Image of the glider from the Game of Life by John Conway
Skip to content

Creating Strong Passwords Without A Computer, Part II - The PasswordCard

Previously, I used entropy as a backdrop for creating strong passwords. It's important that you read that article and fully understand it before moving on with the rest of the series.

Continuing our series about creating strong passwords without a computer, we look at a method I've blogged about in the past: The PasswordCard. The idea is simple: carry around a card with you, that has all of your passwords written down in plaintext, obfuscated with additional text surrounding the password. Let's look at it in more detail.

The Passwordcard Idea

The PasswordCard is a GPLv3 web application that generates a small credit-card sized card that you can fit into your wallet for password generation. The way you would generate a password is simple. Suppose you wanted to generate a password for an online account, such as an email provider. You could pull out your PasswordCard, determine a starting location, a direction, and a length, and use the resulting characters for your password. Because the PasswordCard is a two-dimensional table of characters, the direction of your password can take any direction, such as left, right, up, down, diagonally, spiral, or any combination of directions. Because the length of your password can theoretically be infinite, so too would be the search space, if someone were to get access to your card.

The PasswordCard uses the following character sets when generating a card on the site:

  • alphanumeric: "23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"
  • alphanumeric plus symbols: "23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ@#$%&*<>?€+{}[]()/\"
  • numeric: "0123456789"

As such, you can expect the following entropy sizes per character when creating a card:

  • Alphanumeric (55 unique characters): 5.78-bits.
  • Alphanumeric plus symbols (76 unique characters): 6.25-bits.

When checking the box "check this for an area with only digits", it doesn't change the search space for the already existing alphanumeric output that is default when loading the page. It only creates 4 rows of digits for easy PIN generation. Your entropy per character is only increased when checking the box "check this to include symbols".

A Practical PasswordCard

Before beginning, let's use a sample card to work from. This is card 7327e6c258cb3d52, in case you also want to generate it for following along:

Sample PasswordCard

To generate a password, you would need to pick a starting location for your password. You'll notice that there are 29 columns and 8 rows. The columns are identified by symbols, while the rows are identified both by a color and a number. For each account, all you need to remember are 3 things:

  • The starting location (should be different for every account).
  • The direction (should be the same for each account).
  • The length (should be the same for each account).

This should be easier to remember than "NyFScbUJ>X7j?", but your brain might be wired differently than mine.

Because this PasswordCard is using both alphanumeric and non-alphanumeric characters on the card, and our entropy per character is approximately 6.25-bits, and further, because we established that we need a minimum of 80-bits of entropy in our passwords, we should generate at least a 13-character password off of the card.

Some PasswordCard Direction Ideas

Most of those who are using the PasswordCard to generate their passwords, are probably just reading the passwords left-to-right. I would not recommend this, as it's the lowest hanging fruit for an attacker, if they have access to a hashed password database, and your password card. Instead, I would recommend doing something non-standard for the password direction. Let's consider a few examples, each of them starting at ⊙4 on the PasswordCard:

Wall Bouncing

When hitting a wall, when either travelling diagonally or otherwise, when you hit a wall, you could "bounce" off the wall much like a pool ball would when playing billiards:

Sample PasswordCard showing a path bouncing off of the walls.

In this case, the password would be "f+zwWYB[5\C<u".

Wall Bending

Rather than bouncing off the wall like pool balls, you could "bend" along the wall, much like turning a corner when driving on a street:

Sample PasswordCard showing a path bending along the wall.

In this case, the password would be "f%efcEBnNQk7\".

Pac-Man Walls

Another alternative would be to treat the walls as a topological spheroid, much like Pac-Man. In other words, when you come to the edge of the room, you travel out the other side on the same row, or the same column, continuing in your direction:

Sample PasswordCard showing a path Pac-Man might take when traveling to the edge of our wall.

In this case, the password would be "f+zwrpt9n2B&y".

Spiral paths

My last example shows a spiral path, starting from the same location as the previous examples, this case moving clockwise:

Sample PasswordCard showing a spiral path.

In this case, the password would be "fY+%FqvGYerrz".

As a strong suggestion, whatever direction and length you take for your passwords, you should keep them consistent. If you decide to do a 13-character clockwise spiral for one account, you should do a 13-character clockwise spiral for all of your accounts. The only thing changing is the location of the password. This will greatly simplify identifying each password for each account. If you change up the lengths and directions, and well as the starting location for each account, you run the risk of having a very difficult time finding the correct password for that account. If your brain has that mental capacity, then the more power to you. Otherwise, I would keep it consistent.

A Couple Thoughts

The nice thing about the PasswordCard, is that all of your passwords are already written down for you in plaintext. However, if a password cracker were to get access to your card, they would need to know which starting location belongs to which account, the direction the password takes, as well as the length of the password. This is too many variables for an attacker to make efficient use of his time. His time would be better spent taking the character sets off of the card, and building an incremental brute-force search. Provided your password has sufficient entropy, you will likely thwart the attack.

