passwordcard.org: pick and remember secure passwords in a low techand free way

Discussion in 'Computer Security' started by Pepijn Schmitz, Jun 4, 2009.

  1. This is to announce the creation of a new website:

    http://passwordcard.org/

    The site is free and allows you to print a PasswordCard containing a
    grid of random letters and numbers, with colors for rows and symbols for
    columns. You keep it in your wallet and it allows you to pick very
    secure passwords, and remember them without a thief being any the wiser
    if your wallet gets stolen!

    Check it out.
    Pepijn Schmitz, Jun 4, 2009
    #1
    1. Advertising

  2. Pepijn Schmitz

    VanguardLH Guest

    Re: passwordcard.org: pick and remember secure passwords in a low tech and free way

    Pepijn Schmitz wrote:

    > This is to announce the creation of a new website:
    >
    > http://passwordcard.org/
    >
    > The site is free and allows you to print a PasswordCard containing a
    > grid of random letters and numbers, with colors for rows and symbols for
    > columns. You keep it in your wallet and it allows you to pick very
    > secure passwords, and remember them without a thief being any the wiser
    > if your wallet gets stolen!
    >
    > Check it out.


    But you still have to remember a symbol and a color and then remember to
    which site that combination is associated. A lot easier and without
    having to carry anything is to remember a simple algorithm in your head
    that lets you generate a password that is unique to every domain you
    visit. You pick strings of things you will always remember and then
    apply a fixed jumbling rule against each of them and then slap them
    together to make a password. The substring you use for the password.

    For <hostname>.<domain>.<tld>, pick a fixed number of letters from the
    domain either from the start or end of it. 3 or 4 are sufficient.
    Decide if you'll use them in the order in the domain, reverse them, or
    move 2 from the back to the front of the string, or whatever jumbling
    you want but it's a fixed jumble. If the domain is shorter than you
    fixed length selection from it, start borrowing letters from the TLD
    (top level domain; e.g., .com, .org, .net, etc). So if you always pick
    4 characters from the domain but you are visiting aa.com, you'd use
    "aaco" (if you start the selection from the start instead of the end).
    Don't include the period character, just alphabetic characters. For
    this example, say you always pick the last 4 characters from the domain
    and your fixed jumble rule is to reverse that string. When visiting
    www.ibm.com, you'd use "cmbi". When visiting forums.spampal.org, you
    use "lapm".

    Pick 2 to 4 characters that are significant to you. First & last
    initial, middle initial and first initial of mom's or dad's name, last 3
    letters of your dog's name, whatever. Again, this selection remains
    fixed so you can remember it. Again use a fixed jumbling scheme. You
    use lowercase letters for this selection. Some sites want some
    uppercase letters which means on your first attempt that fails then your
    second attempt capitalizes the first or last 2 characters (but which
    ones get capitalized remain the same). Say you use your name's initials
    which are "vgh" but the fixed jumble rule says to reverse these so you
    use "hgv".

    Pick some numbers that are significant to you. Birthmonth + middle 2
    digits of 4-digit birthyear, house number for your street address, the
    middle 2 digits of your social security number, or any other values you
    will always know. For this example, say you pick the middle 2 digits
    of your birthyear (say it is 1985) and the first digit of your house
    number from your street address (say it is 304). You end up with a
    numerical string of 983. The fixed jumble rule to reverse the string
    gives you 389.

    Now you have 3 strings of jumbled strings that you can slap together to
    make a password. Because the domain string will change with every
    domain you visit, the password will change so it is unique to that
    domain. When you splice these strings together, shove in a punctuation
    character between them (since some sites want a non-alphanumeric
    character included), like using a period character between the first two
    strings and a dash between the last two. With the above examples, and
    using the order for the strings of charstring.domainstring-numstring,
    the password when visiting ibm.com would be hgv.cmbi-389. The only part
    of the password that changes with each domain would be just the domain
    string part in your password so that's the only time you really need to
    apply your rule of which characters to use from the domain and apply
    what is your jumbling rule used on all the substrings. Yes, only a
    portion of the password changes for each domain but each password itself
    is a strong password. If you ever forget the fixed portions of your
    password scheme, you know the rules and the data you used to create
    them. These rules are fixed as are the data you use.

    Say your rules for building a password are:
    - For the domain substring:
    o Use last 4 characters of domain name.
    o If the domain name is shorter than 4 characters, borrow the
    remaining characters from the start of the top-level domain (.com,
    .org, etc).
    o Reverse this string. (Fixed jumble rule.)
    o If some uppercase characters are required by a site, they will be
    the last 2 characters in this string.
    - For the characters substring:
    o Use the initials for your middle and lastname, in that order.
    o Append the first initial of dad's name.
    o Lowercase is used for all characters.
    o Reverse this string. (Fixed jumble rule.)
    Example: Your middle and last initials are "gh" and dad's firstname is
    "brad". You start with "gh" + "b" = "ghb" and reverse to "bhg". This
    substring is always fixed but you know the rules needed to rebuild it.
    - For the number substring:
    o Middle 2 digits of your 4-digit birthyear.
    o Last 2 digits of your social security number.
    o Reverse this string. (Fixed jumble rule.)
    Example: Birthyear = 1984 and SocSecNum = xxx-xx-xx48. You start with
    "98" + "48", or 9848 but reverse to 8489.
    - The order for splicing together these substrings:
    o charstring + domainstring + numberstring
    o Use the dash character to punctuate between these strings.
    Example (using above examples): charstring = "bhg", domain is
    variable, and numberstring = 8489, and with dashes between these.

    When visiting the sites below, you would use the following passwords:

    www.intel.com: bhg-letn-8489
    forums.spampal.org: bhg-lapm-8489
    www.msn.com bhg-cnsm-8489
    www.live.com bhg-evil-8489
    experts-exchange.com: bhg-egna-8489 --> bhg-egNA-8489

    The password is strong but only a small part of it changes depending on
    the domain you are visiting. I show 2 passwords for the last example.
    This site requires some uppercase letters, and the rule was to
    capitalize the last 2 characters of the domainstring portion of the
    password.

    It's not really as complex as written up here. Once you come up with
    your algorithm to generate passwords on-the-fly, the only part that ever
    changes is the domainstring portion but you have a fixed set of rules
    for generating that portion of the password. If you forget the other
    portions, you know the common data used to build them.

    Sites may require that there be both lowercase and uppercase alphabetic
    characters in the password, that it contain some numbers, that it
    contain non-alphanumeric characters, and be over 6, 8, or more
    characters in length. The algorithm takes care of all of that. The
    algorithm is in your head. You only need to remember the algorithm
    (actually you just remember how to generate the domainstring part since
    the other parts remain fixed). You can pick shorter strings for each
    part to make a shorter password but I'd suggest not going less than 8
    characters. Some sites require 6, or more, 6 characters and I've hit a
    few that require 8, or more. You don't carry around a "card" in your
    wallet which doesn't cover all possible requirements for creating a
    password at different sites. You aren't remembering passwords but just
    a general rule on generating or recalling them. It's in your head so
    the "card" cannot be stolen or someone looks under your keyboard to find
    your sticky notes of passwords. When you travel, you don't have to
    remember to take anything with you (unless your head isn't attached).

    I've used a memorized algorithm for years. It is a bit simpler than the
    above examples (in length) but a little more complex regarding the
    domainstring part. My password is a strong one at each domain but it's
    easy for my to recall or regenerate. At worst, I had to make 3 guesses
    to hit my password at a domain (for those that want uppercase letters
    and others that don't like the punctuation characters and another wanted
    uppercase and wouldn't accept punctuation characters). Use whatever you
    want as the above is only an example of how you can use a unique
    password at every domain but not have to remember those passwords. The
    algorithm, once you choose one is fixed. The data used for 2 of the 3
    parts is fixed and well-known to you (you can have more parts for your
    algorithm), and 1 part (or more if you want) are variable to make the
    password unique to domain. You can come up with a wholly different
    scheme than I mentioned above but just make sure it is fixed enough for
    you to remember it and relies on data that you will always know. Other
    examples of passwords (that you can easily create and then remember) are
    http://www.microsoft.com/protect/yourself/password/create.mspx and other
    articles. I prefer a scheme where the password changes for every domain
    rather than coming up with just one password for everything.

