I found this site yesterday and absolutely jumped at it: Your PasswordCard
The intention of the card is explained on the page, but I’ll recap it here: when you load the page, it generates a matrix of random numbers, letters (both upper and lower) and optionally symbols. By picking a character somewhere in the matrix and counting off a certain number of characters, voila! You have a perfectly random password.
You can then print out the card and freely write down the starting location and length (and even direction) of the password, storing it anywhere you like. The only way it will make sense to anyone is if they have access to the card. I could mention here that my bank’s password is yellowstar7 and it would mean absolutely nothing without the physical card (or the 16-character seed, but if you’ve got that then you’ve probably got the card anyway). And, of course, a single card is useful for many, many unique passwords.
Password management software is more convenient than looking up a code on the card, but it’s also at risk, as is any computer hooked up to the internet regardless of security measures. I’ve always been leery of trying it for that reason. Additionally, if I needed to access a website when I’m away from home, I’d be screwed. While I could keep a list in a cloud, like Google Docs, that obviously has its own issues. Having this little card solves all that, as I can keep the card in my wallet and put a list of password directions in the cloud without worrying about it becoming compromised. Plus, it has the added geek bonus of looking like something out of an adventure game.
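The card mechanism described above, modelled in code as an added example (this is not passwordcard.org's own layout, seed format or generator; the colour and symbol headers, the grid size and the seed string are all constructed for illustration). It generates a card from a seed, reads a password off it from a remembered start cell, length and direction, and then counts how many distinct passwords a card can yield at all, which is the part that is left to guess once the card itself is in someone else's hands:

```python
import math
import random
import string

# Constructed model of a printed password card: each row is labelled with a
# colour, each column with a symbol, and every cell holds one random character.
# Illustration only; the real card's layout and generator are not modelled here.
COLORS = ["red", "orange", "yellow", "green", "blue", "purple", "pink", "grey"]
SYMBOLS = ["star", "circle", "square", "triangle", "diamond", "heart",
           "moon", "cross", "sun", "arrow", "key", "anchor"]
ALPHABET = string.ascii_letters + string.digits
DIRECTIONS = {"right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0)}


def make_card(seed):
    """Build the card grid deterministically from a seed string.

    The same seed always gives the same card, which is what lets a lost card be
    reprinted; it also means whoever holds the seed effectively holds the card.
    """
    rng = random.Random(seed)
    return [[rng.choice(ALPHABET) for _ in SYMBOLS] for _ in COLORS]


def read_password(card, color, symbol, length, direction="right"):
    """Read `length` characters starting at (colour row, symbol column).

    The triple (start cell, length, direction) is the memorised part, e.g.
    "yellow star, 7 to the right"; the card supplies the characters.
    Reading past the edge of the card is an error rather than a wrap-around.
    """
    row, col = COLORS.index(color), SYMBOLS.index(symbol)
    d_row, d_col = DIRECTIONS[direction]
    chars = []
    for _ in range(length):
        if not (0 <= row < len(card) and 0 <= col < len(card[0])):
            raise ValueError("password runs off the edge of the card")
        chars.append(card[row][col])
        row, col = row + d_row, col + d_col
    return "".join(chars)


def count_readable_passwords(card, min_len, max_len):
    """Count every (start cell, length, direction) that fits on this card.

    This is the whole space a reader who already has the card would have to
    search, so it measures how much the memorised part alone protects.
    """
    total = 0
    for length in range(min_len, max_len + 1):
        for color in COLORS:
            for symbol in SYMBOLS:
                for direction in DIRECTIONS:
                    try:
                        read_password(card, color, symbol, length, direction)
                        total += 1
                    except ValueError:
                        pass
    return total


def bits(n):
    """Express a count of equally likely choices as bits of guessing work."""
    return math.log2(n)


if __name__ == "__main__":
    card = make_card("constructed-demo-seed")  # placeholder, not a real card seed
    pw = read_password(card, "yellow", "star", 7)
    print("yellow star, 7 right ->", pw)
    # Without the card, a 7-character password over this alphabet is 1 of 62**7.
    print("search space without the card: %.1f bits" % bits(len(ALPHABET) ** 7))
    # With the card in hand, only the memorised triple is left to guess.
    n = count_readable_passwords(card, 8, 12)
    print("readable passwords of length 8-12 on this card: %d (%.1f bits)" % (n, bits(n)))
```

The two numbers printed at the end make the two-factor point concrete: the characters on the card carry almost all of the randomness, and the remembered "yellow star 7" selects one of only a few hundred readings, so the card is the factor that actually needs protecting.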
And when you accidentally lose your card, then what happens? As a physical mnemonic you still remain dependent upon an outside, physical entity to gain access. A better mnemonic would be a passphrase based on a sequence of words (and numbers) further reduced to a password. It’s real easy to remember and doesn’t require an outside mnemonic.
For example, use the Gettysburg Address. Or, more specifically, the first sentence of the Address:
Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal.
Select only the first six words as a passphrase:
Four score and seven years ago …
Reduce that mnemonic to numbers (where appropriate) and the first letter of the remaining words:
4sa7ya
Add in the year it was delivered (1863), and capitalize just the vowels:
4sA7yA1863
You have a 10-character password. Easy to remember if you remember the simple mnemonic and the rules you established for creating the password.
But then it’s dependent on memory, and you need to remember which login uses which passphrase if you don’t want to use one for all your different sites, which should be standard practice. There are also important sites I don’t want an easily-guessed password for but I only need to access once or twice a year. It’s quite likely that by the time I need to log back in I’ll have forgotten what password I’ve used.
As for accidentally losing it, that’s what an extra card and list of directions stored in the safe is for, as well as the 16-character seed. The latter is less useful, of course, because it’s dependent on the website remaining active indefinitely, but it’s still a way to retrieve the card.
I currently have ~300 passwords and such stored in SplashID on my iPhone, so it would probably not be so useful for me, especially because each password often has other metadata associated with it (Web site URL? Database identifier? Username? Account#?)
But for someone who has a limited number of passwords to remember (e.g. 10 or 20), this is a nifty trick.
I could be wrong, but I don’t think you are supposed to be able to freely write down your color/symbol combination. I think the color/symbol combination is something that’s easy for you to remember so that you aren’t tempted to write it down. What the author is referring to as “written down” is the card itself, which is supposed to be useless without the attacker knowing the color/symbol combo.
If I understand it correctly, I believe this is a sort of simple multi-factor authentication scheme – the possible factors being: a) something you know; b) something you have; c) something you are. In the case of this Password Card, you have a) and b) – the color/symbol combo, and the card itself, respectively.
(To qualify as multi-factor, only 2 of the factors are required. Otherwise known as two-factor authentication)
So if you write down the color/symbol, it is no longer something you know, but something you have – thus reducing the system to a single-factor scheme.
Or, I can be totally off base and not know what I’m talking about. I’ve had some small amount of training in IT security but I’m not an expert by any means.
No, you’re on target. Still, if the attacker gets the combo or the card, either is useless to them without the other. And in my particular situation, at least, a physical possession is more secure than anything that might be on a computer.
Plus, if someone managed to get a hold of the combos (a feat in itself), they’d not only need the card or the specific 16-char seed but also the knowledge that it’s not a password itself. Yellowstar7 or yellow7star sure looks like something a lazy-ish person would come up with.
I acknowledge it’s nowhere near the top of the security list, but it’s a damn sight better than the meager combination of three logins and passwords I was mixing and matching and trying to track in my head. I’ve got just enough logins to where that’s difficult to track mentally, and not enough to justify a heavy duty manager. This is a nifty way to ensure easier and better security.
Testing some of the passwords generated with the card I’d printed showed them to be no better than weak. So I’m wondering if the card is any advantage?
Microsoft’s password checker seems to want really long passwords; it says a password should be at least 14 characters long. I just tested it, and it goes to Medium at 10 characters, and only goes to Best when a password is 20-22 characters long, even if you include non-alphanumeric symbols in the password (which the password card can also generate if you want). Sure, that’s a great password, but it certainly seems like overkill for personal use. A brute-force cracker is still going to take at least months, if not years, to break even a 10-character random password with symbols, and each single symbol adds an order of magnitude to the time necessary.
I saw a chart outlining the time necessary to crack various passwords of complexity and length recently, but I can’t seem to find it now.
After a little more fiddling with Microsoft’s checker, I discovered that it’ll give a Best rating for ‘abcdefghijklmnopqrstuvwxyzab’ and ‘passwordpasswordpasswordpassword’. It seems to be based primarily on length, with some adjustments made for how varied the characters you use are.
Pick a phrase with a proper noun and a number, reduce to initials or numerals, capitalize the proper noun’s initials.
Dead simple to produce, dead simple to remember. In some cases, the phrase is related to whatever the password is for.
I am a network admin - the number of passwords I am required to remember is ridiculous, without even beginning If I were to write them down anywhere, I would be extremely disappointed if I weren’t fired.
The Password Card idea is a bit lame, because it needlessly introduces vulnerabilities without giving a stronger password. Who wants to refer to a cheat sheet every time they log in?
“Larry Mudd has 99 cents in his account!” would be a damned easy phrase to remember for online banking, and it reduces to “LMh99ciha!” which is as strong a password as one derived from the card method – without the pain of being dependent on external reference materials, and easily retrievable with memory alone.
The password card also provides an apparently strong password which is nevertheless more vulnerable if the card is discovered, because it reintroduces the “common word” weakness that it is meant to avoid - you can bet your ass that the distribution of colour/symbol combinations has a disproportionate representation of “Pink triangle,” “Yellow Star,” “Green dollar,” “blue diamond,” etc over truly random combinations. That’s how people are.
Now generate six different ones. Now change each of them every 90 days, on a staggered schedule, and no re-using previous passwords and no adding an integer (password1, password2).
Now don’t use them for a month or two and then try and recall all of them early on a Monday morning.
- My personal e-mail
- Two bank accounts
- My credit card
- Domain log-in for my user account at work
- Domain log-in for my administrator account at work
- Staples
- Corporate Express
- InSite IT supplies
- FTP to our corporate website
- Content management web interface for our corporate website
- NCIX personal & work
- BCIT student log-in
- Our 3rd-party Records Management service
- Print-tracking report manager
- Photocopier accounting management
- Mail meter accounting management
- Document request management console web interface
- Virtual merchant
- The Straight Dope
- Remote access to my home computer
- …and whatever the hell else I am not remembering right now.
Most of these passwords have to be replaced frequently and have complexity and uniqueness requirements. This method is the only one which allows me to hold them all in my head, in their entirety – precisely because the passwords are derived from phrases which have direct associations with whatever they are for.
If I had to associate all of those with some combination of colours and symbols which had no reference to anything else, and keep an index of those combinations in my head, I would be boned. Much easier to remember an associated phrase.
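The phrase-reduction rules from the two posts above (the Gettysburg Address reduced to 4sA7yA1863, and “Larry Mudd has 99 cents in his account!” reduced to LMh99ciha!) implemented as one configurable reducer, as an added example that is not code from either poster. The number-word table and the option names are constructed here; the second function computes what a character-class strength meter of the kind discussed earlier in the thread sees, which is an upper bound because such a meter cannot know the phrase behind the password is a public quotation:

```python
import math
import re

# Spelled-out numbers that the reduction turns into digits (constructed table,
# large enough for the examples in this thread).
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8",
                "nine": "9", "ten": "10"}
VOWELS = set("aeiou")
# A token is a word, a run of digits, or a single punctuation character.
TOKEN = re.compile(r"[A-Za-z']+|\d+|[^\w\s]")


def reduce_phrase(phrase, words=None, suffix="", keep_case=False,
                  capitalize_vowels=False, keep_punctuation=False):
    """Reduce a passphrase to a password by the rules in the posts.

    words            - keep only the first N words (None keeps them all)
    suffix           - text appended after reduction (e.g. a year)
    keep_case        - keep each word's initial as written (proper nouns stay upper)
    capitalize_vowels- upper-case every vowel in the result
    keep_punctuation - keep punctuation marks such as a trailing "!"
    Number words and digit runs are always kept as digits.
    """
    out = []
    seen_words = 0
    for tok in TOKEN.findall(phrase):
        if tok[0].isalnum():
            if words is not None and seen_words >= words:
                break
            seen_words += 1
            low = tok.lower()
            if low in NUMBER_WORDS:
                out.append(NUMBER_WORDS[low])
            elif tok.isdigit():
                out.append(tok)
            else:
                out.append(tok[0] if keep_case else tok[0].lower())
        elif keep_punctuation:
            out.append(tok)
    result = "".join(out) + suffix
    if capitalize_vowels:
        result = "".join(c.upper() if c in VOWELS else c for c in result)
    return result


def charset_bits(password):
    """Bits of a uniformly random string over the character classes used.

    This is the view a length-and-variety strength meter has of the password;
    it says nothing about how guessable the underlying phrase is.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size)


if __name__ == "__main__":
    gettysburg = ("Four score and seven years ago our fathers brought forth on "
                  "this continent a new nation, conceived in liberty, and "
                  "dedicated to the proposition that all men are created equal.")
    pw1 = reduce_phrase(gettysburg, words=6, suffix="1863", capitalize_vowels=True)
    pw2 = reduce_phrase("Larry Mudd has 99 cents in his account!",
                        keep_case=True, keep_punctuation=True)
    for pw in (pw1, pw2):
        print("%-12s %.1f bits as seen by a character-class meter" % (pw, charset_bits(pw)))
```

Both reductions reproduce the passwords given in the posts, which is a useful check that the rule set is written down unambiguously: a rule that cannot be reapplied mechanically months later is exactly the "which password did I use" problem raised earlier in the thread.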