So it’s a card the size of a credit card, printed with a simple substitution cipher for the 26 letters of the alphabet, laid out like a QWERTY keyboard, plus a unique static string printed in the place of the space bar.
The idea is that you use this to create passwords for the sites you are logging into, by compounding:
The ‘spacebar code’ (so that part will be the same every time)
A secret word, ciphered using the card (not obliged to be the same every time, but you can bet users will use the same secret word every time)
The name of the website, ciphered using the card
Maybe it’s just me, but this seems like a terrible idea. Sure, it creates a messy-looking long password that looks like the sort of thing that strong passwords look like, but two thirds of the password characters are going to be the same for every site, and the remaining one third has a meaningful and consistent relationship to a guessable string.
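A small model of the scheme described above, as an added example that is not code from the original post or from the Qwertycards product itself (the card alphabet, spacebar string, secret word and site names are all constructed): it builds passwords the way the card prescribes and measures how much of each password is identical across sites.

```python
import string

# Constructed stand-in for one Qwertycard, not a real card: a shuffled alphabet
# defines the letter substitution, and a fixed string stands in for the spacebar code.
CARD = {
    "cipher": str.maketrans(string.ascii_lowercase, "qwertyuiopasdfghjklzxcvbnm"),
    "spacebar": "Xk7p2Qa9",
}

def card_password(card, secret_word, site):
    """Compose a password the way the card prescribes: the spacebar code,
    then the ciphered secret word, then the ciphered site name."""
    cipher = card["cipher"]
    return card["spacebar"] + secret_word.lower().translate(cipher) + site.lower().translate(cipher)

def fixed_fraction(card, secret_word, site):
    """Share of the password that is identical for every site when the user
    reuses one secret word: everything except the ciphered site name."""
    fixed = len(card["spacebar"]) + len(secret_word)
    return fixed / len(card_password(card, secret_word, site))

def common_prefix_length(a, b):
    """Length of the run of leading characters two passwords have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def site_part_is_consistent(card, secret_word, site_a, site_b):
    """True when the same plaintext letter in two site names always lands as the
    same password character: the substitution is fixed, so the site-specific
    tail is a letter-for-letter image of a public string, not fresh randomness."""
    off = len(card["spacebar"]) + len(secret_word)
    pa = card_password(card, secret_word, site_a)[off:]
    pb = card_password(card, secret_word, site_b)[off:]
    for i, ca in enumerate(site_a.lower()):
        for j, cb in enumerate(site_b.lower()):
            if ca == cb and pa[i] != pb[j]:
                return False
    return True

if __name__ == "__main__":
    p1 = card_password(CARD, "tiger", "shopsite")
    p2 = card_password(CARD, "tiger", "mailsite")
    print(p1, p2, common_prefix_length(p1, p2), round(fixed_fraction(CARD, "tiger", "shopsite"), 2))
```

With the constructed card, both 21-character passwords share their first 13 characters, and the remaining 8 differ only where the public site names differ letter for letter.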
Pretty much (I mean, it’s not ROT-13, but it’s more or less as good as that), and their pitch appears to be ‘look, the passwords are, like, long and also they are, like, random because we use a random number generator to make the cards’.
Most people use a short combination of a dictionary word or two with a number or special character added, and reuse it all over the place. Using this card is way better than that.
The attack you’re implicitly describing against this card would require the bad guys to have collected my username (e.g. my email, so not too secret) and my PW from several sites, at least one of which would have had to store them insecurely enough that they could be reversibly decrypted.
Armed with one or, better yet, two PWs in the clear, they could then attack the rest pretty easily, assuming they knew I was using QWERTYCARD as my PW rubric.
The problem with password insecurity is not that people pick crappy PWs, though they certainly do pick crappy PWs. It’s that they use the same PW on multiple sites (or, equivalently, use their FB, Google, or Apple creds as universal logins on multiple sites).
All of those errors mean one compromised site or PW gives the bad guys the keys to your whole kingdom.
To the degree QWERTYCARD succeeded in getting people to use unique PWs, it’d be a net gain right there. Even if those PWs are less than fully cryptographically strong. It’d be usefully increasing the total strength of the user’s portfolio of PWs. My PW vault has just under 300 PWs in it. Duplication is a big problem for many people.
But as you say, as to any single PW on a single site, the tool gives a larger impression of improved security than it delivers actual improved security.
Indeed. That doesn’t seem to be much less secure than these Qwertycards, but it’s a lot easier and cheaper.
In my view, these cards create a fake sense of password strength. You think you have a good password because it’s an unintelligible string of characters, but from a real security point of view it’s very weak. The spacebar code is the same for all websites, so you’re importing all the problems from multiple use of the same password across sites. Most likely the same for the secret word, which will, for most users, not only be the same across all websites but an easy-to-memorise (and hence easy to crack) string. And the encryption of the name of the website is a simple substitution, which is, cryptographically, as weak as it can get.
An evildoer who gets access to a user’s Qwertycard will have little trouble getting access to pretty much all log-in credentials of that user across websites. So you need to take good care of that card. But then you can just as well write down your passwords in plain text on a piece of paper and carry that with you.
Yep, that’s the point exactly: it’s like the advice that was in circulation as little as a couple of years ago about using an easy-to-remember word and swapping out some letters for numbers (mypassword becomes myp455w02d). It provides only the feeling of security, which is actually counterproductive, because feeling secure stops people from seeking more actual, real security.
My guess is that if people use these cards at all, they’ll just use the spacebar string as their password. That is much easier than doing all of the manual cryptography.
On the other hand, anything that can get people to use a different password for different logins will greatly increase security.
Another problem that I see with this technique is that it disincentivises periodic changes of passwords. As long as you keep the same card, which I suppose most users will do for a long time, changing your passwords requires finding a new “secret word”, something which, I suppose, most users won’t do on a regular basis. So they’ll be stuck with the same log-in credentials for a long period of time.
Do they? I realise that what is considered good practice in passwords varies over time, but I thought the advice to change them periodically is still maintained. What’s the theory behind advising against that? The idea that frequent changes make people pick bad passwords out of sheer laziness or forgetfulness?
For diligent people using a PW manager, regular changes are harm-reducing. But for people doing it the old-fashioned way with human memory and index cards, frequent changes are harm-producing.
A lot of advice has not kept up with the times. Then again, I suspect PW manager use is still down in the single digits percentage of all internet users.
Yeah, the latest advice is that frequent password changes mean that people are nearly always in that phase where they are still adjusting to the new password, and they react to this by choosing simpler passwords, or ones that are easier to remember because they have meaning (which means they are prone to attack by guessing), or they write the password down and keep it close to the computer.