sh(/J3HqAfQsu..u.rqf

  . = A
  u = M
  r = Z
  q = O
  f = N

  AfQsu.

  _N__MA

  grep '^[^amzon]n[^amzon][^amzon]ma$' < /usr/share/dict/american-english

  A = E
  Q = G
  s = I

Edit: I agree with the replies that this is an unlikely attack considering how passwords are typically compromised. And it's probably better than how most people choose passwords. But the website claims that this generates "very strong passwords," which is nonsense.

On the other hand, nearly every attack against passwords is non-targeted, software trolling for matches with word lists and such. A user of qwertycard is paradoxically safe, especially as single password (from for instance hacked database) does not contain telltales of being generated by substitution cipher.

In order to be in danger someone would have to either do some mathematical analysis, someone should have already tools looking for substitution ciphers, or someone should set up some application (scripts, whatever) to look for substition ciphers and break them.

Now the crucial part: No one bothers. Typically almost 9/10 of the targets use the same "catdog123" password on every site. They will be used because it is less work.

Unless you are in a risk of targeted attacks, these cards actually can improve your overall security, even despite the flaw in logic. (Which could be mitigated by the way, there are several ways to that.) In other words, non-geeks can benefit from this. My mom could.

Yes, because we've basically realized that memorizing passwords isn't a workable solution. We should be recommending password managers that generate/store strong passwords and MFA for any account that needs to be secure. That these password generators themselves can now be unlocked using both memorized information and biometrics (TouchID and such) makes them all the more secure.

Moreover, this is the only solution that's capable of dealing with all the asinine password requirements that get imposed on users...solutions like this card fail hard when the password requirements prohibit certain characters and/or other characteristics of these passwords (repeated characters, length, etc.) Until the world gets together and standardizes what constitutes a secure password, memorized passwords will always be a flawed solution.

passwords are a flawed solution

They have been through history and way before the industrialized world, not only that but what was considered secure yesterday may be compromised today or tomorrow. This is not going away any time soon and you have to design security taking this into account.

Another problem with password, it's that those web services we use password for collect way too much sensitive information that they should not be given in the first place.

seems like solutions like that are a bit easier than typing in a bunch of keys you are looking up on a card and really solve the issue of web-based attacks.... it really only leaves you vulnerable to people who have physical access to the USB device, and even then i can imagine simple ways to make even that a hassle (have another password layer as master sign-in? would be enough to deter most of your acquaintances from being able to use your device)

The combination of a password (using a password manager) and a U2F key is more secure (Yubico also has U2F keys). U2F keys avoid phishing and most MITM attacks by generating a unique keypair per origin. Since a phishing site or MITM does not have the same origin, they cannot successfully complete a challenge-response with the key.

Also, AFAIR, Yubikey OTP requires the use of a Yubikey server which knows the shared secret, which may be problematic.

Correct analysis,

> recommend password managers

No! Passwords should never be considered as secure material, period. Centralizing in a password manager centralizes the burden. There are half a dozen other workable solutions, among which authentication by email (What else is the reset-by-email link?), Mozilla Persona and all kinds of asymetric keys.

So does using a single email account for everything.

When password databases are leaked, there have been instances of people / groups who take passwords from those leaked databases and try to log in on other sites (for example, to steal money or data, defraud customers, or to plant back-doors to allow future criminal activity).

Suppose that after this becomes popular, there are leaks of at least two plain text databases from popular websites (not that unlikely, unfortunately). These websites might be relatively low value - someone might get permission to comment as someone else, our change their preferences on the site, or something like that, if they had their password. Suppose some people believed this card was safe, and so put a password generated by this card into two of these low-value sites that don't put too much effort into security (since they don't even bother hashing their passwords with bcrypt / scrypt or the like), and also into a high-value site (bank, domain name registrar, GitHub account that hosts puppet scripts, important e-mail account).

Using the two low-value site password databases, I could easily automatically identify likely candidates for these types of passwords that are common between the two databases - they both start with the same 8 'spacebar' characters. I could have a set of likely endings prior to the substitution cipher for the passwords in each database, and this would allow me to use something like the E/M algorithm to work out a distribution of most likely partial substitution cipher table, common word, and space bar values, which I could then combine with likely 'identifier' plaintexts to prioritise the order in which I send passwords to use against the secure site.

All of this would likely be completely automated - and if a significant number of people are using these cards, for certain types of criminal enterprise there is a good chance that it would be cost effective.

