Instead of having to store a number to regenerate your card, the card is (re)generated from a "master" password that you can memorize and never write down. You do not even need to print out your card, as you can generate your card online at any time.
I have a friend who uses this service; he has a complicated "master" password and simply uses the site domain ("qht.co" for example) for the second field in order to generate the password to use on each site (HN).
For those who have personal policies of regularly changing passwords, just regularly change your "master" password and be sure to update your passwords on all affected sites (keeping your second field the same).
Thanks for the mention. Its always fun hearing people use passwordchart - I built it in a day in 2006 after reading a story on Slashdot that gave me the idea.
This is a stupid password scheme. You still need to remember some weird piece of information (a symbol and colour? wtf?), and if you put that as the password hint for your websites, they will be able to figure out your password if they have the card.
A thief could still very easily brute force your password if you actually follow the instructions on the card. I suppose you could get creative with how you interpret the card.
Maybe, but agree that if a thief find this "weird" cards by taking your wallet, the chance that he find what it means.. and to actually find a way to brute force is really low.
Compare that to a plain paper with a password written on it!
The problem I see is: it's still a bit complicated (i.e. too complicated for the "usual" folks). I see a lot of the security stuff failing for most people because it's just not easy enough.
In this sense, Lastpass (passwords stored online) or Roboform (passwords stored locally) is imho better in that it makes it easy to use secure, one-time passwords for each website.
SuperGenPass is a bookmarklet which seems really nice - it has a different password for each website and 1 password that you use to create the different passwords.
I use password composer (http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordCompos...) which does an md5 hash of the url and the master password of your choosing to generate a unique password for each website. The extensions for chrome and firefox make it very convenient to use.
My personal password scheme is to string together a few random things. 2 or more random things I happen to be thinking about that day (often abbreviated weirdly to prevent having actual words in my password) with random special characters between them and/or at the beginning or end.
This may not be as secure as a random SHA1, but it's so random (and usually pretty long) that I think it's pretty solid.
One bad thing is that I have taken to having one password for all of my "really don't care about this" websites. Only for stuff where if it were compromised, I really wouldn't care (though I might care a little), but it's still not a great practice, and that password is weaker than my other ones.
You think it's pretty solid - but it may not be. Computers are fast these days - passwords even loosely based on real words and common substitutions can be brute-forced - so not saying your system is bad (it's probably what most of us do, more or less) - but this passwordcard idea seems equally valid - you are still free to use it however you want, and without physically obtaining it, someone would have no idea where to start. If they did physically obtain it - they'd still have to know how you used it (which is up to you) - and that's assuming you didn't add some other out of band information (which you are free to do).
I started doing this a while ago. I have some keys to access a building which needs a security code to disable the alarm, so I wouldnt forget it I wrote it on the key tag mixed in with a series of other numbers.
Alternativly I use KeePass to store all my passwords and for the master password I combined all the passwords Ive used over the years, so its about 15 characters long and easy to remember.
Same. The KeePass iPhone app is very convenient when used in conjunction with the Dropbox public folder.
However, I will occasionally need to set a new temporary password for an online account when I do not have r/w access to my KeePass file. In this case, I tend to use the same simple password until I have the opportunity to change it, so the Password Card / Chart can still come in handy.
I don't like how (i) the card is pseudo-randomly generated and (ii) the people as passwordcard.org potentially have access to the key used to generate it -- it certainly would cut down on the size of the password space that ~they~ would need to search to steal your password; or the space that someone who steals data from them would need to search.
Of course, like the site says, a chain is as strong as its weakest link, so saving passwords in chrome/firefox or using the same one for all of them, or being victim to a phishing attack are all still just as vulnerable as they were before
Well, you can choose sentence that are easier to remember.. It helps if that sentence is related to the website in question.. so for instance.. "I Like To Visit Hacker News" -> iltvhn.. I kind of type the password while saying the sentence in my head. However, as I said, I usually change i for 1, and a for @.. 1ltvhn. :p (Don't try this pass on my account please!)
But what happens when you have to use somebody else's computer? How are you going to log into your super secure email using a stolen cellphone to warn the president about the terrorists, if you have to run back home, log into firefox then get the password?
While that scenario might not be realistic, for this type of thing, you have to plan for worst case scenario of needed to access you services now, without extra tools. Memorizing the password will always be the best, and if you are in situation where you accounts need passwords so difficult you cannot remember them, then you likely will also need to connect to those services at a moments notice. Start with a simpler password and work your way up in length and complexity over time, your memory can get longer with practice!
I have a workable but annoying solution to this. I have a master email account for every website I'm signed up on. I have the password for that email account memorized and that passwords isn't saved on my computer. If I need access to photobucket when I'm away from my computer (and 1Password) I can reset my photobucket password to a memorized password. Then when I can get access to 1Password, I can login in and change it back.
Instead of having to store a number to regenerate your card, the card is (re)generated from a "master" password that you can memorize and never write down. You do not even need to print out your card, as you can generate your card online at any time.
I have a friend who uses this service; he has a complicated "master" password and simply uses the site domain ("qht.co" for example) for the second field in order to generate the password to use on each site (HN).
For those who have personal policies of regularly changing passwords, just regularly change your "master" password and be sure to update your passwords on all affected sites (keeping your second field the same).