningful locations. Once you have three different pieces, you can use this page to reconstruct the password - provided it was encrypted and shared using the procedure described here.
If you have a password that in case of an emergency should be accessible to someone when you are not available, you can use this page to split the password into multiple encrypted pieces. These pieces can be shared, for example, with your friends. Only if three pieces are combined, the secret can be reconstructed.
Only simple math is used in the process, so that you can even do the calculations with pen and paper if necessary. Details and further information can be found in the section on the theory.
If you have received an encrypted piece of a password from someone for emergencies, then that person hopefully has given additional pieces to other people or stored them in meaningful locations. Once you have three different pieces, you can use this page to reconstruct the password - of course only if it was encrypted and shared using the procedure described on this page.
If the password data and validation data differ, the restored password may be incorrect. Possible reasons for this include that pieces were combined that do not belong together, or incorrect data in the pieces.
If you have a password that in case of an emergency should be accessible to someone when you are not available, then on this page you can split the password into multiple encrypted pieces. These pieces can be shared e.g. with your friends, so that only if three pieces are combined, the secret can be reconstructed.
Example description: This is Maria's user data from 2023 at her local bank, shared with her relatives for emergencies.
When you give pieces to others, it's best to also provide a copy of this page. It is designed so you can simply save it as a file and open it again; it works entirely without an internet connection.
Below you will find the encrypted pieces of your password. Following that, there is a suggestion for how you can share the pieces with others in a way that they will still know what they have years from now.
[DYNAMIC TEXT: The encrypted pieces]
Below is an example of how you could pass on the pieces – adapt it as needed.
With this document, you get an encrypted piece of a password.
[DYNAMIC TEXT: Description]
Together with this document I have sent you a file "sharing-passwords.html". Please keep both together in a safe place, for example in your password program. I have given them to you so that in an emergency you – together with two other people who have also received pieces – can reconstruct the password and take any further necessary steps. This is one of [DYNAMIC TEXT: Number pieces], created on [DYNAMIC TEXT: Date]. For the reconstruction of the password, this text is not needed, only the following data:
[Replace this paragraph with the piece you want to share.]
The above piece was created using the web page https://gdiet.github.io/secret-sharing/sharing-passwords.html, of which the enclosed file "sharing-passwords.html" is a copy. The web page can be used without an internet connection and also has a function for restoring the password from three pieces.
In case you cannot use the website or want to manually verify the website's function, here is a description of the procedure for restoring the password from the three pieces:
* Three pieces are given, each with the fields a, b, c, and v.
* c and v are each a list of numbers.
* All c-values are used individually in sequence.
We will call the three a- and b-values and the first c-value of each piece a1, a2, a3, b1, b2, b3, c1, c2, c3. The following procedure must be carried out in the same way for each position in the c-list:
In the following, we need modulo arithmetic operations, which calculate the remainder of an integer division. When a number x is divided by a number y, the expression x mod y gives the remainder of this division. For example, 5 mod 3 = 2, since 5 divided by 3 leaves a remainder of 2. You should handle signs like this:
-17 mod -7 = +17 mod +7 = 3
-17 mod +7 = +17 mod -7 = 7 - (17 mod 7) = 4
Thus, the modulo is never negative.
Additionally, we need a division operation in the modulo 257 number range, which we will call "div257". This division is not the usual division, but a special one that works as follows: You check whether x is divisible by y without a remainder. If it is not divisible without a remainder, you add 257 to x and check again. Repeat this process until you get a number that is divisible by y without a remainder. The result of this division is the result of "div257". Examples:
12 div257 4 = 3 ... 12 / 4 = 3 is divisible without remainder
15 div257 4 ... 15 / 4 is not divisible without remainder
15 div257 4 ... 15 + 257 = 272
15 div257 4 = 68 ... 272 / 4 = 68 is divisible without remainder
From m and n, the number of the password at the current position is calculated:
s = (m mod 257) div257 (n mod 257)
s is a number in the range from 0 to 256. All numbers s = 256 are ignored, the other numbers are interpreted as a UTF-8 string. Commonly used UTF-8 characters are:
When you have calculated the password from the c-values, you can validate it with the v-values. For each v-value, calculate the number s as described above and compare it with the number s calculated from the corresponding c-value. If the password data and validation data differ, the restored password may not be correct. Possible reasons for the differences are that pieces were combined that do not belong together, or that the data in the pieces is not completely correct.
(End of the example text on how to share the pieces with others.)
If you are interested in the mathematics behind the calculation...
... you can find the (possibly padded) UTF-8 numeric values (s-values) that represent the password here:
[DYNAMIC TEXT: Password as Numbers (UTF-8)]
The p and q values, which were used to calculate the c-values (see The theory behind it all), are as follows:
[DYNAMIC TEXT: Values of p and q]
And the following are the p and q values that were used to calculate the v-values for validation:
[DYNAMIC TEXT: Values of p and q (Validation)]
Important: The s-, p- and q values are not needed when you share the password encrypted. Do not share them with others. It is not necessary to save them.
If you have a password that someone should be able to access in an emergency even if you are not reachable, there are ways to split the password into several encrypted pieces. You can share these pieces with friends, for example. Only when a certain number of pieces are combined can the original password be reconstructed.
This page is about a procedure and the theory behind it when three pieces are needed for reconstruction. There are also procedures that require only two pieces, and there are procedures where you can freely choose the number of pieces needed. However, these procedures are not the subject of this page. A well-known approach for "any number" is Shamir's Secret Sharing - you can find more information and an implementation here: https://gdiet.github.io/secret-sharing/share-compact.html
A System of Equations with Three Unknowns
First, let's assume that it is not about a password, but about a secret number s. If I have a system of equations with three unknowns, and one of them is s, then I can solve the system of equations for s without knowing p and q if I have three linearly independent equations.
If p and q are random numbers, and the three values each for a, b, and c are known, then the following system of equations can be solved for s:
With some effort or a math program, you get the following solution for s:
Now comes the condition of "three linearly independent equations": For example, if a1 = a2 = a3, then the denominator is zero, and we have a problem when dividing. Only if the denominator is not zero can we calculate s.
The following fifteen a/b value pairs have the property that any combination of three a/b pairs is linearly independent:
I determined these value pairs using a program that checks random combinations for independence:
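    // All candidate a/b pairs with a and b in 1..9
    val tuples = for {i <- 1 to 9; j <- 1 to 9} yield (i, j)
    // Runs until interrupted; prints every random selection of 15 pairs
    // in which each combination of three pairs is linearly independent.
    while (true)
      val selection = scala.util.Random.shuffle(tuples).take(15)
      if selection.combinations(3).forall {
        case Seq((a1, b1), (a2, b2), (a3, b3)) =>
          a1*b3 + a2*b1 + a3*b2 - a1*b2 - a2*b3 - a3*b1 != 0
      } then println(selection)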
Additional value pairs can be determined, but for now, we are not interested in them.
That looks pretty good so far. We can give up to 15 people each a set of independent a / b / c values, so that it always takes three people to reconstruct s. Or does it?
Additional Knowledge
Does it really take three people to gain information about the secret number s? In reality, this is not always the case. This is because people may be able to use additional knowledge about p, q, and s. For example, if it is known that p, q, and s are bytes, i.e., numbers in the range [0..255], and if a c value is 255, then the corresponding p/q values must be 0 and s = c. Or if it is known that only integers are used in the calculation, and if a person has a, b, and c all even, then this person knows that s is also even. These and similar considerations can be used to gain at least some insights about the secret value s from just one or two equations.
The Number Space mod 257
That's why we use a trick: We perform all calculations modulo 257 (mod 257), which gives us the number range [0..256] — a practical space for working with bytes.
Instead of 257, you could also use any other prime number. With mod 101, for example, we would have the number range [0..100], which can also be very practical depending on the application...
For negative numbers in modulo operations, we use the following rules:
-x mod -y = +x mod +y
-x mod +y = +x mod -y = y - (x mod y)
That way, the modulo is never negative. Example:
-17 mod -7 = +17 mod +7 = 3
-17 mod +7 = +17 mod -7 = 7 - (17 mod 7) = 4
For example, if someone knows the values a = 2, b = 2, c = 2, they still have no additional information about s, because
s = (a*p + b*q + c) mod 257
depending on the values of p and q, can be any number in the range [0..256].
Calculating in the Number Space mod 257
Addition : a + b in the number space mod 257 = (a + b) mod 257
Subtraction : a - b in the number space mod 257 = (a - b) mod 257
Multiplication: a * b in the number space mod 257 = (a * b) mod 257
Division : a / b in the number space mod 257 = ... ?
Division is a bit more involved: It is the inverse of multiplication, so "find the number c such that (b * c) mod 257 = a". You calculate c most easily like this: Check if a is divisible by b without remainder. If it is not divisible without remainder, add 257 to a and check again. Repeat this process until you get a number that is divisible by b without remainder. The result of this division is the desired number c.
For negative numbers:
-a / -b = +a / +b | in the number space mod 257
-a / +b = +a / -b = 257 - ( +a / +b ) | in the number space mod 257
Sharing Passwords
Now, let's see how to actually share passwords using the above tools:
Convert the password to numbers: Determine the UTF-8 code of the password. You get a sequence of numbers s in the range [0..255].
Extend the password to a minimum length: If you want to hide the length of the password, insert the number 256 into the sequence as often as you like, for example at the end.
For each number s in the sequence, choose two new random numbers p and q from the range [0..256].
For each piece you want to create, calculate the number c for each number s in the sequence. Calculate in the mod 257 space and use the a/b pairs mentioned above.
For example, if you have the following values
a = 4, b = 7, p = 23, q = 218, s = 65
then calculate
a * p + b * q + c = s | mod 257
c = s - a * p - b * q | mod 257
c = (65 - 4 * 23 - 7 * 218) mod 257
c = (-1553) mod 257
c = 257 - (1553 mod 257)
c = 257 - 11
c = 246
To allow validation of the reconstructed password later, repeat the procedure with new random numbers p and q to create the v values.
For each piece, provide the values a and b as well as the list of c and v values. The piece can then look like this:
You have three pieces, each with a and b as well as the list of c and v values.
From these numbers, calculate the two lists of s values - the first list from the c values, the second from the v values. Use the formula for s that we derived above from the system of three equations, and calculate in the mod 257 number space.
Compare the two lists of s values. If they differ, the restored password may not be correct. Possible reasons for the differences, besides calculation errors, are that pieces were combined that do not belong together, or that the data in the pieces is not completely correct.
Remove all numbers equal to 256 from the list.
Interpret the resulting list of bytes as a UTF-8 string.
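The sharing and restoring steps above, as an added JavaScript example that is not code from this page or its author. The a/b pairs in PAIRS are constructed for the example (they are not the page's fifteen pairs), the formula in solve is derived here from the page's equation a * p + b * q + c = s, and the Web Crypto random source is an assumption about how p and q are drawn.

```javascript
const P = 257; // prime modulus used throughout the page
const PAIRS = [[4, 7], [1, 2], [3, 5], [2, 9]]; // constructed; any three are independent
// Remainder that is never negative, as the page requires.
const mod = (x) => ((x % P) + P) % P;

// The page's "div257": add 257 to x until y divides it without remainder.
function div257(x, y) {
  x = mod(x); y = mod(y);
  if (y === 0) throw new Error("pieces are not linearly independent mod 257");
  while (x % y !== 0) x += P;
  return x / y;
}

// Uniform [0..256] from Web Crypto (assumed global); 65535 = 255 * 257, reject 65535.
function secureRand257() {
  const buf = new Uint16Array(1);
  do globalThis.crypto.getRandomValues(buf); while (buf[0] === 65535);
  return buf[0] % P;
}

// Sharing: c = s - a*p - b*q (mod 257) per position; v repeats it with fresh p/q.
function split(password, pairs = PAIRS, rand257 = secureRand257, padTo = 0) {
  const s = [...new TextEncoder().encode(password)];
  while (s.length < padTo) s.push(256); // 256 is padding that hides the length
  const encrypt = () => {
    const pq = s.map(() => [rand257(), rand257()]);
    return pairs.map(([a, b]) => s.map((x, i) => mod(x - a * pq[i][0] - b * pq[i][1])));
  };
  const c = encrypt(), v = encrypt();
  return pairs.map(([a, b], k) => ({ a, b, c: c[k], v: v[k] }));
}

// Solve a_i*p + b_i*q + c_i = s for s at position i. The weights w cancel p and q
// (sum w_i*a_i = sum w_i*b_i = 0), leaving s = sum(w_i*c_i) / sum(w_i) mod 257.
function solve([x, y, z], list, i) {
  const w = [y.a * z.b - z.a * y.b, z.a * x.b - x.a * z.b, x.a * y.b - y.a * x.b];
  const num = w[0] * x[list][i] + w[1] * y[list][i] + w[2] * z[list][i];
  return div257(num, w[0] + w[1] + w[2]);
}

// Restoring: compute s from c and from v, compare, drop 256s, decode UTF-8.
function reconstruct(pieces) {
  if (pieces.length !== 3) throw new Error("exactly three pieces are required");
  const fromC = pieces[0].c.map((_, i) => solve(pieces, "c", i));
  const fromV = pieces[0].v.map((_, i) => solve(pieces, "v", i));
  const valid = fromC.length === fromV.length && fromC.every((s, i) => s === fromV[i]);
  const bytes = Uint8Array.from(fromC.filter((s) => s !== 256));
  return { password: new TextDecoder().decode(bytes), valid };
}
```

For a and b values in 1..9 the magnitude of the denominator stays below 257, so pairs that pass the integer independence check are also independent mod 257.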