Password Cards

I'm actually surprised that I haven't blogged this already. This is a topic that is right up my alley, so it definitely belongs here.

How many times have you been told that you need to use secure passwords? This includes using uppercase and lowercase letters, numbers and symbols. You're told to make your password hard to guess, lengthy and to not write it down. Further, you shouldn't use the same password on multiple sites, but keep them all separate.

Now, ask yourself this question seriously: Do I do this?

I didn't. Then I started seeing close friends' and family members' Twitter, Facebook and Google accounts hacked. It was a sharp lesson for them to use strong passwords, and it motivated me to get my passwords in order as I should. Unfortunately, this is a royal pain in the rear. I probably use a dozen services on the web regularly, not to mention my operating system accounts for work and home. My list of passwords is quite lengthy. Is there a way to keep them straight?

Fortunately, there is. Welcome http://passwordcard.org. The idea is simple: generate a password card that has your passwords printed on it IN PLAIN TEXT. Carry the card with you in your wallet or purse, and you have access to strong passwords for every account you have; should an attacker get hold of your card, there are practically infinite possibilities for what your password could be. There is a catch, though.

As you can see in the screenshot, there are 8 colored rows and 29 columns with various symbols across the top. On the site, you enter a number (a hexadecimal number, actually) to generate your unique card. You can decide whether or not to include symbols and whether to have an area with only numbers. After generating your card, print it out, laminate it, and stuff it in your wallet/purse. Now, when creating new accounts, choose a password starting from a certain column and row, and go 8/10/etc. characters from there. For example, maybe you have a Facebook account. You could start at the smiley column on the dark blue line, and move 10 characters to the right (in this screenshot, that would be: "X#szN#g2e5"). This would be your Facebook password. All you need to remember is "dark blue smiley" for your Facebook password, the direction of the password and its length.

Of course, you can travel in any direction on the card that you wish. Maybe you want to go down, right, left or up. Maybe you want to travel diagonally, perhaps even rebounding off the walls at 90-degree angles. Swirl out or in. Not only direction, but length as well. Rather than a static 8 or 10 characters, maybe the length of your password is "at least 10 characters or including 3 symbols, whichever is longer". You get the idea. It's probably best to keep the travel direction and password length the same for all passwords, so you don't have to remember too much. After all, we want this secure, but we want it easy to recall from memory as well.

So, in other words, all you need to remember is:

  • The hexadecimal number that generated your card (in case you need to regenerate it).
  • The starting point (symbol and color) for your password.
  • The directional path the password takes.
  • The password length.
  • Your wallet/purse.
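The generate/print/read procedure above, as an added example that is not passwordcard.org's code (their generator has not been released): a deterministic card builder plus a reader that walks start symbol, color, direction and length with the 90-degree wall rebound. The color names, the 29 column symbols, the ASCII-only punctuation set and SHA-256 seeding are all assumptions made for this example; the last function also counts how many distinct strings a plain straight-line read of a given length can yield on one card, which is the search space debated in the comments below.

```python
"""Toy password-card generator and reader (added example, not passwordcard.org's code).

Constructed for this example: 8 colour names, 29 column symbols, a keyboard-safe
punctuation set, and SHA-256 so that *any* seed string (not only hex) yields a card.
"""
import hashlib
import random
import string

ROWS, COLS = 8, 29
# Colour names are assumed; the real card's palette is only visible in its screenshot.
COLORS = ["grey", "purple", "red", "green", "yellow",
          "dark blue", "light blue", "orange"]
# 29 column symbols, constructed for this example (index 0 is the smiley).
SYMBOLS = list("☺★♥♦♣♠☀☂✈✉✎☎☑♪♫♬♭✿❄♔♕♖♗♘♙⌂☯✝✓")
assert len(SYMBOLS) == COLS and len(COLORS) == ROWS

# Keyboard-safe punctuation only: no £ or €, the symbols the post complains about.
ASCII_SYMBOLS = "!#$%&*+-=?@"

# Directions as (row step, column step): the eight straight and diagonal moves.
RIGHT, LEFT, DOWN, UP = (0, 1), (0, -1), (1, 0), (-1, 0)
DOWN_RIGHT, DOWN_LEFT, UP_RIGHT, UP_LEFT = (1, 1), (1, -1), (-1, 1), (-1, -1)
DIRECTIONS = [RIGHT, LEFT, DOWN, UP, DOWN_RIGHT, DOWN_LEFT, UP_RIGHT, UP_LEFT]


def seed_to_int(seed):
    """Any string works as a seed once hashed, so a hex-only rule is unnecessary."""
    return int.from_bytes(hashlib.sha256(seed.encode("utf-8")).digest(), "big")


def generate_card(seed, include_symbols=True, numbers_area=False):
    """Return an 8x29 grid of characters fully determined by `seed`.

    numbers_area=True makes the bottom two rows digits-only (PIN-style fields),
    mirroring the site's option.
    """
    rng = random.Random(seed_to_int(seed))  # same seed -> same card, so it can be reprinted
    alphabet = string.ascii_letters + string.digits
    if include_symbols:
        alphabet += ASCII_SYMBOLS
    card = []
    for row in range(ROWS):
        pool = string.digits if numbers_area and row >= ROWS - 2 else alphabet
        card.append([rng.choice(pool) for _ in range(COLS)])
    return card


def read_password(card, symbol, color, direction, length):
    """Read `length` characters from (symbol, color), walking `direction`.

    Leaving an edge reflects that axis of travel (the 90-degree rebound the
    post describes), so the walk never runs off the card.
    """
    r, c = COLORS.index(color), SYMBOLS.index(symbol)
    dr, dc = direction
    out = [card[r][c]]
    while len(out) < length:
        nr, nc = r + dr, c + dc
        if not 0 <= nr < ROWS:
            dr, nr = -dr, r - dr  # bounce vertically
        if not 0 <= nc < COLS:
            dc, nc = -dc, c - dc  # bounce horizontally
        r, c = nr, nc
        out.append(card[r][c])
    return "".join(out)


def straight_line_candidates(card, length):
    """Every string a straight-line read of `length` can produce on this card.

    This is the search space facing someone who holds the card and knows the
    owner only reads in one of the eight directions: at most 8 * 29 * 8 strings.
    """
    found = set()
    for color in COLORS:
        for symbol in SYMBOLS:
            for direction in DIRECTIONS:
                found.add(read_password(card, symbol, color, direction, length))
    return found


def render(card):
    """Plain-text rendering: symbol header, then one line per colour row."""
    lines = ["            " + " ".join(SYMBOLS)]
    for color, row in zip(COLORS, card):
        lines.append(f"{color:>11} " + " ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    card = generate_card("deadbeefcafe")  # constructed seed
    print(render(card))
    # "dark blue smiley, 10 to the right", as in the post's Facebook example.
    print("Facebook password:", read_password(card, "☺", "dark blue", RIGHT, 10))
    print("straight-line candidates of length 10:",
          len(straight_line_candidates(card, 10)))
```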

Now, at this point, you can change all the account passwords that you have. Google, Yahoo!, Twitter, Facebook, OpenID, your Windows/Mac/Ubuntu system password, etc. I've done this with all the accounts I commonly access. I admit that it's a bit of a pain to pull the card out of my wallet so often when logging into various accounts. However, as I continue to log in, I begin memorizing the password, and it becomes less of an issue. I've already memorized a few of them.

Because your wallet/purse is likely the most closely tracked item in your possession, minus maybe your kids, it makes sense to put your password card in it. It's secure. Further, you can access the site over HTTPS, and they have a mobile site for Android/iPhone/BlackBerry phones.

Now, as awesome as this is, I have a couple of gripes:

  1. I don't like that I must use a hexadecimal number to generate the unique card. I don't understand why any string of text would not work. The hexadecimal requirement is perplexing to me.
  2. Further, I live in the United States, and when including symbols in the output, the British Pound and Euro symbols are included in the output (as you can see above). I don't have immediate access to those symbols on my keyboard, as they aren't universal. So, it took a bit to generate a card for me that didn't include those symbols in the output.
  3. Lastly, this service isn't Free Software, i.e. the code for generating the card has not been released. I imagine this would be rather trivial to code in Python or similar, but for the time being, it's Software as a Service. I'm okay with that.

I've been using this for my passwords for a few months now, and I love it. I've shown it to family members, and it's generated good discussion. It's not a big deal for me to pull out the card, type in my password, and move on. If you're skeptical, give it a shot on one of your accounts, and see how it works. If you like it, move on to using it for more accounts. I think you'll find it's worth it.

59 Comments

  1. iheartubuntu using Google Chrome 6.0.472.62 on GNU/Linux | September 21, 2010 at 2:07 pm

    It's a great idea really. I've also heard of just using the keyboard and coming up with a 3 or 4 character code. Let's say "DOG" and then you would follow in a hexagon around each key on the keyboard.

    DOG becomes something like... DrfcxsedO0plki9oGyhbvftg

    By capitalizing the D, O, and G then following around each letter and ending in d, o and g again gives a nice easy to remember password. A simple 3 digit word becomes a 24 digit passcode. Not bad and no need to carry any special cards around. Obviously you wouldn't want to use your own initials. You can go forwards, backwards, forwards... whatever you want! Plus numbers might be included making it even more secure.

    You can come up with tons of versions of this too. You can pick one left, one right, one up, one down for each character. DOG becomes DsfecOip9lGfhtb and on and on.

  2. Andrew using Google Chrome 7.0.529.0 on Ubuntu | September 21, 2010 at 2:09 pm

    You are right about protecting your passwords and having a different password for every website - usually the passwords are not cracked but guessed.

    I used to use a pattern for my passwords like: first 2 letters of the website, "#" if the website length is >=6 or "$" if it's <6, 4 letters from my username, the first and last letter of the website and the number of letters in my username + 20. This is just an example, there can be a lot of other stuff to use. I had this pattern written on a piece of paper without saying what it means or explaining anything obviously.

    Then I just used a GPG encrypted file and now I use KeePassX (and sync the database with Dropbox) because I got bored of waiting quite a few seconds to be able to log in to any website.

  3. Ted Wise using Safari 533.18.5 on Mac OS | September 21, 2010 at 2:31 pm

    Linux needs an answer to apps like 1Password, a password manager. Once you start using one it's very hard to go back. They integrate with your browser to remember and generate passwords as needed. As you've already discovered, the best way to use passwords is to generate site-specific ones. That's a laborious task to create and manage them unless you're using a password manager.

  4. Corfy using Firefox 3.6.10 on Windows XP | September 21, 2010 at 2:42 pm

    I use KeePass (on Windows), KeePassX (on Linux) and KeePassMobile (on my cell phone). They all can use the same file. All I have to do is remember my one master password. And anytime I need a new password, I just generate a random password.

  5. Shane using Safari 533.3 on GNU/Linux 64 bits | September 21, 2010 at 2:49 pm

    I wrote a blog post on creating a good password a while back. Maybe you'll find it interesting. http://drsjlazar.blogspot.com/2009/03/tidbit-creating-good-password.html

  6. Aaron using Google Chrome 6.0.472.62 on Windows XP | September 21, 2010 at 3:15 pm

    @iheartubuntu- A good idea, but what about remembering passwords for several accounts?

    @Andrew- I too use KeePassX for all my passwords. However, KeePassX brings more to the table than just passwords. Usernames, URLs, notes about the connection, etc. Further, KeePassX requires software built on top of infrastructure. The great thing about password cards is no software, hardware or infrastructure is required. Generate, print and store, and you're ready to go, regardless of whatever computer you sit at. It's entirely platform dependent too.

    @Ted Wise- Wow. http://agilewebsolutions.com/products/1Password looks horrible in my browser. But, if you want a single password manager for your browser, there are tons of options for that. The problem comes in when using public computers, as well as keeping the password secure and safe locally, as well as synchronization across browsers.

    Password cards work great, because they're 100% portable. They don't require any infrastructure to take advantage of, and remembering each password for each account is trivial. Plus, they extend well beyond the web, to local accounts for your computer, SSH/PGP/GPG keys, databases, etc. All you need is your card.

  7. Mark using Google Chrome 6.0.472.62 on GNU/Linux 64 bits | September 21, 2010 at 3:54 pm

    When I saw this, I got my hopes up that a site was offering smart cards like what some military and government sites use. If I could get a few blanks that were compatible with the card readers that I already have, that would be sweet. A little messing with PAM and BAM, all I would have to do to log in would be insert my card, click my name, and hit enter. Of course that wouldn't help with websites, but if an attacker can't get into the computer then he can't get to any stored passwords either. I keep my computers' hard drives encrypted so all I would have to do after that is force Chrome to store all my passwords.

    The password card concept sounds good, but if I ever use one, I think I'll just generate the card on my computer instead of using a 3rd party site. Perhaps by using the output of an ssh key generator or something and copying and pasting part of the output into OpenOffice or something.

  8. Mark using Google Chrome 6.0.472.62 on GNU/Linux 64 bits | September 21, 2010 at 4:01 pm

    A few of those other somethings being easyrsa, or gLabels. Pretty much anything that could come up with a good sized stream of random text or format it into a wallet sized card. Sure you won't get to replace your card unless you make a backup, but I know I wouldn't remember a random hex string a week or a month later anyway.

  9. Aaron using Google Chrome 6.0.472.62 on Windows XP | September 21, 2010 at 4:57 pm

    @Mark- Smart cards are awesome, but they require specialized hardware and software to work. These cards require nothing more than the computer you sit at and you. Also, remembering specific hexadecimal numbers isn't that big of a deal. After all, "1" is a hex number, as is "1337" or "deadbeefcafe". Just because it's a hex number, doesn't mean you have to accept the random string it gives you. Make it easy on yourself.

    Also, I have no problems with a 3rd party site generating the card for me. After all, they aren't collecting my name, email address, sites I visit, etc. Of course, they have my IP address, but if you're that paranoid, you can use HTTPS with Tor, and no one will know who you are or where you're at, and you'll have your card. At which point, you can delete the cache from your browser, or use your browser's "porn mode" to generate the card, and there's nothing locally to trace the card back to you. The only reason I would like to generate it locally is to have greater flexibility on the card options itself, like preventing the Euro symbol, or outputting non-Latin characters for Chinese or Japanese.

  10. ethana2 using Google Chrome 5.0.375.127 on Ubuntu | September 21, 2010 at 5:16 pm

    I just take English phrases and make my own 1337-derived filter on them.
    Here's an example
    heresanexample
    h3r354n3x4mpl3
    h3r354n34xmPl3

    Then I arrange my passwords in security tiers. Anything that can affect finances on one tier, everything else on another. Local machine and wifi passwords are formalities.

  11. Aaron using Google Chrome 6.0.472.62 on Windows XP | September 21, 2010 at 5:23 pm

    @ethana2- Careful. A common method of attack on passwords is using 1337-derived words from common dictionary words. Replacing 3 for E, 4 for A, 8 for B, 5 for S, 0 for O, etc. Unless you mix up your characters, and even then, you're more vulnerable than you think.

  12. Eric Lake using Google Chrome 6.0.486.0 on GNU/Linux | September 21, 2010 at 5:33 pm

    This is just brilliant. Thanks for posting it Aaron.

  13. anonymous using Google Chrome 6.0.472.62 on Ubuntu 64 bits | September 21, 2010 at 6:43 pm

    "How many times have you been told that you need to use secure passwords? This includes using uppercase and lowercase letters, numbers and symbols. You’re told to make your password hard to guess, lengthy and to not write it down. Further, you shouldn’t use the same password on multiple sites, but keep them all separate."

    This is what pwdhash.com can do.

  14. Aaron using Google Chrome 6.0.472.62 on Windows XP | September 21, 2010 at 8:01 pm

    @Eric Lake- No problem. I love it.

    @anonymous- Except again, this requires special software installed on specific computers. This isn't nearly as portable or reliable as a card in your wallet.

  15. iheartubuntu using Mozilla Compatible 5.0 on Ubuntu 64 bits | September 21, 2010 at 8:47 pm

    For me, the keyboard idea I've read about seems easier to remember than this system. It is easy to remember simple 3 digit codes like BUY for shopping accts and so on. Obviously you pick whatever 3 digit code you want, making it easy to remember.

    With the card system, you first need to carry a card around. You'll need to make backups. Then you need to store the card number itself in a safe place. After that... I can't imagine trying to remember 10-15 different websites all with different password lengths, direction of the passwords, plus the symbol and the color of each password. OK, one or two, no problem. But 15?

    Also, don't you have an uneasy feeling about no source code for generating the password cards? If someone else controls that, aren't you sort of giving them some proverbial 'keys' in a way? Let's say someone knows your logon name (facebook or whatever), but not the password, they are already halfway "in", aren't they?

    I admit I don't use any "system" for passwords (yet), but my passwords aren't exactly easy, using upper and lower case, asterisks, dollar signs, and numbers. I've yet to be hacked since when I first logged on.. 1993 or whatever. Social engineering is one of the first lines of defense IMO. Too many times I set up people's computers and their passwords are ridiculously simple... "4321", or "truck", "car1111" or their first name plus dog's name. Unbelievable. And then people are shocked they get hacked.

    Now, if only I could crack my PDF books I purchased from Amazon back in 2002! Nothing in Ubuntu has been able to crack them! Although I have all receipts, Amazon won't help, saying it's too long ago.

    Don't get me wrong Aaron! Anything we can do to secure our pages and generate better passwords is important and smart. We all have ways about it. You for example, have one up on my method... if you ever needed to give a password or recall it easily, you can just whip out your card and BINGO, figure it out. With my method, although no mental skill is required to type it in, I would almost need a keyboard in front of me to recall a long password.

  16. Aaron using Google Chrome 6.0.472.62 on Windows XP | September 21, 2010 at 9:07 pm

    @iheartubuntu- sorry about the line breaks not showing up. It only happens with Ubuntu users, regardless of browser. At first, I thought it was just the Firefox browser, but then I've seen Chrome affected as well. I don't know what the issue is. I've looked into it, made CSS changes, and done all I can to fix it, but to no avail. I wish it wouldn't happen.

    Now, if you don't mind me addressing each point you bring up. First, let me say that your system for generating passwords is pretty rock solid. The only potential flaw I see, is if someone knew your system, would it be difficult for them to get your password after a few tries? If I understand correctly, you pick a 3-character code, say "BUY". Then, for each letter, you type in the letters that circle it, right? So BUY would be (for me using the Dvorak keyboard):

    BxdhmUe.pyixkjYp456fdiu

    That's pretty intense, that's for sure, but isn't it predictable? I mean, they just need to guess from 8 characters to start from next to your letter, and circle either clockwise or counterclockwise. Of course, the likeliness of this happening is slim, I recognize. Also, what do you do for say, Amazon.com and Ebay.com? Would you use BUY for both sites? So, wouldn't this mean you have the same password for multiple sites?

    Again, I think your system is pretty rock solid, and deserves solid merit. However, I don't have any trouble remembering what column and color my password is for each account. I've got a dozen plus in memory, and it's trivial to pull out the card, if needed, and type away. Further, after using the card for the past few months that I have, I have many passwords themselves just memorized by heart. So, pulling out the card is becoming less of an issue. I will admit that it sucks initially though. Especially when you don't have your wallet immediately with you.

    I don't make back-ups with the card. I have a hexadecimal number that I know by heart. Should I need to regenerate the card, I can re-enter the hexadecimal number, print and shove in my wallet. And if the attacker has my card in his possession, it means nothing. Good luck figuring out the starting location for the password, the direction of the password, and the password length.

    About having an account username. I disagree that they are "halfway in". If they don't have your password, it means nothing. So what if they have your username? You have usernames with email addresses. user.name@gmail.com, and the username to the account is obviously "user.name". Yet, without the password, you're dead in the water. The username does nothing for you.

    At any event, we both agree that the stronger the password is, the more secure the account. And the more we can educate the uninitiated, the better off the Internet and system accounts will be. To each their own.

    At least your method doesn't require any special software or hardware (except maybe for remembering your password, you need to look at a keyboard (which would suck with my blank Das Keyboards)). I think a lot of comments are missing that point. This method is 100% platform independent. It doesn't require any special hardware (like Smart Cards) or software (like password managers). All you need is you, your card, and the computer.

  17. konrad using Firefox 3.6.10 on Ubuntu | September 22, 2010 at 1:44 am

    To keep all my passwords I use gpg encrypted e-mails for each account. With apg/pwgen I generated them, and store them as encrypted e-mails. Yes, I need access to a gpg enabled system, but it works for me. The most used password I remember.

  18. MarkC using Firefox 3.6.10 on Ubuntu | September 22, 2010 at 5:23 am

    Have a look at PasswordMaker (http://passwordmaker.org/). It fails the "print it and put it in your wallet" test, but otherwise it's got plenty of options:

    * Firefox/Opera/Chrome extensions so it's available in your main browser
    * Android/iPhone versions for use on-the-go
    * Online version, in case you're using someone else's machine
    * Self-contained Javascript version that you can put on a USB thumb drive and run on a browser, even without an internet connection (ideal if you're paranoid about using the online version)

  19. lo0m using Google Chrome 6.0.472.62 on Windows 7 | September 22, 2010 at 6:09 am

    To this day, I was using passwords like this. Pick a song name, e.g. Shine On You Crazy Diamond, which becomes ShOnYoCrDi, which becomes Sh0nYoCrD1 for example.. it is easy to remember, you can use your favorite album for password generation and no one cares if you have a back cover copy on your table..

    But as of now, I have my card, too.. :-)

  20. Mark using Google Chrome 6.0.472.62 on GNU/Linux 64 bits | September 22, 2010 at 7:44 am

    @Aaron
    I do have smart card readers for when I need to get something done after work. Now if only I didn't have to wait on Firefox in order to use them. The reason why I haven't set them up for login is that it would require me to use my government issued card. That could give the government access to my system if I used the government keys and trying to write my own onto the card would probably be a mistake.

    I do concede your point about any potential attacker having to guess your patterns. Especially that the site that generated the card would have just as much trouble cracking your passwords as the punk who stole your wallet.

  21. Aaron using Google Chrome 6.0.472.62 on Windows 7 | September 22, 2010 at 7:46 am

    @MarkC- Interesting concept. The infrastructure to generate your password is pretty intense. That's a lot to remember, in case you need to regenerate it.

  22. Aaron using Google Chrome 6.0.472.62 on Windows 7 | September 22, 2010 at 7:47 am

    @konrad- I also use a GPG encrypted mail for the starting location for each of my passwords. Just in case I forget where they started, if I have access to my email, I can decrypt the mail, and remember where it started. However, I haven't had to do this yet.

  23. Martijn using Firefox 3.6.10 on Ubuntu | September 22, 2010 at 7:54 am

    Hi Aaron, I got inspired by your blog post, and did this: http://martijn.sudo-s.net/node/80

    Feel free to let me know what you think of it.

    Kindest regards,

    Martijn

  24. Aaron using Google Chrome 6.0.472.62 on Windows 7 | September 22, 2010 at 8:11 am

    @Martijn- Ah, very nice. But, looking over your code (I haven't generated a card yet), are the cards completely random? You should probably generate a unique card for a given input of text, in the event you need to regenerate it should you lose the original.

  25. MarkC using Firefox 3.6.10 on Ubuntu | September 22, 2010 at 9:00 am

    Yes it's got an intense choice of options for increasing your password entropy, but they're pretty much all optional. The only thing I ever have to tweak is the character set for sites with restrictive policies. It would be nice if there was a means to hide most of the options, just so the thing doesn't look so imposing.

    Even if you're paranoid enough to change every setting, memorising them probably isn't any worse than learning the start point, direction and length of your card-based code once you get beyond a few sites.

    99% of the time I'm on my own machine, which remembers the settings for me. For the remaining 1% I can have them written down somewhere, on the basis that knowing that information isn't much use without the master passphrase anyway.

  26. LaserJock using Google Chrome 6.0.472.62 on Ubuntu | September 22, 2010 at 10:32 am

    I like the idea, but what do you do for keeping track of usernames?

  27. acathur using Firefox 3.6.10 on GNU/Linux | September 22, 2010 at 12:22 pm

    I've been a happy user of the LastPass service for about a year now; together with their extension for Firefox there's no need for anything else similar IMO.

  28. Martijn using Firefox 3.6.10 on Ubuntu | September 22, 2010 at 12:31 pm

    @Aaron,

    yes, it's completely random. Feeding it an input text is on the "todo if possible" list for a possible next release. Frankly I don't know if it can be (easily) done as is.
    OTOH, if you lose your gpg keys, you're screwed, so maybe people should just print 2 copies and store one in a safe place.
    Anyway, if anyone wants to amend the code, that's perfectly fine!

  29. Paul Kishimoto using Google Chrome 6.0.472.62 on Ubuntu | September 22, 2010 at 7:16 pm

    This is very neat indeed. I was doing something similar without even considering if anyone else had done it.
    My cards are hand-written, and instead of generating them from an input text, I have made duplicates that I store in a safe place. An alternate method would be to use, e.g. the Wikisource text of Hamlet's soliloquy on Yorick's skull as of such-and-such a date, run through base64, then wrapped at a certain width and truncated.
    Another thing — so long as the card is private, you can store an index of passwords ("google.com: dark blue smiley 10") in a non-obvious public place (e.g. a pastebin). In order to recover the passwords, someone needs both the card (or the method by which you generated it) and the index.

  30. Brandan E. Lloyd using Google Chrome 7.0.531.0 on Ubuntu | September 22, 2010 at 8:47 pm

    Steve Gibson of grc.com has an online Perfect Paper Passwords [1] solution available. This seems to do something similar. It allows you to customize the character set. He details the system in his Security Now! podcasts [2] [3] [4].

    Though his solution is not open source he lists a few open source implementations [5] on his site.

    1. https://www.grc.com/ppp.htm
    2. http://www.grc.com/securitynow.htm#113
    3. http://www.grc.com/securitynow.htm#115
    4. http://www.grc.com/securitynow.htm#117
    5. https://www.grc.com/ppp/software.htm

  31. Aaron using Google Chrome 6.0.472.59 on GNU/Linux | September 23, 2010 at 6:56 am

    @LaserJock- I never have a hard time for usernames, because I use the same one on practically every site. But, this card does fail at that. It's password-only.

    @acathur- Except, as discussed, that relies on special software to make possible. Software which you might not have when sitting at a different computer.

    @Paul Kishimoto- Yes, you could store how the passwords are found on a different medium, but I wouldn't recommend it if it's not encrypted. Knowing is half the battle, and if an attacker knows you have a password card, and figures out you've written down the locations to the passwords, you're screwed. If you never write that information down, and just keep it in your brain, he's screwed (unless he wants to physically beat it out of you somehow).

  32. Paul Kishimoto using Google Chrome 6.0.472.62 on Ubuntu | September 23, 2010 at 7:28 am

    @Aaron: part of the reason I've stored them is a "truck number" issue; I've used my password card for things that others might need to access if my brain, er, weren't available or functioning.
    As I said, the list is in a non-obvious place. Even if the attacker knows that it exists, its location is another in-my-brain detail. Only those to whom I give the list (or its location) AND the card (or the instructions to generate it) can produce the passwords.

  33. acathur using Firefox 3.6.10 on GNU/Linux | September 23, 2010 at 9:50 am

    @Aaron: it's a web service actually, all you need is a browser. (btw passwords are encrypted locally)

  34. Fabian Rodriguez using Firefox 3.6.9 on Ubuntu 64 bits | September 23, 2010 at 3:52 pm

    "...Because your wallet/purse is likely the most tracked item in your possession, minus maybe your kids..." you got that right :D

  35. ali using Firefox 3.6.10 on Windows 7 | September 25, 2010 at 10:24 am

    thanks

  36. Chris using Firefox 3.6.10 on Ubuntu | September 25, 2010 at 1:59 pm

    Hmm. 29 x 8 starting points x 8 directions. Unless you get real fancy with the sequencing, 1856 variations is a really limited search space, even for each length (of which 8-12 are most likely). Better make sure you don't lose your card to someone who knows your name.

  37. anonymous using Firefox 3.6.10 on Windows 7 | September 26, 2010 at 3:27 am

    It is not secure. It is not an infinite number of possibilities, and the number of possibilities is decreased considerably. Even the extended version of your trick won't give much. The possibilities for a 10 character password are, let's say, 80^10. The extended way would be going through a path of length 10 on the graph for the card. The possibilities for the starting point are 30*10, and for the next character you have 8 choices, so that will give 30*10*8^10. Even if one uses an even more extended version, it is still not good enough. You reduce the entropy of the password considerably by having the card.

    A secure password manager generating pseudo-random passwords with a strong master password is way better. One can use passwords which are practically impossible to find (passwords of length 128). The only problem with it is that there is only one point of failure: if someone gets your master password, everything is gone.

  38. Aaron using Google Chrome 6.0.472.62 on GNU/Linux | September 26, 2010 at 10:17 pm

    @Chris- No, not by a long shot. You're off by a factor of 10, a full order of magnitude, if you place the restrictions of the passwords that you do. You're assuming that passwords can only travel in straight lines, and that once you hit a "wall", you stop. If that's the case, there are over 11,000 unique passwords on a single card. Still, a small search space, but remove your restriction, and the combinations of unique passwords can get substantially larger.

  39. Aaron using Google Chrome 6.0.472.63 on GNU/Linux 64 bits | September 29, 2010 at 4:43 pm

    @anonymous- Okay. Let's start simple.

    1) Your password can be of infinite length given the password card, right? This means there are infinite choices of the passwords that the account could have.
    2) Entropy is generated much more quickly through password length, than with choosing more characters. Case in point, consider that you are only working with the standard English alphabet [A-Za-z]. Look at the entropy gained going from a 6-character password to a 10 character password. Then, look at the entropy gained by keeping the password 6 characters, but expanding the number of characters from [A-Za-z] to alphanumeric and punctuation. Much more entropy is gained as the length of the password increases, not as you change your character set for the password.

    Lastly, using password managers requires special software on special computers. No matter how it's implemented, it's not 100% portable. You are not guaranteed that you will always have access to your password manager on every computer you visit. You are with a password card.

  40. Sean using Google Chrome 6.0.472.53 on GNU/Linux 64 bits | October 3, 2010 at 3:15 pm

    If any of you are interested, I wrote a quick random password generator. http://password.generator.org.za It was just to see if I could do it. I would appreciate someone's feedback on it; criticisms and compliments welcome. But I must say password card sounds like a very unique idea. I like it.

  41. Jason Bunting using Firefox 3.6.12 on Windows 7 | November 29, 2010 at 4:13 am

    Sorry for the tome! :)

    Maybe someone addressed this in the comments, I currently don't have time to read them all.

    First: I currently use and love KeePass, and sync my KeePass database file between a handful of computers and my Droid using DropBox, as well as back it up via Mozy.

    Now that you know my bias, I will proceed.

    Quoting from http://passwordcard.org:

    ---
    "How does it work?

    Your PasswordCard has a unique grid of random letters and digits on it. The rows have different colors, and the columns different symbols. All you do is remember a combination of a symbol and a color, and then read the letters and digits from there. It couldn't be simpler!"
    ---

    Sorry, but "[a]ll you do is remember a combination of a symbol and a color?" Oh, is that all? And I am supposed to do that for all of the websites and computers I have accounts on? Improbable. I currently have a couple hundred passwords kept in KeePass, how am I going to "remember a combination of a symbol and a color" to replace each of those? Even if I only had 25 credentials to remember, that's quite a few - I don't want to fill my brain with that stuff, I would rather remember one master passphrase and let KeePass, or a similar app, remember everything for me.

    Besides, you have to then take into account the special exceptions, like websites that don't allow for very strong passwords. So much for remembering a single length! Then you will have those websites that don't allow you to use the username you are used to using. Bam! Another exception. I want the maximum protection, and I currently generate passwords, whenever possible, that are 16 characters long and can contain nearly any character a keyboard will allow me to type - especially since I never have to actually type the password, KeePass does it for me! And I generate a unique password for each and every website/server/etc. that I use. And my passphrase is not going to break under a dictionary attack, as it contains no recognizable words or even fake words (e.g. p@ssw0rd). Granted, if my master passphrase were revealed, guessed, etc., I would be done for. However, I don't see how that is going to happen easily. I rarely have a need to use any computer that isn't under my direct control on a daily basis, and when I do, I typically don't use my master passphrase for anything on such a computer. Again, I am rarely ever away from my personal computers/devices, and thus don't expose my passphrase to as much risk as one might otherwise.

    I don't know, I guess I just don't "get it."

    In a comment you said, "Lastly, using password managers require special software on special computers. No matter how it’s implemented, it’s not 100% portable. You are not guaranteed that you will always have access to your password manager on every computer you visit. You are with a password card."

    That one excerpt is full of red herrings:

    "Special software on special computers" - KeePass is open-source, implemented to run on the most common OSes (KeePassX for Linux/Mac), including mobile (iPhone, Android, PalmOS, Blackberry, etc.). I don't know how "special" this software is, especially if you have it installed or can get it installed rather quickly. Besides, isn't a physical card, in an abstract sense, a "special" material object? I think it is. In fact, if you don't have this "special software," you are up a creek without a paddle. Am I right? If you lose it, you have to get another, and hopefully you remember your hex key in order to get an exact copy (and hope the website is up and running - oops!). Well, how is that different from my having to download a "special" bit of software onto my "special computer?" Not much, if you ask me. Honestly.

    "No matter how it’s implemented, it’s not 100% portable." That sounds like a really good sales pitch, but let's examine it more closely: what aspect of portability is really that important to us when we are discussing the management of passwords that are going to be entered into a computer? I believe that, essentially, as long as we can get to it when we need a password, we can consider a password tool as satisfying the need for portability, right? I mean, what's the point of having it if we are not going to need it for a password? I can't see one. Maybe as a conversation starter? Novelty? :) With my KeePass data available to me via my Droid, I think I can consider it as portable as a card in my wallet.

    "You are not guaranteed that you will always have access to your password manager on every computer you visit. You are with a password card."

    Seriously?

    I used to use RoboForm (for over 5 years now) - but their current Android solution sucks (it uses a bookmarklet). However, they have this really cool solution for everything else - you can run it on your desktop, and anytime something changes, it syncs with the cloud via their website, where you have an account. So, I can be on just about anyone's computer, and as long as they have internet access, I can get to my passwords. And even if they don't, I can get to it with my Droid if necessary. Coming back to KeePass - so, I have KeePass on my Droid, which I keep within 10 feet of me nearly all the time, so I have, effectively, as much a guarantee that I will have access to my passwords as anyone with a PasswordCard does. Sure, I could lose my Droid, but you could lose your wallet; etc.

    Lastly, and I didn't see this done, let's actually quantify things a bit here:

    With KeePass, I need the software (1), my KeePass database (2) and a consistent secret (my passphrase, 3).

    With the PasswordCard, I need the card itself (1), an established/consistent password pattern (2), the hex key used to generate the card, in case I lose it or need another one (3), and my memory of which "combination of a symbol and a color" was used for a particular site/computer/etc. (4), as well as any exceptions to the established pattern, in those cases where a site or computer's password policy is restrictive in ways others are not (5).

    I hope I didn't miss anything; assuming I didn't, it seems to me that KeePass wins. Additionally, if we were to place a weight on some of these needs, I think PasswordCard would really lose - I mean, having to remember so many website + symbol + color combinations isn't a minor thing. The psychic weight of that alone is enough to dissuade me, I have a hard enough time remembering the soccer schedules of my two kids! Not to mention the fact that, if you were to sustain a head injury, you may really be screwed. My wife has access to my passphrase, so she could easily assist in recovering my passwords. But to try to get my wife to remember a bunch of website + symbol + color combinations that are not her own would be a big stretch. How do you backup the information needed to make a PasswordCard reliable?

  42. Aaron using Konqueror 4.5 on Fedora | November 29, 2010 at 5:05 pm | Permalink

    The problem with KeePass is its lack of perfect portability. While it can install on any of the major operating systems, it requires that you have access to the software. Inevitably, you are going to access your parents' computer, the computer at the library, school, or some other public establishment, and you might not have permission to install KeePass to get access to your DB (provided you can). If you NEVER touch another computer, this issue is moot. If you do, it can be a headache, if your passwords are actually strong (read: at least 72 bits of entropy).

    The PasswordCard requires your wallet. No software, no synchronizing DBs between computers (which can be a pain in its own right). Just your wallet. Also, I think you're making a bigger issue about remembering the location of your password than it really is. Consider the following passwords for the following accounts:

    Twitter: J^Q>Z++y_2$;
    Facebook: V@Fu!b5Ujrbx
    Gmail: j074q=YV]>Rw
    OS: n\R<cD$T|B7x
    Bank: keDsa,D7!)SE

    Now, you could remember each of those in your head, or you could remember that Twitter is the blue "!". Facebook is the white ":)". Gmail is the green "?". Your operating system password is the yellow star. Your bank is the green "$". For each password, you know you go left 12 characters, and wrap around the card if necessary. I can remember that. And should you lose your card, you have the hex number that securely generated it, so you can regenerate. Should someone get access to your card, they need to know your password length, the direction of travel and its starting location. Because the direction and path your password could take is infinite, there are infinitely many possibilities your card could take.

    Again, KeePass is sweet. I use both the Windows version and KeePassX with Debian/Ubuntu/Fedora, and keep my DB in a VCS for centralized synchronization. And the passwords I use on my card are in the DB. But, should I find myself in a situation where I don't have access to the software, I have my wallet with me, probably the most secure item on me.

  43. Aaron using Konqueror 4.5 on Fedora | November 29, 2010 at 5:07 pm | Permalink

    Oh, I should mention. They also have an Android app. :)

  44. rocky using Opera 9.80 on GNU/Linux 64 bits | March 9, 2011 at 12:30 pm | Permalink

    This password card is a "not so bad" idea. There are a few drawbacks that instantly come to mind:

    - Many websites put *cough*stupid*cough* restrictions on what characters can be used in a password (my bank website has a 6-8 numbers only password policy, can you believe this?), some don't let you choose your password. For those the card is pretty much useless.

    - Obviously losing the card would be a somewhat unpleasant experience, but what if the website is offline? Or the service closes? That would prove to be really unpleasant. We would be better off with an open-source card generator.

    - I type passwords often and regularly, so I like when it's quick and streamlined. Having to draw the card to read characters makes the process of password typing tedious and annoying.

    - You could apply the exact same logic to your keyboard layout, pick a key, length and direction(s), except that you don't need to remember the hexa code, the card or your wallet. (Or you could use your public gpg key instead of your keyboard layout).

    - The password card method makes little to no improvement to your memory skills (could even worsen your memory), whereas learning how your memory works and training it will not only help you with remembering passwords but also make for lots of improvement in your daily life. There are many guides (here's a starting point [1]) and techniques around; some are quick to learn, such as the pure link system [2], others take more dedication, such as the memory palace [3].

    [1] http://www.wikihow.com/Improve-Your-Memory
    [2] http://www.wikihow.com/Build-a-Memory-Palace
    [3] http://www.wikihow.com/Memorize-Lists-Using-the-Pure-Link-System

  45. Aaron using Google Chrome 11.0.686.3 on GNU/Linux 64 bits | March 9, 2011 at 3:39 pm | Permalink

    @rocky- Regarding your drawbacks:

    - The code powering the site is licensed under the GPLv3, and is available for download at https://www.passwordcard.org/algorithm.html. Implement it in your own server, if you are concerned with the main site going down. This is a recent update since I put up this post.

    - After drawing out your card a few times, you will begin to memorize the password. I rarely pull my card out anymore, as I have all the main passwords that I use committed to memory.

    - You could choose such a pattern on your keyboard, but such patterns are subject to scrutiny, and likely compromised. Instead, the characters on the card are securely and cryptographically chosen, so the likelihood of a collision approaches zero. Best to use secure random entropy over predictable patterns on a keyboard.

    - Yes. Improving your memory is great, but I fail to see how you not wishing to improve your memory skills is a fault of the password card.

  46. rocky using Opera 9.80 on GNU/Linux 64 bits | March 10, 2011 at 10:57 am | Permalink

    @aaron
    - About not having to draw the card after a while, depending on the password policy, you may have to change your password on a regular basis and you'd have to start all over again.

    - Losing the card being a single point of failure, I was looking for stuff that can't be lost, hence my suggestion of the keyboard layout, which has its own drawbacks, but which can be improved with little additional effort, such as doubling each letter (you said earlier entropy grows more quickly with password length) or turning every 3rd letter to uppercase or any other variation you can come up with. Probably not as good as the card, but it would add to unpredictability and entropy while only slowing the typing process a little.

    While discussing password strength, let's keep in mind that even the strongest password is no match for a keylogger or a session hijacker [1]; a secure password policy has to be part of password security. Relying only on password strength is usually a recipe for failure in the long run.
    Though it is worth mentioning that it all boils down to foreseeing what kind of threats you'll have to deal with [2].

    The memory improvement suggestion was part of finding a way to get rid of relying on an external support to remove this possible point of failure. What I meant was while there's no additional benefit from relying on an external support, there are several from improving your memory (to be able to remember the card content, or any other material related to your password). Though I realize not everyone will go the extra length of this kind of mind training.

    [1] as firesheep demonstrates http://codebutler.github.com/firesheep/
    [2] a related funny story told at defcon 18 of a stolen computer being recovered: http://hackaday.com/2010/12/25/a-hackers-marginal-security-helps-return-stolen-computer/

  47. rocky using Opera 9.80 on GNU/Linux 64 bits | March 12, 2011 at 11:32 am | Permalink

    I just figured out that if I'm vocal about this memory thing, it's because it seems to me that relying on an external support is a civilized way of managing passwords by making the process legible [1].

    Here is an explanation of why putting your trust in the card will not improve your memory, as Plato put it:

    “[Writing] will introduce forgetfulness into the soul of those who learn it: they will not practice using their memory because they will put their trust in writing, which is external and depends on signs that belong to others, instead of trying to remember from the inside, completely on their own…" [2]

    [1] http://www.ribbonfarm.com/2010/07/26/a-big-little-idea-called-legibility/
    [2] found that quote over there (worth reading btw): http://www.ribbonfarm.com/2011/03/10/the-return-of-the-barbarian/

  48. NetMage using Google Chrome 11.0.696.60 on Windows XP | May 6, 2011 at 5:13 pm | Permalink

    It seems to me a lot of people (and Aaron) are missing the obvious when it comes to limited character sets and Euro/Pound currency symbols: just skip (and don't count) any symbols that don't work in your path for the site in question, and substitute your currency symbol for any Euro/Pound symbols that aren't on your keyboard (why no Yen symbol?).

    I also think the other people's computer is completely a red herring - obviously having KeePass on your phone means you can use it anywhere, for any system.
    I also agree that your card being stolen means you should switch to a new set of passwords - unless you are using a really unusual set of travel rules, most people's use of the card will be simple - one of eight directions, bounce or wrap, 6-12 characters.

  49. Danilo using Google Chrome 12.0.742.112 on GNU/Linux | July 22, 2011 at 7:15 am | Permalink

    LastPass is pretty awesome. It integrates with your browser, the passwords are stored and encrypted locally, there are mobile apps and there is an online version.

    It also supports multifactor authentication, using either a YubiKey or a printout grid card.

    Of course you need to trust them about their software, but they seem to be very transparent, even with security problems (their servers were possibly exploited some time ago, so they e-mailed everybody and set up a password reset process). And you only authenticate once (you can change this behavior) and then get access to all the passwords.

  50. Aaron using Debian IceWeasel 5.0 on GNU/Linux 64 bits | July 22, 2011 at 7:32 am | Permalink

    Yes, people seem to like LastPass, even though they had a massive security breach not too long ago. Aside from their lack of security competency, LastPass isn't a truly portable solution. It requires downloading and installing software, whether it be your phone or your computer. If you use a computer other than your own, you may not have the permissions to download and install that software, leaving you without your passwords.

    Password cards are different here, because you carry everything you need in your wallet. There is no extra hardware or software required to get access to your passwords, they're secure, and highly obfuscated. It's 100% platform, hardware and software independent.

  51. Danilo using Google Chrome 12.0.742.124 on GNU/Linux | July 31, 2011 at 4:57 am | Permalink

    Aaron: That's not entirely true. You can connect to your passwords by using the browser, without downloading any tools. If you open your "vault" that way, the data gets downloaded to your client and decrypted using JavaScript, so your key doesn't get sent via the network.

    And concerning the "security breach" - they couldn't even confirm a break-in, it was just that a lot of data was transferred through their network, so they feared that something could have happened. In reaction to this, they instantly informed everybody about the problems and locked down all accounts, as long as the e-mail addresses weren't confirmed. As soon as you confirmed your e-mail, you could reset your password, or decide that it was strong enough to withstand a dictionary/bruteforce attack.

    Until now, I've been happy with their level of transparency, and I decided to trust them. Especially because there are various possibilities for multi-factor authentication.

  52. Aaron using Google Chrome 14.0.835.8 on Mac OS | July 31, 2011 at 3:50 pm | Permalink

    Danilo: To each their own. To me, storing your passwords in the cloud is an accident waiting to happen. Heck, substitute "passwords" for "data" as well. I don't buy into the whole cloud storage thing on many levels, but others do, so meh. It works well for you, and that's all that matters. Doesn't work for me.

    However, I didn't know that you could access your encrypted vault using the browser only, without any special software or extension to install. You say that JavaScript does the decrypting, without your key. I'm assuming that you visit the webpage, provide your account details, and your password is your key? Which was (hopefully) transmitted via HTTPS? Then your "vault" is available to you... how? Just on the web page, or stored in the clipboard, or something else? Curious.

  53. Danilo using Google Chrome 12.0.742.124 on GNU/Linux | August 1, 2011 at 8:26 am | Permalink

    Aaron: Here is an excerpt from somewhere on their website:

    When you go to a cyber-cafe or a new computer and login, first a hash is made locally to check if your account exists and your password is correct. If it is, then your data is downloaded and decrypted on the local computer you're using; this includes LastPass.com where it's done using JavaScript (that's why there is a delay when you first login).

    And here is an interview that explains how it works: http://www.techrepublic.com/blog/security/lastpass-is-it-the-password-manager-for-you/3291

  54. Aaron using Firefox 5.0.1 on Mac OS | August 1, 2011 at 11:07 am | Permalink

    TechRepublic: Could you describe how LastPass works, specifically the interaction between the local LastPass client and LastPass.com?

    Siegrist: LastPass installs an add-on in the browser to capture usernames and passwords as you enter them. The captured data is encrypted, saved locally, and sent to LastPass servers. That way access is not confined to just the one computer.

    So, it still requires an add-on in your browser. Which makes sense. Without installing a 3rd party utility, one way or the other, how does LastPass know to fill in my Google credentials when I am presented with their login form? You can't get around it. One way or another, software must be installed, in the browser or otherwise, and some people might just not have permissions to perform such an installation on the computer they're using.

  55. Danilo using Google Chrome 12.0.742.124 on GNU/Linux | August 2, 2011 at 4:46 am | Permalink

    Ah, yes of course, to auto-fill login fields you need the plugin. But you can still access the passwords and copy them without the plugin.

  56. Chtulhoo using Firefox 6.0.2 on Windows XP | September 12, 2011 at 11:53 pm | Permalink

    Another alternative I found: http://pcard.furies-innoruuk.net/ (yeah, the website name is... awful)

    The concept is the same but the rules for using the card are different.
    Some examples are explained on the site.

    I found the idea interesting and might give it a try.

  57. Brx using Google Chrome 17.0.942.0 on Ubuntu 64 bits | November 27, 2011 at 1:08 pm | Permalink

    I created a single HTML page app for password card generation that lets you use any keyphrase you want. It also prints the letters on both sides of the card, so you can have even more passwords. Please take a look and let me know: https://github.com/brx75/pwcardgen/tree/master/js

  58. seth using Google Chrome 21.0.1180.89 on Mac OS | September 10, 2012 at 10:08 pm | Permalink

    I can confirm that LastPass does not require any downloads whatsoever to access passwords. Once a week I access a work computer to deposit a check into my bank account (via scanner) and I do not have to install any plugin. I go to lastpass.com, enter my login and I'm in my vault. From there I copy and paste passwords. I actually also use the grid authentication (which is similar to the password card, but it changes every time), which protects me from any keylogger. Even if someone got my master password (created using diceware, so it's long), they would either need my grid, which is in my wallet, or my laptop. (Either of which, I'd miss)

  59. Jeff using Google Chrome 30.0.1599.116 | November 10, 2013 at 7:53 pm | Permalink

    I know this is an older article but I wanted to say thanks for writing it. It was very well written and helpful.

{ 4 } Trackbacks

  1. [...] the Ars Technica article mostly mentioned STORING your passwords, not how to create strong ones. I’ve already written about this before, and I think it’s the perfect solution. http://passwordcard.org is the exact solution for [...]

  2. [...] there is a nice site for me, or rather for others, [...]

  3. [...] system for using different passwords on every account. First, generate and print a password card. I’ve blogged about this before. Essentially, your passwords are stored in plain text on the card itself. You pick a row color and [...]

  4. Aaron Toponce : The Yubikey | October 30, 2012 at 12:18 pm | Permalink

    [...] Google released their two-factor authentication, I immediately enabled it. After discovering the Password Card, I’ve been using it religiously to select the passwords for all of my accounts. Just in case [...]
