It’s an example of security through obscurity, which is not the best choice. But as pointed out, you can make your own rule - for example, AMazon, use A->B and M->N; or even further, go 2 letters or 1 backward (ZL). Or use the second and third letters of the site. Or use 3 letters, but ROT forward for the first, and back for the second and third. Again, the point is to have your own rule and not tell the whole world. Then, a hacker has to break several passwords to different sites to determine the pattern you are using and predict other passwords, which is less likely with a single data breach. The more different people make up different rules, the more randomly unpredictable a person’s passwords will be to others. Plus, many passwords are found through dictionary attacks, so adding a random assortment of characters makes discovering passwords a lot harder.
I suppose too, the most important point is to make your email password most secure and different from the others, since a lot of sites will send an email as part of the “I forgot my password” process.
While you’re right, this card doesn’t really have value over that from a raw security POV, it does add value as a teaching tool for a large swath of the user base. Anything that gets luddites away from using dictionary words, birthdays and proper names is a net win, even if it doesn’t correct every weakness.
My personal gripe is that there isn’t a better established (and implemented) standard for password rules across sites. The most secure approach is to use auto-generated unique high-entropy passwords with a password manager, but I find that close to 10-20% of websites have some silly restriction on passwords that essentially force you to manually enter it. I’ve seen some disable auto-complete, use multi-step forms which break auto-complete, have in-app screens which password managers don’t recognize, put max length conditions in the 12-16 character range, force you to use capital letters, numbers, and some pre-defined set of less special characters. I’m sure there’s more, but all this noise makes it impossible for password managers to be truly universal which makes using them diligently hard.
I wish every site allowed you to use a long pass phrase. I find this to be the best compromise of security and ease of entry when I need to resort to typing i.e. when signing into my password manager. I also wish my stupid company didn’t block the installation of password managers as browser extensions and didn’t also force me to change my password every 90 days. It’s almost like they WANT people to use the dumbest possible passwords.
I’m probably being a bit pedantic here, but it does in fact generate “super strong” passwords, at least from an entropy standpoint. These passwords will be effectively impossible to brute force attack, which is inherently good. Where it falls down somewhat is in its ability to prevent engineered attacks, which is a valid concern. So I do think their marketing is worded in such a way that it’s honest and accurate. However the reality is that “strong passwords” /= “secure passwords”.
There are 2 key goals with password strength. First is protection from dictionary attack, and the other is lack of predictability. The QWERTY card is good for preventing dictionary attack. The important point here, though, is to prevent someone else from seeing your card, and having a secure spare copy in case you lose the card. The problem with good complexity is that it is complex, which is why some people have simple passwords.
By having a rule of thumb for customizing passwords per website, you also remove a certain predictability. At least one hacked website does not become a means for users to use your credentials on other sites… unless they know your rule for customizing. So make up your own rule (not too complex) and don’t tell anyone. There are a few simple steps that help - adding extra characters inside your default password removes a simple dictionary attack. A simple dictionary attack might try combinations that add up to 3 characters after all possible entries, so if the root password is not intact then the odds it will be found are much lower. (Assume a bit over 2^6 characters - upper, lower, digits, punctuation) so adding 3 characters to the end of every dictionary entry to test means 2^18 (250,000) different combinations for each entry - and typically there are about 100,000 words to try. At a certain point it’s not worth the time unless the target is particularly juicy for the attacker. Make it a phrase - i.e. Born2Bwild! - and the hack approaches impossibility.
If by “approaches impossibility” you mean “requires several hours, if given access to the hash”. Modern “dictionary attacks” include plausible combinations of words into phrases.
But the comparison here is reusing the same password across different sites. And a simple rule, especially one with some personal variation, is better than that.
Yes, something like this is no help if a malicious actor is targeting you personally. That’s not the case for the vast majority of people. Malicious actors are taking password databases extracted from low-value sites (forums, etc.) and using them with high-value sites (banks, etc.). They aren’t doing sophisticated processing of the passwords. They’re just trying to get some hits from people that had exactly the same password.
Two-factor helps, but if the password is the same as something that got harvested, then it’s equivalent to one-factor (with the one factor being the not-password). That’s not great. 2FA should have a strong password and a strong second factor.
I find this less credible. The number of variations when mixing and matching words, then throwing in abbreviations like 2 for “to” or “too”, random capital/non-capital, number for letter substitutions (4=A, 3=E, 1=I or L, 2=Z) the number of variations is quickly spiraling out of control. How many different versions of Born to be wild can you make up? Then again, refrain from using titles - how about Get your motor running? Shake it a baby now? Or How that music used to make me smile? Just far too many choices. The key is obviously to pick a good (more unguessable) choice.
The voice recognition password in a forgettable episode of Mission Impossible was “January Suborbital Denomination”. (Before they actually had such technology) What are the odds a dictionary attack would throw those together?
As long as they know the pattern, the rule - that can only be ascertained by seeing 2 or 3 different site passwords minimum. Everyone is free to make up their own variation rule, so it’s not like a fixed rule unless your IT department is beyond stupid.
From a friend who is deeper into electronic security than me, I’m told that any kind of common ‘leet speak’ h4x0r substitutions, and ‘still makes sense’ substitutions such as 3=E, 2=‘to’, B=‘be’ are now routinely included in dictionary attack methodologies; Born2BWild is not really much better than BornToBeWild.
True. The majority of attacks probably do not involve a human looking at passwords and trying to reverse engineer the user’s method for generating them.
Very low, because that’s not a plausible phrase. “January Suborbital Denomination” is in the same category as “Correct Horse Battery Staple”: Sets of random words concatenated. But “Born to be Wild” is not random words; it’s words chosen because they make sense together.
To try this out yourself, try typing both phrases on your smartphone. Autocomplete will help out a lot with “Born to be Wild”, so you’ll need very few keystrokes to type it. “January Suborbital Denomination” will need a lot more.
If a password database is downloaded the passwords won’t be subject to rainbow table or dictionary attacks. But that is about it.
Passwords are usually hashed rather than encrypted, so the weakness of partial matches of substrings is probably not exploitable.
However: There is a significant flaw. If the attacker knows that a card has been used, and is able to obtain just one clear text password this all goes south. An attacker seeing a plain text password might also be able to guess from the structure of the password that one of these cards has been used. The presence of say a dictionary word exactly 8 characters in from the start might be a giveaway. (So the user’s own private sub-password must be well formed, which is a weakness.)
If an attacker obtains a password, and knows it was generated by a card, they now have the space-bar code, the user’s private sub-password, and knowing the site the password was used for, they have a start on the substitution code for the site specific part. That is not good.
This is sufficiently weak that a standard attack automation system would reasonably use this pattern as part of its regime of possible attack combinations, whether they knew a card had been used or not. Once one password is known the security for other sites is very low, and diminishing.
My point was, by the time you try all possible combinations the number of permutations spirals out of reasonable limits. “borntobewild” contains 12 characters. Just trying every permutation of capital and lower case gives 2^12 possible choices. There are 4 vowels and an “L”, so another 2^5 possible Leet or Texting shortcut variations. We haven’t even calculated the effect of spaces (if allowed) or punctuation in the middle or at the end. And that’s just one random phrase. Born to be Wild could spawn “Get Your Motor Running” or “Get Out on the Highway” (Hiway?) “Lookin(g) for adventure” and “Goin My Way”. Not to mention words made from the first letters of a line or two.
The point being, if you don’t use your pet’s name or one word from the dictionary, if how you choose your password is unpredictable and you don’t cleverly tell everyone your system, if you add in sufficient random alterations… then it’s about as safe as something can be when it’s only a password.
A systemic alteration based on website name is as safe as the likelihood that a hacker won’t discover your trick - by hacking multiple sites. But then, if they’ve hacked the whole password, then a single password wouldn’t be safe. The other problem is that many sites make you sign up with them, even for something as mundane as news articles - so you need either one generic password or a system for customizing them - or a new password for every site and a way to remember them. I’ve already seen the reverse problem, that “remember my password” as a simple shortcut results in people forgetting passwords. If you’ve changed emails in the meantime, you are doubly screwed. Unless (as I’ve also seen) it’s your email password you’ve forgotten.
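To put numbers on the keyspace arguments in this post and in the earlier “2^18 per dictionary entry” post, here is an added Python calculator; it is not code from any commenter, and the 95-character set, the 100,000-word dictionary, the leet map and the offline guess rate are assumptions chosen to match the figures the thread itself uses.

```python
import math

# Constructed parameters, following the figures used in the thread above:
# ~95 printable keyboard characters, ~100,000 dictionary words, up to three
# appended characters, and the 12-letter phrase "borntobewild".
CHARSET = 95
DICT_WORDS = 100_000
GUESS_RATE = 1e10   # assumed offline guesses/second against a fast, unsalted hash

# Leet/texting swaps the thread mentions; only letters present in the phrase matter.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0"}

def appended_keyspace(words=DICT_WORDS, charset=CHARSET, max_extra=3):
    """Candidates for 'dictionary word + 0..max_extra arbitrary characters'."""
    return words * sum(charset ** k for k in range(max_extra + 1))

def mangled_phrase_keyspace(phrase, leet=LEET):
    """Every letter may toggle case; each substitutable letter may also be swapped."""
    letters = [c for c in phrase.lower() if c.isalpha()]
    case_variants = 2 ** len(letters)
    leet_variants = 1
    for c in letters:
        leet_variants *= 2 if c in leet else 1
    return case_variants * leet_variants

def random_keyspace(length, charset=CHARSET):
    """A password-manager style random string of the same length."""
    return charset ** length

def bits(keyspace):
    return math.log2(keyspace)

def worst_case_seconds(keyspace, rate=GUESS_RATE):
    """Exhaustive search time; the expected time is half of this."""
    return keyspace / rate

if __name__ == "__main__":
    for label, space in [
        ("word + 3 chars", appended_keyspace()),
        ("mangled borntobewild", mangled_phrase_keyspace("borntobewild")),
        ("random 12 chars", random_keyspace(12)),
    ]:
        print(f"{label:22s} {bits(space):6.1f} bits, "
              f"{worst_case_seconds(space):.3g} s at {GUESS_RATE:.0e} guesses/s")
```

At the assumed rate the mangled phrase (2^17 candidates) and the word-plus-three-characters space (about 8.7e10 candidates) are exhausted in well under a minute, while the 12-character random string (95^12) takes over a million years.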
And also makes it impossible for a human to remember, at which point you might as well use the random string of characters your browser auto-generates.
One problem with that card is that it uses special characters that might not be allowed on all sites. Frustratingly, some sites have a small, fixed set of special characters allowed in passwords, like !@%^ or something. Whatever special characters are printed on your specific card may or may not be allowed on the sites where you’re trying to log in.
That’s not really a problem with the card, though, so much as a problem with sites with idiotic password policies. There’s no good reason for not allowing all 95 characters on the keyboard (though, yes, I’m aware there are some reasons; they’re just bad reasons).
Or just follow it by a random integer between 0 and 4095. That’s going to be far easier to remember than embedding a random 12-bit number in the capital/lowercase state of the letters.
I think a lot of people here are making faulty assumptions about the threats of password cracking.
There’s almost no chance that any secret agent or any evil hacker is going to be looking at your cracked password by hand and thinking “aha, I figured out the pattern, I can figure out what this guy’s other pattern is”
The vast majority of lost accounts/hacking/password cracking relates to large scale automation. Some database gets compromised and they figure out your credentials on that site are someone@zzzmail.com password eyeholes5. So they use bots to try to log into thousands of other sites using someone@zzzmail.com/eyeholes5. When it works, they add your hacked account to a list and then do whatever malicious act they want - trying to steal your information, use your e-mail to send out spam, whatever. But no one ever looks at your password personally and tries to figure out if they can see a pattern to hack into your other accounts, they’re just throwing automation at the problem.
So if you have even a simple customization, like, say, you make your password eyeholes5amazon for amazon and eyeholes5ebay for ebay, that’s going to stop 99%+ of attempts of bots trying to use your account info from a compromised site to figure out what your credentials are on other sites. Humans would figure it out pretty quickly, but the vast majority of password cracking has no human intervention/insight.
Now, if you take that per-site customization and add a little twist to it - say, you put the last 2 letters of the site in reverse order - like “eyehole5ya” for ebay, that’s easy for you to remember but wouldn’t be obvious to casual human intervention. Or make up a more sophisticated twist that you’ll remember.
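The bot behaviour described in this post, one breached username/password pair tried once per account across a site, has a recognisable shape in a login log. As an added example (not the commenter's code), here is a Python detector run over constructed audit lines; the log format, the window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (timestamp, source IP, account, result).
# 203.0.113.7 sprays a breached pair across many accounts; 198.51.100.9 is a
# user fumbling their own password a few times before succeeding.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.9 bob@example.org FAIL
2024-05-01T10:00:05 198.51.100.9 bob@example.org FAIL
2024-05-01T10:00:09 198.51.100.9 bob@example.org OK
2024-05-01T10:01:00 203.0.113.7 someone@zzzmail.com FAIL
2024-05-01T10:01:01 203.0.113.7 alice@example.org FAIL
2024-05-01T10:01:01 203.0.113.7 carol@example.org OK
2024-05-01T10:01:02 203.0.113.7 dave@example.org FAIL
2024-05-01T10:01:02 203.0.113.7 erin@example.org FAIL
2024-05-01T10:01:03 203.0.113.7 frank@example.org FAIL
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Turn log lines into (timestamp, ip, account, success) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, acct, res = m.groups()
            events.append((datetime.fromisoformat(ts), ip, acct, res == "OK"))
    return sorted(events)

def stuffing_sources(log, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that hit many distinct accounts, mostly failing, inside one
    window; a few failures on a single account (a forgetful user) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in parse(log):
        by_ip[ip].append((ts, acct, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            accounts = {a for _, a, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"accounts": len(accounts), "attempts": len(span),
                               "hits": [a for _, a, ok in span if ok]}
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
```

The "hits" list is the useful output for response: those are the accounts whose owners reused a breached password and whose sessions should be reviewed.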
While I agree it is most likely better than the security practices of a lot of people, it is unbelievably weak. Coding this into a rainbow table is minutes of work, if the algorithm to generate the “space phrase” is leaked: All their clients credentials are compromised. This is not a robust solution.
Given that good password managers exist selling this is almost criminal.
People should use a password manager and 2FA.
‘30s crypto is not a replacement for that.