To echo what others have said, password rotation is actually a good idea for those who use password managers. A couple of years ago there was an idea floated to make a well-defined API standard that would allow you to change your password. Then managers could automatically change your passwords for you at every site that implemented the standard.
Still, it’s a pain and I grumble every time I have to do it.
I don’t think this is a completely terrible idea. Long, truly random passwords with a password manager or simply writing them down in a secure place are better, but those things aren’t always possible. Likewise, password phrases provide good strength but many sites have length limits.
The main thing this fights are dictionary attacks. People pick dictionary words as their passwords because they’re easy to remember, but this of course makes them easy to guess. People do common substitutions like O->0 and I->1, but these are also easily guessed. It comes down to entropy: an ordinary dictionary word has maybe 10-12 bits of entropy, and adding a few substitutions adds a couple of bits at most.
The random scrambling of this card means that simple substitution attacks no longer work. Arguably, most of the value of the card comes from it simply being a good password in and of itself, but the fact that it allows producing variants easily means you can have unique passwords between sites. It would require several compromised sites with plaintext passwords before an attacker could really reverse-engineer your card.
So I would say that while it’s not an ideal solution, it is a meaningful improvement over the usual approach. It’s only $7, not like a huge cost anyway.
You still need to keep the Qwertycard just as secure as a card that has your passwords written down on it. If someone gets access to your Qwertycard, then the only thing between that person and all your log-ins is your secret word, and that is not a lot. So if the Qwertycard algorithm requires you to keep the card secure, then why import all the other problems that you don’t have with random passwords written down in plain text?
Not a lot, but perhaps enough. A card with full passwords can be exploited by any random thief. It’s not hard to guess typical usernames and email addresses given the other information in a wallet (and they might have been written down as well). But exploiting this card requires specialized knowledge. Yes, if you put it in the hands of a security specialist, they could whip up a decoder and perform a normal dictionary attack in no time flat. That’s just not a likely scenario. And there’s a limited time to get the card to a specialist before the victim realizes they’ve lost their wallet and starts changing their important passwords.
According to the OP’s link, the makers of Qwertycard also offer an “enterprise edition” of the product, which is a pack of a hundred unique cards for companies to distribute to their employees. I wonder how well that sells. I would imagine that any IT department worthy of that name would strongly veto the roll-out of these cards across the company.
Also if people are writing down their usernames and passwords, six weeks might represent the sort of duration after which they stop caring so much about the security of the written record (because they have by then memorised the content), so I guess there’s a weak justification for frequent change just so that carelessly stored written versions would likely be irrelevant.
If their target market is incompetent IT departments, they’re going to make a mint. One place I worked, I kept getting my passwords rejected because they “do not meet length or complexity requirements”. So I kept on making it longer and more complex… until I finally eventually just told it to reset the password itself. It turned out that the “length and complexity requirements” consisted of “must have exactly six lowercase letters followed by one digit, and no other characters”.
Another place, they kept on telling us about making our passwords as long as possible, and using uppercase, lowercase, digits, and special characters… but all the system would actually accept were six-digit numbers (defaulting to the user’s birthdate).
Wow, that is so bad that I have a hard time believing that was the original intent. I.e. the error message is wrong. Maybe they meant that you can’t duplicate your own pw.
But then there really are programmers that are that dumb.
I think they must have decided it would be good to constrain the database field where they were storing the passwords (no doubt in plain form) to unique values - which would throw an error any time any update tried to create a duplicate, and rather than interpreting this as a design flaw, they just wrote a handler to show a human readable version of the DB error. Can’t prove that obviously, but that’s my hypothesis.
I teach my clients a variation on this using the first letters of a phrase and first and last letters of the name of the site plus an easily associated number that changes (age of oldest child, the age of a S/O…)
So a phrase: The Babylon Project was our last best hope for peace.
so for amazon it might look like
AtbpwolbhfpN25
The capital letters are the first and last letters of the name of the site. You can step it up a notch by replacing characters with symbols in the phrase, like a t becomes a plus, a=@, s=$, but this is still something that creates easily memorable gibberish-looking passwords. A favorite movie line, a bible passage, anything that sticks.
As was mentioned above, far from bulletproof, but better than 95%+ of what people do.
The typical “change your password” that I encountered in corporate IT was 3 months. Too often and you always had problems with forgotten pws and lockouts.
The main problem with regular password changes is that people develop a system that becomes predictable. One place kept 30 iterations of password history, so passwords became like Fluffy-Cat01, Fluffy-Cat02, etc. Repeat after 30. Teaching people to come up with a password not prone to dictionary attacks and remember it - better. 2-factor is best, except that if you lose your phone or forget it at home, you are helpless all day. (Oh, wait - that’s true anyway, nowadays)
Another problem is - every site wants a password. Either you have a big long list, or you reuse the same word. Simplest system I saw was - for sites where security is less important, have one password. (i.e. discussion boards… ) For sites with more personal information, have another password (i.e. medical sites). For sites that deal with your money, email, or other highly highly dangerous matters, have a third password or better yet, customized passwords. Be sure none of these different levels of passwords are relatable to each other. (I.e. if the generic pw is “Sunny2Day!” don’t use “Cloudy2Day!” for the other password…)
The QWERTY card seems like a good idea on top of proper password management - but since I’m not a touch-typist, it would be much more work to encode/decode. Unless you eventually memorize your password (harder with regular changes) decoding every time would be a pain. I suspect the effort would cause people to choose simpler, more easily guessed source passwords.
The major benefit as pointed out is that it obfuscates dictionary attacks - but would still need a well-formed initial password. It reduces dictionary to trying every combination - AAAAA, AAAAB, etc. I assume each person gets a relatively unique card. To decode the card, the hacker would need a good assortment of coded passwords - usually they only get one. Best strategy is to somehow get a copy of the user’s card. Another point is it assumes that a limited number of people use the cards, so a minor form of “security through obscurity” which is not a durable strategy.
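A defender-side counterpart to two points raised in this thread, the leetspeak substitutions that add only a couple of bits and the Fluffy-Cat01/Fluffy-Cat02 rotation pattern: an added example (not code from any poster or from Qwertycard) of a password-change check that undoes common substitutions before a dictionary lookup and rejects a new password that is just the previous one with a new number on the end. The wordlist and the sample passwords are constructed.

```python
import re

# Constructed stand-in for a cracking wordlist; a real check would load a large one.
WORDLIST = {"fluffy", "cat", "sunny", "cloudy", "day", "password", "babylon"}

# Common substitutions (O->0, I->1, a=@, s=$, t=+ ...), undone before the lookup.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "+": "t", "!": "i"})


def core(pw):
    """Drop a leading/trailing digit run ('Cat01'), lowercase, undo leetspeak."""
    return re.sub(r"^\d+|\d+$", "", pw).lower().translate(UNLEET)


def dictionary_words(pw):
    """Dictionary words left once substitutions are undone: 'Fluffy-C@t01' -> ['fluffy', 'cat']."""
    parts = re.split(r"[^a-z]+", core(pw))
    return [p for p in parts if p in WORDLIST]


def is_increment_of(new_pw, old_pw):
    """True when new_pw is old_pw with only the trailing number changed."""
    if new_pw == old_pw or not re.search(r"\d+$", new_pw):
        return False
    return core(new_pw) == core(old_pw)


def check_change(new_pw, old_pw=None, min_len=12):
    """Reasons to reject a proposed password; an empty list means accept."""
    reasons = []
    if len(new_pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if old_pw is not None and is_increment_of(new_pw, old_pw):
        reasons.append("previous password with a new number on the end")
    words = dictionary_words(new_pw)
    letters = re.sub(r"[^a-z]", "", core(new_pw))
    # Mostly made of dictionary words: a substitution-aware dictionary attack finds it.
    if words and sum(map(len, words)) >= 0.8 * len(letters):
        reasons.append("dictionary words under substitution: " + ", ".join(words))
    return reasons


if __name__ == "__main__":
    for new, old in [("Fluffy-Cat02", "Fluffy-Cat01"), ("P@$$w0rd1", None), ("Tq8#vRm2!kWz", None)]:
        print(new, "->", check_change(new, old) or "accepted")
```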
A similar example of security through obscurity. But again, it needs the hacker to understand the pattern, so explaining it may not be productive - and the more people who know the same “one simple trick” the less it looks like a clever trick. In, say, a work situation where you tell everyone the same trick, it may become easier for malicious coworkers to guess each others’ passwords.
It’s a simple rule that produces repeatable results, and is likely to be different between different sites. The goal is to produce passwords that are unique per site, so that breaking one of them doesn’t break all of them.
The rule would be worthless if everyone used it, but not everyone uses it. As the joke goes, you don’t have to run faster than the bear; you just have to run faster than your friend.
At the least, it does add a couple of bits of entropy. There will be a few variations of the rule and a hacker would have to try all of them. Better than nothing (though nowhere close to as good as totally random PWs from a password manager).
As has been said, I am certain that for people of a certain naiveté level, this gizmo will be a vast, vast improvement over whatever they’re doing now.
But all of it is useless when the scammer calls up your mom and she just gives away her SSN, bank account numbers, and everything else. Short of taking away the computer and ripping out the phone lines (and the doorbell, I guess), I haven’t found a solution for that one yet. Worrying about password strength can seem a bit quaint.
But they’re unique in a way that actually helps a malicious actor to determine where they should be tried, if the list ever falls into the wrong hands.
I agree that this is a fair point of view. Still, I find the advertising of the makers of this card misleading. They’re selling it as a secure device that produces “super strong” passwords; they’re not selling it as something that produces “rather weak passwords, but still an improvement for those who are doing even worse so far”, which would be more accurate.