    You don't need software. You don't need cards. You don't need anything
    other than your brain.
    VanguardLH, Jun 4, 2009
    #2
    1. Advertising

  3. Pepijn Schmitz

    ©Ari® Guest

    Re: passwordcard.org: pick and remember secure passwords in a low tech and free way

    On Thu, 4 Jun 2009 15:37:38 -0500, VanguardLH wrote:

    > When visiting
    > www.ibm.com, you'd use "cmbi". When visiting forums.spampal.org, you
    > use "lapm".


    Yeah, no passcracking will ever figure that out.

    lol
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
    ©Ari®, Jun 5, 2009
    #3
  4. Pepijn Schmitz

    VanguardLH Guest

    Re: passwordcard.org: pick and remember secure passwords in a low tech and free way

    John Smith wrote:

    > VanguardLH wrote:
    >> Pepijn Schmitz wrote:
    >>
    >>> This is to announce the creation of a new website:
    >>>
    >>> http://passwordcard.org/
    >>>
    >>> The site is free and allows you to print a PasswordCard containing a
    >>> grid of random letters and numbers, with colors for rows and symbols for
    >>> columns. You keep it in your wallet and it allows you to pick very
    >>> secure passwords, and remember them without a thief being any the wiser
    >>> if your wallet gets stolen!
    >>>
    >>> Check it out.