There are a couple disadvantages with the PasswordCard, however. The first is that this is not well suited for the blind. Unlike Diceware, which can be easily adapted for the blind, this is a bit more of a challenge. While I'm not asserting that it's impossible, it certainly seems difficult to practically reproduce. The second disadvantage is the use of the "€" euro symbol. The PasswordCard is developed by a Java developer in the Euro Zone. While it makes sense for him to include the character, it alienates those that don't easily have access to it on their keyboards, such as those using the basic ASCII character set. As such, you may want to refresh your browser, generating random cards until you find one without the "€" character in its output.

Lastly, you will definitely want to print a second card, and keep it somewhere safe as a backup, should you lose the original. Keeping the card in your wallet or purse makes the most sense, as your wallet or purse is likely the most protected object in your possession, next to your phone and keys. But, should you lose the card, you will want to get access to your passwords, which will mean getting access to your backup copy.

Conclusion

I personally like the PasswordCard. It's simple, small, and doesn't require me to carry a lot of items with me, such as dice and a large word list. My only concern is being able to choose a new starting location for each account. I'm not as random as I would think when finding a starting location, so I wrote a script to handle that for me. But it's clean, out of the way, and works really well. When I don't have an account password memorized, I can pull out the card, remember where it starts, and just start typing. Generation is quick, and remember password locations is easy. Highly recommended.

{ 5 } Comments

  1. Aaron | May 2, 2014 at 12:23 pm | Permalink

    If an attacker acquires your card, there are only 224 possible starting positions. If we assume the user limits direction possibilities to the toroid pac man style universe, there are 8 possible directions. Assume the user uses 1 to 16 characters. That's 224 * 8 * 16 possible passwords to brute-force. Add in the two spiral possibilities, and that only quadruples the search space. The other wall bounce, wall-bend options only increase the search space a little. Conclusion: IF your password card is discovered, brute-force search space is going to be VERY SMALL.

  2. Aaron Toponce | May 3, 2014 at 7:36 am | Permalink

    Your math is a little off, but you are correct. The search space is small. Probably half million, give or take. However, you are forgetting that if the card is lost then found, the attacker needs three things:

    1. Your account.
    2. Your username.
    3. Your password. (which he just found)

    For #1, this is possibly easy to find given they might have your wallet and can search for you online. If you're like me, you are very visible on the Internet and easily searchable. Finding many of my accounts shouldn't be difficult. Unless you left your card on the table at Starbucks, or at the library, in which case you're anonymous.

    For #2, they absolutely must know #1. For sites that allow you to recover your username, they'll email the account tied to the username, email an alternate account, call a phone, or ask security questions. If you are like me, you'll lock the security questions down, making them impossible to recover for an attacker - https://pthree.org/?p=2338. In the other two scenarios, you'll be notified someone is trying to recover your account.

    Finally, all 500k passwords must be tried for each online account once you've successfully identified which accounts and usernames the person owns. Many sites will lock accounts after a number of failed password attempts. This is assuming that the account does not support 2-factor authentication and that the user is not taking advantage of it. The 2-factor auth list is growing daily. See http://twofactorauth.org.

    The only value this password card has to an attacker, is in offline attacks, such as password database leaks, and that's assuming you have an account with the database used on the offline attack. Online attacks are just too ineffective and require too much time.

    So, while you're right the search space is small, the security really isn't compromised all that much for the convenience that the card provides, and there are extra measures you can take to secure your account, such as using 2-factor auth, hashing security questions, and keeping additional email addresses and phone numbers up-to-date.

  3. Jack Zielke | December 4, 2014 at 12:15 am | Permalink

    I like the idea of PasswordCard but I do not like the idea that the key is logged in his web server logs (key is in the get request). If you use the default non-ssl site any caching proxy between you and his server will also have the chance to log the key.

    He has the Java code freely available on the web site so you can generate the cards locally. If you do this you end up with text output in a terminal instead of a colorful card. I wrote a page in PHP that will generate a card that looks really similar but without handing the key to other people (if you run it locally). Running it from my site is no better!

    https://litterbox.boomkitty.com/pass/
    Go there, download card.tar.gz, decompress it on a local web server, enjoy your locally generated card. You can still go to passwordcard.org and generate the same card if you need to.

    I also added a passphrase option/suggestion.

  4. Peter Kreutzer | May 2, 2015 at 10:50 am | Permalink

    trying to get this code running on my home linux web server.
    have decompressed the archive
    -rwxr--r-x 1 root root 4619 Nov 25 18:49 card.php
    -rwxr--r-x 1 root root 5340 Nov 26 21:15 index.php
    -rwxr--r-x 1 root root 7680 Jul 20 2011 PasswordCard.jar
    -rw-r--r-- 1 root root 3107 Nov 24 05:21 template.png
    and can access it on the webpage.

    unfortunately the card stays empty when pressing generate button.
    i have checked the jar code on the server. So java is installed and card is printed on the stdout.
    Any idea what i am doing wrong

  5. user1 | April 3, 2016 at 1:01 am | Permalink

    @Peter Kreutzer

    Did you ever get this to work?
    I am experiencing the same problems as you describe??

Post a Comment

Your email is never published nor shared.