Check PW

Confirm a Secret without Revealing it.


Frequently Asked Questions


Q: This all seems unnecessary. Why can’t User A just say the first letter of the passphrase? If that’s what User B has, User B can say the next letter and so on. With this simple method you don’t need any fancy website, and not much has been compromised by sharing one letter! Likewise, the bank customer can give the first initial of the mother’s maiden name. If it’s really the bank, that should be sufficient and if it’s a scam not much information has been revealed.

A: This is a poor solution to the problem.
The thinking is that we can release a little information: small enough to be safe, but large enough to confirm the passphrase.
But this approach is flawed because:
  • If the bank will accept the first initial of a last name in place of the complete last name, then an Evil Operator who gets the first initial now has enough to steal the customer’s identity.
  • On the other hand, if the first initial is insufficient to steal the customer’s identity, then by definition the bank will not accept it either.

Q: But why would anyone trust your website with the data they are trying to hide? If User A doesn’t trust User B, why would he trust your website?

A: Because the site is very dumb and transparent. It performs one simple task and then forgets what it just did.
When a passphrase or other secret data is entered, the site doesn’t know whether it just received a bank account password, the military’s nuclear launch code, or a random 10-year-old’s favorite breakfast cereal. The site receives many inquiries continuously, and the data is meaningless out of context.

Q: Why can’t the users just each write their answer on a piece of paper and then turn them over to see if they match?

A: Are you kidding me?! Have you been reading any of this? Our objective is to confirm a match without sharing the secret. The paper method reveals the secret. In fact, an Evil Operator can write nonsense or leave his paper blank and get the secret code when the other user turns over his paper.

Q: Why can’t User A and User B just independently run the secret phrase through a SHA-256 hash function and compare the results? I thought a hashed value can’t be decrypted.

A: This can sometimes work.
If the data string is a strong, random password, such as a4vz}9{79AG6MD, then using the hash method is fine.
However, if the secret phrase is a last name, for example, this is a bad method. The flaw is that an Evil Agent can simply hash 100, or 1,000, or 1,000,000 last names and compare each result to your hash value to see which one matches.
You actually can use a hash function in conjunction with this site. The two users could first independently hash the passwords and then run the hashes through the site. This way, our site does not see the secret phrase, just the hashed phrase. It’s not necessary because, again, our site receives lots of data inputs and no context. The inputs could be from bots talking to each other or anyone. We have no idea and we don’t ask. And then we delete the data. But have at it: hash your phrase before you enter it, it makes no difference to us.
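
The guessing problem described above, shown as an added example (not CheckPW’s own code): a bare SHA-256 of a surname is recovered from a constructed name list in a fraction of a second, while the FAQ’s random password is not, because no list of names contains it.

```python
import hashlib
from typing import Iterable, Optional

# Constructed stand-in for a public list of common surnames (a real list
# would have hundreds of thousands of entries; the technique is the same).
COMMON_SURNAMES = ["Smith", "Johnson", "Williams", "Brown", "Jones",
                   "Garcia", "Miller", "Davis", "Rodriguez", "Martinez"]


def sha256_hex(secret: str) -> str:
    """Hash a secret the way the 'just compare SHA-256 values' idea would."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def spellings(name: str) -> Iterable[str]:
    """Obvious spellings a guesser would also try, since they cost nothing."""
    return (name, name.lower(), name.upper())


def recover_from_hash(published_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Try every candidate spelling against a bare hash; return the one that
    matches, or None if the secret is not in the candidate space at all."""
    for cand in candidates:
        for variant in spellings(cand):
            if sha256_hex(variant) == published_hash:
                return variant
    return None


def demo():
    """Low-entropy secret (a surname) falls to the list; the FAQ's random
    password does not, because a list of names says nothing about it."""
    surname_result = recover_from_hash(sha256_hex("garcia"), COMMON_SURNAMES)
    password_result = recover_from_hash(sha256_hex("a4vz}9{79AG6MD"), COMMON_SURNAMES)
    return surname_result, password_result


if __name__ == "__main__":
    print(demo())  # ('garcia', None)
```

The same loop scales to any candidate list, so the only thing that protects a bare hash is the size of the space the secret was drawn from, not the hash function.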

Q: Why isn’t there a chat or communication feature on the site? That would be convenient.

A: To protect the User.
A communication app on this site would be like putting bleach in the refrigerator next to the milk: it makes a mistake more likely. We don’t want anyone to accidentally put their secret phrase in the communication app and send it to User B. We are looking out for you.

Q: If an Evil Agent had almost figured out the secret code and was down to two possibilities, couldn’t they use this service against an unsuspecting victim to figure out which of the two is correct?

A: Yes, they could. But in this case, the Evil Agent could likely have tried both possibilities anyway. This case suggests significant breaches took place earlier. Don’t blame us.

Q: Couldn’t an Evil Agent who knew one piece of information (mother’s maiden name, for example) use your site to falsely bolster their credibility and then scam the User out of other information?

A: Possibly. But then, they could do that without our site, too. An Evil Operator could tell a User, “I know your mother’s name and address and social security number, so I am clearly legitimate; please can you tell us your password now?” I’ll bet that sometimes works, unfortunately. But, as in the previous FAQ, that problem didn’t start with our site.

Q: Couldn't someone clone your site and use it to steal my secret?

A: Good question. If you are concerned about this, it is better if YOU go to checkpw.com and have User B scan your code. Or you could both go to checkpw.com and then one of you could enter the other's session code. We can't think of a way to break the security if you do either of these. But if you are scanning User B's QR code, make sure that the address your web browser wishes to open is actually checkpw.com followed by a session code. Then you're good.
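
One way to perform the address check described above, as an added example that is not code from CheckPW. It assumes the genuine address has the form https://checkpw.com/<session code> (a www. prefix is also accepted) and that a session code is a single path segment of letters, digits, hyphens or underscores; both are assumptions, not a format the site documents.

```python
import re
from urllib.parse import urlsplit

GENUINE_HOSTS = {"checkpw.com", "www.checkpw.com"}   # "www." form is an assumption
SESSION_CODE = re.compile(r"[A-Za-z0-9_-]+")         # assumed session code format


def is_genuine_checkpw_url(url: str) -> bool:
    """True only if a scanned URL would open checkpw.com itself, over HTTPS,
    with a session code as its path. Everything else is treated as a clone."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # .hostname is lower-cased with userinfo and port stripped, so
    # "https://checkpw.com@evil.example/..." yields "evil.example", and
    # "checkpw.com.evil.example" is compared whole rather than by prefix.
    host = parts.hostname
    if host is None or host.rstrip(".") not in GENUINE_HOSTS:
        return False
    segments = [s for s in parts.path.split("/") if s]
    return len(segments) == 1 and SESSION_CODE.fullmatch(segments[0]) is not None


if __name__ == "__main__":
    # Constructed sample addresses: one genuine form and common look-alike tricks.
    for sample in [
        "https://checkpw.com/abc123",
        "https://CheckPW.com:443/abc123",
        "http://checkpw.com/abc123",                  # not HTTPS
        "https://checkpw.com@evil.example/abc123",    # userinfo trick
        "https://checkpw.com.evil.example/abc123",    # subdomain trick
        "https://evil.example/checkpw.com/abc123",    # name hidden in the path
        "https://checkpw.com/",                       # no session code
    ]:
        print(is_genuine_checkpw_url(sample), sample)
```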

Q: How do you make money from this site?

A: Right now we don't. If it takes off, maybe we'll put some ads on the bottom of the screen, or sell the movie rights, maybe get a book deal...

Q: Does the NSA, FBI, CIA, or any other spy agency have a secret "cheat code" that shows a green check no matter what the other User inputs and then steals the secret code?

A: No secret codes. Zero. If you are a Reuters or AP reporter and want to do a story on this site, we will be happy to give you all the code, change logs, and all communications between the members of our team so you can feel confident that this never happened.

Q: There’s already a site that does this.

A: Please tell us about it. We looked and found nothing like CheckPW.com. We even paid someone to do research in three languages and he couldn’t find anything like it either. But let us know what you have in mind! Use the contact app on this site to get in touch.

Copyright 2021 CheckPW.