    >>
    >> But you still have to remember a symbol and a color and then remember to
    >> which site that combination is associated. A lot easier and without
    >> having to carry anything is to remember a simple algorithm in your head
    >> that lets you generate a password that is unique to every domain you
    >> visit. You pick strings of things you will always remember and then
    >> apply a fixed jumbling rule against each of them and then slap them
    >> together to make a password. The substring you use for the password.
    >>
    >> For <hostname>.<domain>.<tld>, pick a fixed number of letters from the
    >> domain either from the start or end of it. 3 or 4 are sufficient.
    >> Decide if you'll use them in the order in the domain, reverse them, or
    >> move 2 from the back to the front of the string, or whatever jumbling
    >> you want but it's a fixed jumble. If the domain is shorter than you
    >> fixed length selection from it, start borrowing letters from the TLD
    >> (top level domain; e.g., .com, .org, .net, etc). So if you always pick
    >> 4 characters from the domain but you are visiting aa.com, you'd use
    >> "aaco" (if you start the selection from the start instead of the end).
    >> Don't include the period character, just alphabetic characters. For
    >> this example, say you always pick the last 4 characters from the domain
    >> and your fixed jumble rule is to reverse that string. When visiting
    >> www.ibm.com, you'd use "cmbi". When visiting forums.spampal.org, you
    >> use "lapm".
    >>
    >> Pick 2 to 4 characters that are significant to you. First & last
    >> initial, middle initial and first initial of mom's or dad's name, last 3
    >> letters of your dog's name, whatever. Again, this selection remains
    >> fixed so you can remember it. Again use a fixed jumbling scheme. You
    >> use lowercase letters for this selection. Some sites want some
    >> uppercase letters which means on your first attempt that fails then your
    >> second attempt capitalizes the first or last 2 characters (but which
    >> ones get capitalized remain the same). Say you use your name's initials
    >> which are "vgh" but the fixed jumble rule says to reverse these so you
    >> use "hgv".
    >>
    >> Pick some numbers that are significant to you. Birthmonth + middle 2
    >> digits of 4-digit birthyear, house number for your street address, the
    >> middle 2 digits of your social security number, or any other values you
    >> will always know. For this example, say you pick the middle 2 digits
    >> of your birthyear (say it is 1985) and the first digit of your house
    >> number from your street address (say it is 304). You end up with a
    >> numerical string of 983. The fixed jumble rule to reverse the string
    >> gives you 389.
    >>
    >> Now you have 3 strings of jumbled strings that you can slap together to
    >> make a password. Because the domain string will change with every
    >> domain you visit, the password will change so it is unique to that
    >> domain. When you splice these strings together, shove in a punctuation
    >> character between them (since some sites want a non-alphanumeric
    >> character included), like using a period character between the first two
    >> strings and a dash between the last two. With the above examples, and
    >> using the order for the strings of charstring.domainstring-numstring,
    >> the password when visiting ibm.com would be hgv.cmbi-389. The only part
    >> of the password that changes with each domain would be just the domain
    >> string part in your password so that's the only time you really need to
    >> apply your rule of which characters to use from the domain and apply
    >> what is your jumbling rule used on all the substrings. Yes, only a
    >> portion of the password changes for each domain but each password itself
    >> is a strong password. If you ever forget the fixed portions of your
    >> password scheme, you know the rules and the data you used to create
    >> them. These rules are fixed as are the data you use.
    >>
    >> Say your rules for building a password are:
    >> - For the domain substring:
    >> o Use last 4 characters of domain name.
    >> o If the domain name is shorter than 4 characters, borrow the
    >> remaining characters from the start of the top-level domain (.com,
    >> .org, etc).
    >> o Reverse this string. (Fixed jumble rule.)
    >> o If some uppercase characters are required by a site, they will be
    >> the last 2 characters in this string.
    >> - For the characters substring:
    >> o Use the initials for your middle and lastname, in that order.
    >> o Append the first initial of dad's name.
    >> o Lowercase is used for all characters.
    >> o Reverse this string. (Fixed jumble rule.)
    >> Example: Your middle and last initials are "gh" and dad's firstname is
    >> "brad". You start with "gh" + "b" = "ghb" and reverse to "bhg". This
    >> substring is always fixed but you know the rules needed to rebuild it.
    >> - For the number substring:
    >> o Middle 2 digits of your 4-digit birthyear.
    >> o Last 2 digits of your social security number.
    >> o Reverse this string. (Fixed jumble rule.)
    >> Example: Birthyear = 1984 and SocSecNum = xxx-xx-xx48. You start with
    >> "98" + "48", or 9848 but reverse to 8489.
    >> - The order for splicing together these substrings:
    >> o charstring + domainstring + numberstring
    >> o Use the dash character to punctuate between these strings.
    >> Example (using above examples): charstring = "bhg", domain is
    >> variable, and numberstring = 8489, and with dashes between these.
    >>
    >> When visiting the sites below, you would use the following passwords:
    >>
    >> www.intel.com: bhg-letn-8489
    >> forums.spampal.org: bhg-lapm-8489
    >> www.msn.com bhg-cnsm-8489
    >> www.live.com bhg-evil-8489
    >> experts-exchange.com: bhg-egna-8489 --> bhg-egNA-8489
    >>
    >> The password is strong but only a small part of it changes depending on
    >> the domain you are visiting. I show 2 passwords for the last example.
    >> This site requires some uppercase letters, and the rule was to
    >> capitalize the last 2 characters of the domainstring portion of the
    >> password.
    >>
    >> It's not really as complex as written up here. Once you come up with
    >> your algorithm to generate passwords on-the-fly, the only part that ever
    >> changes is the domainstring portion but you have a fixed set of rules
    >> for generating that portion of the password. If you forget the other
    >> portions, you know the common data used to build them.
    >>
    >> Sites may require that there be both lowercase and uppercase alphabetic
    >> characters in the password, that it contain some numbers, that it
    >> contain non-alphanumeric characters, and be over 6, 8, or more
    >> characters in length. The algorithm takes care of all of that. The
    >> algorithm is in your head. You only need to remember the algorithm
    >> (actually you just remember how to generate the domainstring part since
    >> the other parts remain fixed). You can pick shorter strings for each
    >> part to make a shorter password but I'd suggest not going less than 8
    >> characters. Some sites require 6, or more, 6 characters and I've hit a
    >> few that require 8, or more. You don't carry around a "card" in your
    >> wallet which doesn't cover all possible requirements for creating a
    >> password at different sites. You aren't remembering passwords but just
    >> a general rule on generating or recalling them. It's in your head so
    >> the "card" cannot be stolen or someone looks under your keyboard to find
    >> your sticky notes of passwords. When you travel, you don't have to
    >> remember to take anything with you (unless your head isn't attached).
    >>
    >> I've used a memorized algorithm for years. It is a bit simpler than the
    >> above examples (in length) but a little more complex regarding the
    >> domainstring part. My password is a strong one at each domain but it's
    >> easy for my to recall or regenerate. At worst, I had to make 3 guesses
    >> to hit my password at a domain (for those that want uppercase letters
    >> and others that don't like the punctuation characters and another wanted
    >> uppercase and wouldn't accept punctuation characters). Use whatever you
    >> want as the above is only an example of how you can use a unique
    >> password at every domain but not have to remember those passwords. The
    >> algorithm, once you choose one is fixed. The data used for 2 of the 3
    >> parts is fixed and well-known to you (you can have more parts for your
    >> algorithm), and 1 part (or more if you want) are variable to make the
    >> password unique to domain. You can come up with a wholly different
    >> scheme than I mentioned above but just make sure it is fixed enough for
    >> you to remember it and relies on data that you will always know. Other
    >> examples of passwords (that you can easily create and then remember) are
    >> http://www.microsoft.com/protect/yourself/password/create.mspx and other
    >> articles. I prefer a scheme where the password changes for every domain
    >> rather than coming up with just one password for everything.
    >>
    >> You don't need software. You don't need cards. You don't need anything
    >> other than your brain.

