Hacker Timesnew | past | comments | ask | show | jobs | submitlogin
PasswordCard (passwordcard.org)
29 points by ihodes on July 8, 2010 | hide | past | favorite | 30 comments


This site reminds me of another site that has been online a lot longer: http://www.passwordchart.com/

Instead of having to store a number to regenerate your card, the card is (re)generated from a "master" password that you can memorize and never write down. You do not even need to print out your card, as you can generate your card online at any time.

I have a friend who uses this service; he has a complicated "master" password and simply uses the site domain ("qht.co" for example) for the second field in order to generate the password to use on each site (HN).

For those who have personal policies of regularly changing passwords, just regularly change your "master" password and be sure to update your passwords on all affected sites (keeping your second field the same).


Thanks for the mention. Its always fun hearing people use passwordchart - I built it in a day in 2006 after reading a story on Slashdot that gave me the idea.


This is a stupid password scheme. You still need to remember some weird piece of information (a symbol and colour? wtf?), and if you put that as the password hint for your websites, they will be able to figure out your password if they have the card.

And it can be brute-forced too.

Just use something like 1Password or LastPass.


A thief could still very easily brute force your password if you actually follow the instructions on the card. I suppose you could get creative with how you interpret the card.

Security is tricky.


Maybe, but agree that if a thief find this "weird" cards by taking your wallet, the chance that he find what it means.. and to actually find a way to brute force is really low.

Compare that to a plain paper with a password written on it!

But yes.. security is all about trade of.


The problem I see is: it's still a bit complicated (i.e. too complicated for the "usual" folks). I see a lot of the security stuff failing for most people because it's just not easy enough.

In this sense, Lastpass (passwords stored online) or Roboform (passwords stored locally) is imho better in that it makes it easy to use secure, one-time passwords for each website.


SuperGenPass is a bookmarklet which seems really nice - it has a different password for each website and 1 password that you use to create the different passwords.


I use password composer (http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordCompos...) which does an md5 hash of the url and the master password of your choosing to generate a unique password for each website. The extensions for chrome and firefox make it very convenient to use.


If one chases down some of the links on that page, one gets to a number of interesting/useful resources.

Thanks for the link. I'd run across some of those some years ago but since lost the references.


My personal password scheme is to string together a few random things. 2 or more random things I happen to be thinking about that day (often abbreviated weirdly to prevent having actual words in my password) with random special characters between them and/or at the beginning or end.

This may not be as secure as a random SHA1, but it's so random (and usually pretty long) that I think it's pretty solid.

One bad thing is that I have taken to having one password for all of my "really don't care about this" websites. Only for stuff where if it were compromised, I really wouldn't care (though I might care a little), but it's still not a great practice, and that password is weaker than my other ones.


You think it's pretty solid - but it may not be. Computers are fast these days - passwords even loosely based on real words and common substitutions can be brute-forced - so not saying your system is bad (it's probably what most of us do, more or less) - but this passwordcard idea seems equally valid - you are still free to use it however you want, and without physically obtaining it, someone would have no idea where to start. If they did physically obtain it - they'd still have to know how you used it (which is up to you) - and that's assuming you didn't add some other out of band information (which you are free to do).


I started doing this a while ago. I have some keys to access a building which needs a security code to disable the alarm, so I wouldnt forget it I wrote it on the key tag mixed in with a series of other numbers.

Alternativly I use KeePass to store all my passwords and for the master password I combined all the passwords Ive used over the years, so its about 15 characters long and easy to remember.


Same here. I save it on my dropbox account, just in case I needed access to my password when I am away from my computer.


Same. The KeePass iPhone app is very convenient when used in conjunction with the Dropbox public folder.

However, I will occasionally need to set a new temporary password for an online account when I do not have r/w access to my KeePass file. In this case, I tend to use the same simple password until I have the opportunity to change it, so the Password Card / Chart can still come in handy.


1Password works well also.


yep, also store mine on a dropbox account, safe and secure.


I don't like how (i) the card is pseudo-randomly generated and (ii) the people as passwordcard.org potentially have access to the key used to generate it -- it certainly would cut down on the size of the password space that ~they~ would need to search to steal your password; or the space that someone who steals data from them would need to search.


Of course, like the site says, a chain is as strong as its weakest link, so saving passwords in chrome/firefox or using the same one for all of them, or being victim to a phishing attack are all still just as vulnerable as they were before


This would be kind of annoying to pick that card every time I want to enter a password.. no?

I Like To Take The First Word Of Easy To Remember Sentences. (iltttfwoetrs) and put some random i->1 and a->@ and o->0.

This way, it's fairly secure and easy to remember.


See, that method never worked for me. How many easy to remember sentences are there where I know every word exactly?


Well, you can choose sentence that are easier to remember.. It helps if that sentence is related to the website in question.. so for instance.. "I Like To Visit Hacker News" -> iltvhn.. I kind of type the password while saying the sentence in my head. However, as I said, I usually change i for 1, and a for @.. 1ltvhn. :p (Don't try this pass on my account please!)


Personally, after some silent wonderment, other reasons don't.

(I'm sorry, that was awful.)


Passwords are securely structured with only random data.


applause


works until you recall it as "iltttfloewoetrs" :)


Just install the PwdHash Firefox add-on, and keep using the same password everywhere (just prefix it with F2) https://www.pwdhash.com/


Well I am good with Sticky Password. Use it, everything is automatic, I am all set.


or... you just use something like firefox's master password.

you can use as many passwords as you can think of, but only have to remember 1 of them.


But what happens when you have to use somebody else's computer? How are you going to log into your super secure email using a stolen cellphone to warn the president about the terrorists, if you have to run back home, log into firefox then get the password?

While that scenario might not be realistic, for this type of thing, you have to plan for worst case scenario of needed to access you services now, without extra tools. Memorizing the password will always be the best, and if you are in situation where you accounts need passwords so difficult you cannot remember them, then you likely will also need to connect to those services at a moments notice. Start with a simpler password and work your way up in length and complexity over time, your memory can get longer with practice!


I have a workable but annoying solution to this. I have a master email account for every website I'm signed up on. I have the password for that email account memorized and that passwords isn't saved on my computer. If I need access to photobucket when I'm away from my computer (and 1Password) I can reset my photobucket password to a memorized password. Then when I can get access to 1Password, I can login in and change it back.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: