I'm actually surprised that I haven't blogged this already. This is a topic that is right up my alley, so it definitely belongs here.
How many times have you been told that you need to use secure passwords? This includes using uppercase and lowercase letters, numbers and symbols. You're told to make your password hard to guess, lengthy and to not write it down. Further, you shouldn't use the same password on multiple sites, but keep them all separate.
Now, ask yourself this question seriously: Do I do this?
I didn't. Then I started seeing close friends' and family members' Twitter, Facebook and Google accounts hacked. It was a sharp lesson for them to use strong passwords, and it motivated me to get my passwords in order as I should. Unfortunately, this is a royal pain in the rear. I probably use a dozen services on the web regularly, not to mention my operating system accounts for work and home. My list of passwords is quite lengthy. Is there a way to keep them straight?
Fortunately, there is. Welcome http://passwordcard.org. The idea is simple: generate a password card that has your passwords printed on the card IN PLAIN TEXT. Carry the card with you in your wallet or purse, and you have access to strong passwords for every account you have, and should an attacker get access to your card, there are practically infinite possibilities for what your password could be. There is a catch, though.
As you can see in the screenshot, there are 8 colored rows and 29 columns with various symbols across the top. On the site, you enter a number (a hexadecimal number, actually) to generate your unique card. You can decide whether or not to include symbols and whether to have an area with only numbers. After generating your card, print it out, laminate it, and stuff it in your wallet/purse. Now, when creating new accounts, choose a password starting from a certain column and row and going 8/10/etc. characters from there. For example, maybe you have a Facebook account. You could start at the smiley column on the dark blue line and move 10 characters to the right (in this screenshot, that would be: "X#szN#g2e5"). This would be your Facebook password. Of course, all you need to remember is "dark blue smiley" for your Facebook password, the direction of the password and its length.
Of course, you can travel in any direction on the card that you wish. Maybe you want to go down, right, left or up. Maybe you want to travel diagonally, maybe even rebounding off the walls at 90-degree angles. Swirl out or in. Not only direction, but length as well. Rather than a static 8 or 10 characters, maybe the length of your password is "at least 10 characters or including 3 symbols, whichever is greater". You get the idea. It's probably best to keep the travel direction and password length the same for all passwords, so you don't have to remember too much. After all, we want this secure, but we want it easy to recall from memory as well.
So, in other words, all you need to remember is:
- The hexadecimal number that generated your card (in case you need to regenerate it).
- The starting point (symbol and color) for your password.
- The directional path the password takes.
- The password length.
- Your wallet/purse.
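To make the card-and-path scheme above concrete, here is a small Python model of it. This is an added example written for this post, not the code behind passwordcard.org (whose generator has not been released, as noted below): the seed-to-card derivation (SHA-256 in counter mode), the character set, and the use of plain row/column indices instead of the site's colors and header symbols are all my assumptions. It generates an 8 x 29 card from a hexadecimal seed, reads a password by walking from a start cell in a chosen direction, refuses a path that runs off the card, and counts how many (start, direction) pairs produce a full-length password, which is the number of candidates someone holding a copy of the card would have to try for a given length.

```python
import hashlib
import string
from itertools import count

ROWS, COLS = 8, 29

# Constructed character sets (an assumption, not the site's alphabet).
# Symbols are limited to ones found on common keyboards, which avoids
# the Pound/Euro problem described in the gripes section.
ALPHANUM = string.ascii_letters + string.digits
SYMBOLS = "!#$%&*+-=?@^_"

# Straight and diagonal paths; (row step, column step) per character.
DIRECTIONS = {
    "right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0),
    "down-right": (1, 1), "down-left": (1, -1),
    "up-right": (-1, 1), "up-left": (-1, -1),
}


def keystream(seed_hex):
    """Deterministic byte stream from the hex seed: SHA-256 of seed||counter.
    (Assumed construction; passwordcard.org's method is unpublished.)"""
    seed_hex = seed_hex.zfill(len(seed_hex) + len(seed_hex) % 2)
    seed = bytes.fromhex(seed_hex)  # raises ValueError on non-hex input
    for i in count():
        yield from hashlib.sha256(seed + i.to_bytes(4, "big")).digest()


def generate_card(seed_hex, include_symbols=True, rows=ROWS, cols=COLS):
    """Return the card as a list of `rows` strings of `cols` characters each.
    The same seed always yields the same card, so it can be regenerated."""
    alphabet = ALPHANUM + (SYMBOLS if include_symbols else "")
    limit = 256 - 256 % len(alphabet)  # rejection sampling keeps cells uniform
    stream = keystream(seed_hex)
    card = []
    for _ in range(rows):
        row = []
        while len(row) < cols:
            b = next(stream)
            if b < limit:
                row.append(alphabet[b % len(alphabet)])
        card.append("".join(row))
    return card


def read_password(card, row, col, direction, length):
    """Walk `length` cells from (row, col) in `direction` and return the string.
    Raises ValueError if the path leaves the card before `length` cells."""
    dr, dc = DIRECTIONS[direction]
    chars = []
    r, c = row, col
    for _ in range(length):
        if not (0 <= r < len(card) and 0 <= c < len(card[0])):
            raise ValueError(f"path leaves the card after {len(chars)} characters")
        chars.append(card[r][c])
        r, c = r + dr, c + dc
    return "".join(chars)


def candidate_count(card, length, directions=tuple(DIRECTIONS)):
    """Number of (start cell, direction) pairs that yield a full-length
    password: the search space for someone who has a copy of the card."""
    n = 0
    for r in range(len(card)):
        for c in range(len(card[0])):
            for d in directions:
                try:
                    read_password(card, r, c, d, length)
                    n += 1
                except ValueError:
                    pass
    return n


if __name__ == "__main__":
    card = generate_card("cafe1234")  # constructed seed for the demo
    for line in card:
        print(line)
    # "row 2, column 5, 10 characters to the right" is all you have to remember
    print("password:", read_password(card, 2, 5, "right", 10))
    print("candidates for a 10-char straight path:",
          candidate_count(card, 10, ("right", "left", "down", "up")))
```

The `candidate_count` figure is the part worth keeping in mind: the card removes the burden of memorizing random strings, but once a copy of the card exists, the remaining secret is only the start cell, direction and length, so the card itself has to be treated as a credential.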
Now, at this point, you can change all the account passwords that you have: Google, Yahoo!, Twitter, Facebook, OpenID, your Windows/Mac/Ubuntu system password, etc. I've done this with all the accounts I commonly access. I admit that it's a bit of a pain to pull the card out of my wallet so often when logging into various accounts. However, as I continue to log in, I begin memorizing the passwords, and it becomes less of an issue. I've already memorized a few of them.
Because your wallet/purse is likely the most tracked item in your possession, minus maybe your kids, it makes sense to put your password card in it. It's secure. Further, you can access the site via secure HTTP, and they have a mobile site for Android/iPhone/Blackberry phones.
Now, as awesome as this is, I have a couple of gripes:
- I don't like that I must use a hexadecimal number to generate the unique card. I don't understand why any string of text would not work. The hexadecimal requirement is perplexing to me.
- Further, I live in the United States, and when including symbols in the output, the British Pound and Euro symbols are included (as you can see above). I don't have immediate access to those symbols on my keyboard, as they aren't universal. So, it took a bit of effort to generate a card that didn't include those symbols in the output.
- Lastly, this service isn't Free Software, i.e., the code for generating the card has not been released. I imagine this would be rather trivial to code in Python or similar, but for the time being, it's software as a service. I'm okay with that.
I've been using this for my passwords for a few months now, and I love it. I've shown it to family members, and it's generated good discussion. It's not a big deal for me to pull out the card, type in my password, and move on. If you're skeptical, give it a shot on one of your accounts and see how it works. If you like it, move on to using it for more accounts. I think you'll find it's worth it.