

PasswordCard - ihodes
http://www.passwordcard.org/

======
1331
This site reminds me of another site that has been online a lot longer:
<http://www.passwordchart.com/>

Instead of having to store a number to regenerate your card, the card is
(re)generated from a "master" password that you can memorize and never write
down. You do not even need to print out your card, as you can generate your
card online at any time.

I have a friend who uses this service; he has a complicated "master" password
and simply uses the site domain ("news.ycombinator.com" for example) for the
second field in order to generate the password to use on each site (HN).

For those who have personal policies of regularly changing passwords, just
regularly change your "master" password and be sure to update your passwords
on all affected sites (keeping your second field the same).

~~~
dugmartin
Thanks for the mention. It's always fun hearing people use passwordchart - I
built it in a day in 2006 after reading a story on Slashdot that gave me the
idea.

------
swombat
This is a stupid password scheme. You still need to remember some weird piece
of information (a symbol and colour? wtf?), and if you put that as the
password hint for your websites, they will be able to figure out your password
if they have the card.

And it can be brute-forced too.

Just use something like 1Password or LastPass.

------
tensor
A thief could still very easily brute force your password if you actually
follow the instructions on the card. I suppose you could get creative with how
you interpret the card.

Security is tricky.

~~~
d0m
Maybe, but agree that if a thief finds this "weird" card by taking your
wallet, the chance that he finds out what it means.. and actually finds a way
to brute force it is really low.

Compare that to a plain paper with a password written on it!

But yes.. security is all about trade-offs.

------
jessor
The problem I see is: it's still a bit complicated (i.e. too complicated for
the "usual" folks). I see a lot of the security stuff failing for most people
because it's just not easy enough.

In this sense, Lastpass (passwords stored online) or Roboform (passwords
stored locally) is imho better in that it makes it easy to use secure,
one-time passwords for each website.

~~~
brfox
SuperGenPass is a bookmarklet which seems really nice - it has a different
password for each website and 1 password that you use to create the different
passwords.

------
nt
I use password composer
(<http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/>)
which does an md5 hash of the url and the master password of your choosing to
generate a unique password for each website. The extensions for chrome and
firefox make it very convenient to use.
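
The derivation described in the comment above, as an added example that is not part of the original thread and not Password Composer's own code. The `:` separator, the 8-character truncation, the output alphabet and the PBKDF2 variant with its iteration count are assumptions chosen for illustration; the second function shows the same idea with a deliberately slow key-derivation function.

```python
import hashlib
import string

# Assumed output character set for the KDF variant (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def normalise(domain: str) -> str:
    # The same site must always produce the same input: trim and lowercase.
    return domain.strip().lower()


def md5_site_password(master: str, domain: str, length: int = 8) -> str:
    """One MD5 over master and domain (separator and truncation are assumptions).

    8 hex characters carry only 32 bits, and checking a guessed master
    password costs a single MD5 call.
    """
    data = f"{master}:{normalise(domain)}".encode("utf-8")
    return hashlib.md5(data).hexdigest()[:length]


def kdf_site_password(master: str, domain: str, length: int = 16,
                      iterations: int = 600_000) -> str:
    """Same scheme with PBKDF2-HMAC-SHA256, using the domain as the salt.

    Every guess at the master password now costs `iterations` HMAC rounds.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              normalise(domain).encode("utf-8"),
                              iterations, dklen=32)
    # Re-encode the 256-bit key as digits in base len(ALPHABET).
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for site in ("news.ycombinator.com", "example.org"):
        print(site, md5_site_password(master, site),
              kdf_site_password(master, site))
```

Both functions are deterministic, so nothing has to be stored; the difference is the work needed to test one candidate master password against a leaked site password.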

~~~
pasbesoin
If one chases down some of the links on that page, one gets to a number of
interesting/useful resources.

Thanks for the link. I'd run across some of those some years ago but since
lost the references.

------
jackowayed
My personal password scheme is to string together a few random things. 2 or
more random things I happen to be thinking about that day (often abbreviated
weirdly to prevent having actual words in my password) with random special
characters between them and/or at the beginning or end.

This may not be as secure as a random SHA1, but it's so random (and usually
pretty long) that I think it's pretty solid.

One bad thing is that I have taken to having one password for all of my
"really don't care about this" websites. Only for stuff where if it were
compromised, I really wouldn't care (though I might care a little), but it's
still not a great practice, and that password is weaker than my other ones.

~~~
dedward
You think it's pretty solid - but it may not be. Computers are fast these days
- passwords even loosely based on real words and common substitutions can be
brute-forced - so not saying your system is bad (it's probably what most of us
do, more or less) - but this passwordcard idea seems equally valid - you are
still free to use it however you want, and without physically obtaining it,
someone would have no idea where to start. If they did physically obtain it -
they'd still have to know how you used it (which is up to you) - and that's
assuming you didn't add some other out of band information (which you are free
to do).

------
foxtrot
I started doing this a while ago. I have some keys to access a building which
needs a security code to disable the alarm, so I wouldn't forget it I wrote it
on the key tag mixed in with a series of other numbers.

Alternatively I use KeePass to store all my passwords and for the master
password I combined all the passwords I've used over the years, so it's about 15
characters long and easy to remember.

~~~
sami_b
Same here. I save it on my dropbox account, just in case I needed access to my
password when I am away from my computer.

~~~
Gormo
Same. The KeePass iPhone app is very convenient when used in conjunction with
the Dropbox public folder.

However, I will occasionally need to set a new temporary password for an
online account when I do not have r/w access to my KeePass file. In this case,
I tend to use the same simple password until I have the opportunity to change
it, so the Password Card / Chart can still come in handy.

~~~
slantyyz
1Password works well also.

------
terra_t
I don't like how (i) the card is pseudo-randomly generated and (ii) the people
at passwordcard.org potentially have access to the key used to generate it --
it certainly would cut down on the size of the password space that ~they~
would need to search to steal your password; or the space that someone who
steals data from them would need to search.

------
d0m
This would be kind of annoying to pick that card every time I want to enter a
password.. no?

I Like To Take The First Word Of Easy To Remember Sentences. (iltttfwoetrs)
and put some random i->1 and a->@ and o->0.

This way, it's fairly secure and easy to remember.

~~~
smackfu
See, that method never worked for me. How many easy to remember sentences are
there where I know every word exactly?

~~~
d0m
Well, you can choose sentences that are easier to remember.. It helps if that
sentence is related to the website in question.. so for instance.. "I Like To
Visit Hacker News" -> iltvhn.. I kind of type the password while saying the
sentence in my head. However, as I said, I usually change i for 1, and a for
@.. 1ltvhn. :p (Don't try this pass on my account please!)

------
talsraviv
Of course, like the site says, a chain is as strong as its weakest link, so
saving passwords in chrome/firefox or using the same one for all of them, or
being victim to a phishing attack are all still just as vulnerable as they
were before.

------
noidi
Just install the PwdHash Firefox add-on, and keep using the same password
everywhere (just prefix it with F2) <https://www.pwdhash.com/>

------
patrickS
Well I am good with Sticky Password. Use it, everything is automatic, I am all
set.

------
younata
or... you just use something like firefox's master password.

you can use as many passwords as you can think of, but only have to remember 1
of them.

~~~
Rhapso
But what happens when you have to use somebody else's computer? How are you
going to log into your super secure email using a stolen cellphone to warn the
president about the terrorists, if you have to run back home, log into firefox
then get the password?

While that scenario might not be realistic, for this type of thing, you have
to plan for worst case scenario of needing to access your services now, without
extra tools. Memorizing the password will always be the best, and if you are
in a situation where your accounts need passwords so difficult you cannot
remember them, then you likely will also need to connect to those services at
a moment's notice. Start with a simpler password and work your way up in length
and complexity over time, your memory can get longer with practice!

~~~
epochwolf
I have a workable but annoying solution to this. I have a master email account
for every website I'm signed up on. I have the password for that email account
memorized and that password isn't saved on my computer. If I need access to
photobucket when I'm away from my computer (and 1Password) I can reset my
photobucket password to a memorized password. Then when I can get access to
1Password, I can log in and change it back.