    >
    > The best part about it is the birth year and social security numbers
    > you're using, oh ya, the last name is great to.
    > o;drg[9oygh[084y5uj45h80[etg8[9ehye[08'ghe[98rgh


    647
    589

    Which one is from my social security number? And which digits did I
    use?

    Which one is from my birthyear and house number, and which digits of
    each?

    Or did I pick numbers from completely different sources, like the first
    2 digits of my zipcode and a digit at the end of my areacode? You can't
    tell from WHERE those digits were used.

    hldc

    Which 2 chars were for my first and last initials? Which 2 were for my
    father's first and middle initial? And which ones are reversed? And
    which one was inserted in the middle of the other? You can't tell which
    is which and where it was put in the string.

    You do NOT pick sufficient characters from any one source of your data
    that would uniquely identify it. You jumble the order so you know the
    jumble but no one else does. You still end up with strong passwords in
    which no part of it can be identified with any data you used to compile
    the password but only a portion of the password is altered based on the
    domain you are visiting.

    Come up with whatever algorithm you like for generating strong
    passwords. The password doesn't have to all change its characters for
    different sites, just enough to make it easy for YOU to figure out how
    to make it unique and associated with a particular site. I gave
    examples. I assume you can figure out how to pick your own pieces of
    data, how to jumble each piece (but a fixed jumble of for each piece),
    and in what order you like to concatenate those pieces. It's really not
    hard to do, and once you do it to come with YOUR own scheme, the only
    part you have to be concerned about is the section that changes
    according to the site. It definitely beats using bunched up words or
    something very familiar and sufficient in length that anyone with some
    of your personal data could run through a script to process a few
    thousand possibles.
    VanguardLH, Jun 7, 2009
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Axl
    Replies:
    6
    Views:
    1,190
    gmccx
    Sep 29, 2003
  2. Dan
    Replies:
    3
    Views:
    454
    mike555
    Apr 26, 2005
  3. thingy
    Replies:
    6
    Views:
    418
    Lawrence D'Oliveiro
    Nov 21, 2006
  4. Replies:
    0
    Views:
    580
  5. Replies:
    0
    Views:
    650
Loading...

Share This Page