Domain: passwordcard.org
Stories and comments across the archive that link to passwordcard.org.
Comments · 11
-
Re:I believe I have a pile of I-told-you-sos to se
There's always this: http://www.passwordcard.org/en
As mentioned, writing down your passwords (which this is just a fancy version of) makes them harder to crack online, but opens you up to a different set of attacks, especially any that involve physically overpowering you.
-
If not a password manager, then a password card
Writing down passwords isn't an automatic fail—it just means you need good physical security on whatever you write them down in. A notebook is bad advice, but writing them down on a wallet card or similar wouldn't be too bad.
Something like LastPass is probably your best bet, since it works everywhere (including Chromebook); though it isn't free if you want to use the mobile app, it is pretty inexpensive. Of course, if LastPass has an outage, you're gonna have a bad time.
As a security professional, I often recommend Password Cards (passwordcard.org) as a free, low-tech solution that hits a good balance among cost, security, and ease of use. The site generates a printable card (which is easy to make a backup of!) that has a row of symbols and then several rows of random text elements in color-coded rows. All you need to remember for each site is a symbol+color combo; then you simply start from that grid point and type the required number of characters. You could even safely note down the symbol+color for each site, because as long as you keep the card safe in your wallet, that information isn't useful.
It's not perfect, but it's quite good, free, and simple.
-
Password store
Well, I keep a plasticized Password Card [1] for keeping the passwords that actually matter, along with a PGP passphrase, which is used to open up my password store [2]. The program itself is available on any major distribution, and its really easy to install if its not; it's also very easy to use. The only "disadvantage" is that there's no Windows version. [1] https://www.passwordcard.org/e... [2] http://www.zx2c4.com/projects/...
-
Take away 'what you know' and your pass is secure.So we have passwords because we need to meet the security criteria 'what you know,' because its impossible for the server to know 'what you are' or 'what you have.'
Well, that doesn't mean you can't rely on biometrics or physical keys as passwords... It just means the server doesn't KNOW you're using one of those methods.
The easiest is to visit password card and print off a password card. This is your new PHYSICAL INTERNET KEY!
It generates a string of completely random letters, numbers, and symbols. These are in a grid, so you don't have to remember your whole password - just where your password begins. This defeats the number one security flaw: laziness. Eventually everyone gets lazy. So getting in the habit of *secure laziness,* like using a password card, prevents stupid passwords like 110v3k1tt3ns.
The importance of the password card is in the dictionary. Yeah, yeah, its hard to guess a 4-8 word sentence of random words. But its easy to compile a list of known passwords and use them for all future brute-forces. Every successful brute-force makes *every single subsequent attack* easier. The only way to combat that fact is with truly random passwords using every possible character-set, and never ever using the same password for more than one thing.
Using a password card allows you to have one single 'key' to get into every secure location, without ever re-using a password. Its easy for you, difficult for hackers.
-
Non electrical means
I use a card from http://www.passwordcard.org/
Printed it out, laminated it with tape, and keep it in my wallet which is with me at all times. It's extremely handy and needs no internet access to use.
-
My recommendation: password cards/charts
Earlier this year, I switched to a system akin to the password card or the password chart.
When you do this, there is much less to memorize, and you can create random, secure passwords for anything. I don't need any software to make it work, as everything I need is printed on a business-card size piece of paper which I carry in my wallet. If, for example, I am using a friend's computer to log in to a website, I can whip out my card and have my password right away.
The passwords I use are as secure as anything I could possibly memorize, and are different for each website. They can't be stolen all at once by malware. I can't lose them to a hard drive crash. If the card itself is lost or stolen, it's just a bunch of random symbols unless you know the secret of how it works.
-
Re:And when you get to the end...
http://www.passwordcard.org/en is probably a great idea. Some other poster mentioned this on slashdot already, so don't say I'm stealing his thunder.
-
Generating and remembering passwords
I've become a recent convert to the idea of using a password card or
password chart to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers. -
Yes, yes...
"Omg, what am I going to do about my eight char password I use half across the Internets?"
Well...
One could print out a passwordcard.
Then one might start using passwordmaker, to whatever phone/OS one fancy. By which time one (sh/c)ould check if ones passwords are long enough and while this "one" is at it, have a look at these tricks from an almost "tl;dr-ish" list. Now, apply elbow grease and a bit of go figure. "Problem solved? Moving on?"Oh, who am I kidding? Then all those (fear) mongering polemics would have to starve and we cant have that now can we? *fancifying tinfoilhat*
-
Use passwordcard.org
It's not perfect, but it's easy. You carry a card around (or a mobile phone app) and remember mnemonics like "Smiley Green 16" and "Heart Pink 12" for each site, which amount to x,y,length for looking up your password on the card.
If you lose the card you can regenerate it, but finders have no way of knowing how to look up your password. If you write your mnemonics on a sticky note attached to your monitor, it doesn't matter because no one has your card.
Also the Android app means no card needed. At no point do you give your passwords to any third party.
Not affiliated with the author, just a fan.
-
Re:Baffled
My playground is a 5000-user community at a small university. The students are actually the computer savvy ones, it's faculty and staff that click on phishing scam links and have their weak passwords guessed.
Have you tried this thing?
Seems sound conceptually but I'm sure there's some flaw I'm missing. I thought I might try it because I have so many passwords at work.