
Complex, secure passwords made easy

I attended a talk by Aaron Toponce at Ohio Linux Fest on password security.  Everyone knows you shouldn’t use a simple password that is easily guessable, and that you shouldn’t use the same password for every account, but how do you make unique, complex passwords, use each one for only a single account, and still remember them all?  Personally, I’ve been using a password locker (encrypted storage for my passwords) and using Gnome Password Generator to create random strings of gibberish.  But Aaron discovered a better way.

A simple card to use to help you create and remember your passwords.

The solution, PasswordCard, is quite simple and easy to use.  The card has eight rows and twenty-nine columns of random letters and numbers that you can use to create your password.  To create a password simply choose a starting point on the card (maybe the frown face and the #4 for your work email account), remember where you started, and then follow a pattern on the card to create your password.  You can choose any pattern you like (and should probably always use the same pattern for each of your passwords so you won’t forget).  That’s it, you are done.

Let’s try one together to make sure everyone is on the same page.  It’s time to change that work email password.  You’ve got your PasswordCard in your hand (laminated, I’m sure) and we are going to start at the frown face and the #4 (work is a four-letter word, after all).  So the first character of our password is P.  From there we can go in any pattern we want: perhaps just a straight line up, down, or sideways, or maybe a square or a stair-step.  For our example we’ll use a stair-step pattern with five characters on each step, and we’ll go to the left and down: P…F…G…F…Z…v…P…5…N…F…x…b…J…t…d…B…4…B…K…Q

Did you see what I did after the N?  Because I ran out of letters going down, I just started over at the top and kept going.  So now we have a very good password that is complex and long (more characters in your password make it harder for others to break into your account).  Just remember where you started and your pattern and you’ll never forget your password!  Need another password for another account?  No problem, just select a new starting point and use the same pattern that you used before.  It’s that simple.

One thing I should mention is that each card is unique.  If you lose this card you won’t be able to go back to the website and get the same card back unless you have that code at the bottom of the card.  It is very important to write that code somewhere safe so you can get your card back if you happen to lose the original.
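The card-plus-pattern scheme from the worked example above, together with regenerating a lost card from its code, as an added example that is not part of the original post or of the PasswordCard site. The 8x29 card is constructed here from a seed that stands in for the code at the bottom of the card; the generator, the `stair_step` walk and the seed value are all hypothetical, and the walk wraps at the edges the way the example does after the N.

```python
import random
import string

ROWS, COLS = 8, 29                    # card dimensions given in the article
ALPHABET = string.ascii_letters + string.digits


def make_card(seed):
    """Expand a seed into an 8x29 grid of random characters.
    The seed stands in for the code printed at the bottom of a real card: the
    same seed always regenerates the same card. Constructed scheme; the real
    site's generator is not described in the article."""
    rng = random.Random(seed)         # deterministic PRNG so the card is reproducible
    return [[rng.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def stair_step(start, run, legs, vertical=1, horizontal=-1):
    """Cells visited by a stair-step walk of `legs` legs with `run` cells each.
    Legs alternate vertical (vertical=+1 is down) and horizontal (horizontal=-1
    is left). Indices wrap at the card edges: the 'start over at the top'
    behaviour the article describes."""
    r, c = start
    path = []
    for leg in range(legs):
        dr, dc = (vertical, 0) if leg % 2 == 0 else (0, horizontal)
        for _ in range(run):
            if path:                  # the first cell of the walk is the start itself
                r, c = (r + dr) % ROWS, (c + dc) % COLS
            path.append((r, c))
    return path


def read_password(card, path):
    """Concatenate the characters at the visited cells into the password."""
    return "".join(card[r][c] for r, c in path)


def demo():
    seed = 20110929                   # constructed value; a real card's code is secret
    card = make_card(seed)
    # Four legs of five characters, left and down: a 20-character walk like the article's.
    path = stair_step(start=(3, 21), run=5, legs=4)
    password = read_password(card, path)
    # Losing the card is recoverable as long as the code survives.
    assert read_password(make_card(seed), path) == password
    # Same pattern, different starting point: a different password for another account.
    other = read_password(card, stair_step(start=(0, 5), run=5, legs=4))
    return password, other
```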

Too cool for a piece of paper?  Not a problem!  There is also an Android application and one for your iPhone as well that will allow you to take your password card with you everywhere.

So, there you go!  No more excuses for not having secure passwords and remembering them, too!  And unless you divulge your starting point for each of your passwords and the pattern used to create the password no one will be able to obtain your passwords simply by looking at your card.

Creative Commons License
Sparks’ Linux Journal by Eric “Sparks” Christensen is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at https://sparkslinux.wordpress.com/license/.

  1. 2011-09-29 at 12:11 EST

    This is an interesting idea, but it becomes problematic if you don’t have your card handy. Wouldn’t longer but more memorable passwords (e.g. Steve Gibson’s “Password Haystack”[0] or the XKCD method[1]) be better?

    [0] http://www.grc.com/haystack.htm
    [1] http://xkcd.com/936/

    • 2011-09-29 at 14:01 EST

      Yes, not having the card with you can be problematic (so keep the card and/or smart device with you!). Using passphrases would be a much better option but remembering numerous passphrases can also become problematic.

  2. 2011-09-30 at 03:24 EST

    Try as I might, I can’t see any way in which this is better than just using a proper password manager. I use Revelation on my PCs and Password Safe on my N900; you can export from Revelation format to Password Safe format in one step, so it’s very easy to keep things synced.

    The password manager can generate passwords for you, it stores them all encrypted, you can copy/paste passwords into applications (no need to type them), and there’s no need to remember 500 starting points (yes, I have about 500 passwords in my database).

    • 2011-09-30 at 23:20 EST

      I would agree that using a password manager is awesome and I, too, use one. The only weakness I can think of, off hand, is the possibility of a security vulnerability in the password manager that allows someone access to your data contained within. The paper card would not have such a weakness. Of course trying to remember 500 starting points on the card might be a bit difficult.

  3. 2011-10-02 at 13:57 EST

    “The only weakness I can think of, off hand, is the possibility of a security vulnerability in the password manager that allows someone access to your data contained within.”

    Password managers tend to use pretty well known strong encryption mechanisms, for obvious reasons. Even if there were such a vuln, which seems unlikely, the attacker would need some kind of access to the password database. I don’t use online password databases, because that just seems silly; ‘traditional’ ones like Revelation just use a regular file. It’s quite unlikely an attacker could even gain access to the file, it’s not like you’re putting it on a publicly accessible server. They’d have to compromise your system to gain access to it. Sure, this happens, but the chances are fairly slim; and remember, you’d need the combination of an attacker hacking your system *and* some kind of vulnerability in the encryption of the file.
