CarryPass Public Challenge

This is not about proving CarryPass is unbreakable. It's about showing that a stateless password manager can remain secure — even when fully open and the master password is known — because guessing the right inputs is computationally hard.

Challenge Status

Challenge Goal

CarryPassRocks2025

Let’s assume the user owns an account at carrypass.net, and this master password was used to generate a login credential for that service.

Your task is to determine the exact combination of service input, password length, charset, and security number — and enter the correct variant of the generated passwords to solve the challenge.

Reflection

Congratulations — you’ve successfully derived one password using CarryPass. But here's the key difference compared to a traditional vault:

If this had been a vault-based password manager, cracking the master password would give you access to every stored password.
But because CarryPass is stateless and deterministic, this one password you cracked tells you nothing about any others.
Each password is independently derived from exact service-specific inputs and settings — without a central vault to compromise.

This is what makes CarryPass resilient by design: you cracked one door, not the building.

Submit Your Solve

Congratulations on completing the challenge! To have your solution evaluated, please send an email with the required information listed below.

📩 Email: info.carrypass@proton.me

📜 Please include the following in your email:

Your alias (e.g., netseclover67 or John D.)
Whether you'd like your alias mentioned in the PrivacyGuides Showcase (yes/no)
The flag you received
A link to a screenshot of the success screen (e.g., Imgur link, or uploaded to the email)
The settings used to derive the password:
- Service name
- Password length
- Character types used
- Security level
The final password you derived

🔒 We only use this information to validate challenge submissions. For more information, please see our Privacy Policy.