All in all, people using this card are taking a very real security risk that is completely unnecessary when there are other better alternatives (like using a password manager, and generating a completely different secure random password for each site). Encrypting the database with a strong password and an expensive key derivation function also complicates other types of attacks (for example, someone secretly going into your wallet and photographing the card) - obviously, they could try to install a keylogger on your phone or computer with the password database, as well as copy your password database, but that probably takes longer and carries more risk of getting caught than photographing a card.

Then again there are different kinds of attack on passwords, among those is the dedicated targeted attack and those will be happy to exploit the false sense of security you get from a qwerty card.

Now if you want a practical alternative for choosing passwords you can remember: https://www.schneier.com/blog/archives/2014/03/choosing_secu...

Lastly using the same password for everything is wrong, but reusing a password for services that do not require a high level of security is acceptable such as posting comment on weblogs. bugmenot being a popular choice reminding of a time when their website was actually useful.

[1]https://www.passwordcard.org/

This wouldn't provide cipher encoding, but someone already mentioned https://www.passwordcard.org/, and as you said, this is for the rest of us.

   sh(/J3HqAfQsu.?u.??

OTOH this is only relevant for targeted attacks where the attacker has one password. This still protects you pretty well from bulk attacks (so long as the card is not widely used) and is miles better than re-used or poor passwords at little usability cost.

  sh(/J3HqAfQsu.Qu.s?

Edit: I see "Combine with another compromised password, and we're coming dangerously close to being able to generate a password for any arbitrary website.", which means that if an attacker could obtain a couple of these passwords, they could determine (a lot of) your qwertycard and gain access to more of your accounts.

However, by the time an attacker has any of your passwords, I'm not sure that reverse engineering your qwertycard is an issue. As others put better than I, this would also mean that in addition to obtaining one or more plaintext passwords, the attacker would have to be targeting you specifically and know how you generated the passwords.

Alice is a system administrator of xyz.com. She has access to the password that Bob uses on xyz.com. By reverse engineering Bob's password on xyz.com, Alice can then attack Bob's account on pqr.com.

I think the Gawker leak alone is enough of a precedent to ensure that this can never be assumed.

That's a bold assumption.

Still, completely agree with this:

> I agree with the replies that this is an unlikely attack considering how passwords are typically compromised

It's always going to be a trade-off. Ultimately any scheme that gets people to use better passwords, even if flawed, must still be an improvement over the alternative of post-it notes and birthdays... there's no such thing as perfect security, as we keep being told.

[1] www.supergenpass.com

I don't know what you mean by "variable" "character associations," but note that my analysis doesn't depend on the space bar code at all, except assuming that it's the first eight characters, which the site's FAQ guarantees. Otherwise my analysis completely ignores it.

> You are also assuming that everyone will use the full name of the site, e.g., AMAZON, and not simply AZ or AMZN or AMA. For example, I may use YC or YCOMB or YCOMBINATOR for this site, which would also increase the combination exponent..

True, but there are only a handful of logical choices for any given site.

In any case, this is just haggling - the point is that attacks like this shouldn't be possible at all for something claiming to generate "very strong passwords."

A one time pad requires a key as long as all the messages you want to encode since each key bit is only used once.

[0] https://www.passwordcard.org/en

I think I'd like PasswordCard because it's pretty freeform - just pick a starting point and a visual direction/pattern and copy letters from the card. But honestly I don't much like the idea of relying on a physical token if I don't need to. Almost losing my 2FA last year was a bit scary.

Qwertycard on the contrary exposes their recommended scheme publicly which make losing the card a much higher risk of compromising your password.

As for remembering which sites have what restrictions, I can keep that stuff in my head (looking at you Microsoft), but I guess you may have more accounts than me. Then again, when a password fails, then all you'd have to do is retry with a safer version (and maybe only have two password kinds, for convenience - full-blown char support, and minimalistic lowercase-letters only, so you'd only have to retry a single time after the first failed login).

Personally, my biggest problem with this card is that it doesn't provide enough value.

And after three or five failed login attempts you get locked out and have to call the bank for a password reset, and throw away the damn card in frustration.

> (and maybe only have two password kinds, for convenience - full-blown char support, and minimalistic lowercase-letters only, so you'd only have to retry a single time after the first failed login).

If you're authenticating with more than HN and Reddit, you'll encounter much more than two mutually exclusive password policies.

Yeah, qwerty card are badly thought out, they know of the shortcomings and they don't care much as they're in this business for the money.

Then you've got to remember -- are you now on amazon3 or amazon4 or gmail4 or gmail5? And then it defeats the whole purpose of the card.

