The concept is the same but the rules for using the card are different.
Some examples are explained on the site.

I found the idea interesting and might give it a try.

TechRepublic: Could you describe how LastPass works, specifically the interaction between the local LastPass client and LastPass.com?

Siegrist: LastPass installs an add-on in the browser to capture usernames and passwords as you enter them. The captured data is encrypted, saved locally, and sent to LastPass servers. That way access is not confined to just the one computer.

So, it still requires an addon in your browser. Which makes sense. Without installing a 3rd party utility, one way or the other, how does LastPass know to fill in my Google credentials when I am presented with their login form? You can’t get around it. One way or another, software must be installed, in the browser or otherwise, and some people might just not have permissions to perform such an installation on the computer they’re using.

When you go to a cyber-cafe or a new computer and login, first a hash is made locally to check if your account exists and your password is correct. If it is, then your data is downloaded and decrypted on the local computer you’re using; this includes LastPass.com where it’s done using JavaScript (that’s why there is a delay when you first login).

And here is an interview that explains how it works: http://www.techrepublic.com/blog/security/lastpass-is-it-the-password-manager-for-you/3291

However, I didn’t know that you could access your encrypted vault using the browser only, without any special software or extension to install. You say that JavaScript does the decrypting, without your key. I’m assuming that you visit the webpage, provide your account details, and your password is your key? Which was (hopefully) transmitted via HTTPS? Then your “vault” is available to you… how? Just on the web page, or stored in the clipboard, or something else? Curious.

And concerning the “security breach” – they couldn’t even confirm a break-in, it was just that a lot of data was transfered through their network, so they feared that something could have happened. In reaction to this, they instantly informed everybody about the problems and locked down all accounts, as long as the e-mail addresses weren’t confirmed. As soon as you confirmed your e-mail, you could re-set your password, or decide that it was strong enough to withstand a dictionary/bruteforce attack.

Until now, I’ve been happy with their level of transperency, and I decided to trust them. Especially because there are various possibilities for multi-factor-authentication.

Password cards are different here, because you carry everything you need in your wallet. There is no extra hardware or software required to get access to your passwords, they’re secure, and highly obfuscated. It’s 100% platform, hardware and software independent.

It also supports multifactor authentication, using either a YubiKey or a printout grid card.

Of course you need to trust them about their software, but they seem to be very transparent, even with security problems (their servers were possibly exploited some time ago, so they e-mailed everybody and set up a password reset process). And you only authenticate once (you can change this behavior) and then get access to all the passwords.

I also think the other people’s computer is completely a red herring – obviously having KeePass on your phone means you can use it anywhere, for any system.
I also agree that your card being stolen means you should switch to a new set of passwords – unless you are using a really unusual set of travel rules, most people’s use of the card will be simple – one of eight directions, bounce or wrap, 6-12 characters.

Here is an explanation of why putting your trust in the card is will not improve your memory as Plato put it:

“[Writing] will introduce forgetfulness into the soul of those who learn it: they will not practice using their memory because they will put their trust in writing, which is external and depends on signs that belong to others, instead of trying to remember from the inside, completely on their own…” [2]

[1] http://www.ribbonfarm.com/2010/07/26/a-big-little-idea-called-legibility/
[2] found that quote over there (worth reading btw): http://www.ribbonfarm.com/2011/03/10/the-return-of-the-barbarian/

- Losing the card being a single point of failure, i was looking for stuff that can’t be lost, hence my suggestion of the keyboard layout which has its own drawbacks, but which can be improved with little additional effort, such as doubling each letter (You said earlier entropy grows more quickly with password length) or turning every 3rd letter to uppercase or any other variation you can come up with, probably not as good than the card but It would add to unpredictability and entropy while only slowing the typing process a little.

While discussing password strength, let’s keep in mind that a even the strongest password is no match to a key logger or a session hijacker [1], a secure password policy has to be part of password security. Relying only on password strength is usually a recipe for failure in the long run.
Though it is worth mentioning that it all boils down on foreseeing what kind of threats you’ll have to deal with [2].

The memory improvement suggestion was part of finding a way to get rid of relying on an external support to remove this possible point of failure. What I meant was while there’s no additional benefit from relying on an external support, there are several from improving your memory (to be able to remember the card content, or any other material related to your password). Though I realize not everyone will go the extra length of this kind of mind training.

[1] as firesheep demonstrates http://codebutler.github.com/firesheep/
[2] a related funny story told at defcon 18 of a stolen computer being recovered: http://hackaday.com/2010/12/25/a-hackers-marginal-security-helps-return-stolen-computer/