For example, some of the websites I use require passwords to contain at least one capital letter, or a digit, or a punctuation mark (e.g. ! ? #, etc.). But other Website do not allow punctuation marks or digits.

Some require a password of a minimum length, but a dwindling few can only accept fairly short maximum length password.

This is particularly maddening because there are plenty of ways to accept arbitrary passphrases from users.

https://www.ssllabs.com/ssltest/analyze.html?d=qwertycards.c...

I have used a similar variation in the past, in my case the character substitution came from changing the keymap of the keyboard.

for example 'correct' typed in qwerty over a dvorak keymap became 'krpp>ky'

http://www.passwordcard.org/en

Who is selling me this card, and with my name, address and (optional) email address, how long will it take him to crack every one of my accounts, considering that he has the key?

That said, there's a certain amount of security through obscurity I guess.

Still, for any of the sites I really care about I use two factor authentication. I'd take a mediocre password and 2FA over a strong password (But happy to be proved wrong ;)

For example, if my master key was 1234, and my password was 'baNana3', it would write down 'ayKwmy0'. When I look up the password, I shift the letters forward as I type them:

a + 1 = b

y + 2 = a (wrap around the end of the alphabet)

K + 3 = N

w + 4 = a

m + 1 = n

y + 2 = a

0 + 3 = 3

It's not too hard to advance 9 or fewer letters in the alphabet as you type.

I think i'm safe. Am I?

If someone willing to put in the effort to do some cryptanalysis obtains a copy of your book, then no, you are most likely not safe. Firstly, the Vigenere cipher is extremely vulnerable to a known plaintext attack on the key - if the person who obtained your book knows your password to just one site (for example, because it was lost in a compromise and published on the Internet), they can work out your master key and then get all your other passwords. Even if they don't know any passwords, if you use passwords that are not made up of equiprobably randomly selected characters (and especially if they are dictionary words), the attacker will usually be able to use that bias to work out the master key. For example, the attacker might cycle through all words in the dictionary to obtain the key that decrypts aykwmy to the word, and try the master key they obtain on other entries in your book until they find one that yields a lot of other dictionary words.

If I need to log in sometime in the future, I simply reset the password.

This seems an amusing and useful idea to making passwords - it's usability seems longer lived than my previous (personal) attempts (md5 hashing passwords and domain names).

In the end I need a trustable approach to storing encrypted data on my iphone - I suspect i have missed one. Any ideas?

Every card ships with a letter showing the only unique copy of the card.

"If I'm logging into Amazon I'll find the intersection of column M and row A (the second and third letters of Amazon) and then read off diagonally 16 characters."

This would let me keep a much more secure password for both.

https://github.com/resonantcore/lib/blob/master/demo/dicewar...

Run this locally, e.g.

    dw = new Diceware();
    dw.load("https://raw.githubusercontent.com/resonantcore/lib/master/js/diceware/diceware.wordlist.asc", function() {
        console.log("Diceware loaded!");
    });

    console.log(dw.getWords(8).join(' '));

    shuf -n 5 /usr/share/dict/words

Edit: I see that shuf permits the use of custom seeds, so you can do the following, and it will be secure:

    shuf -n 5 --random-source=/dev/urandom /usr/share/dict/words

  python -c 'import random;w=open("/usr/share/dict/words").readlines();print " ".join([random.choice(w).strip() for _ in range(5)])'

    shuf -n 4 /usr/share/dict/words | xargs | sed 's/ //g'

    echo `shuf -n 5 /usr/share/dict/words`

    randword()
    {
      if [ -z $1 ]; then
        echo `shuf --random-source=/dev/urandom -n 5 /usr/share/dict/words`
      else
        echo `shuf --random-source=/dev/urandom -n $1 /usr/share/dict/words`
      fi
    }

    kobra@stormforge blah $ randword 4
    crackpots fragmentation maximally Bradly's
    kobra@stormforge blah $ randword 6
    turnover's nonproliferation's bestowal's sulkier hillbilly Narmada
    kobra@stormforge blah $ randword
    Marciano fibulas roadwork mobilizations organics
    kobra@stormforge blah $ randword
    coins bronzed housemother's forefather supposing

Bruce Schneier blogged about this last year: https://www.schneier.com/blog/archives/2014/03/choosing_secu...

The Shannon entropy of the impossible to remember example password is 3.68418, which is not much better than the xkcd "easy for a human to remember" password 3.36386

EDIT: Just changed alot of things so if you viewed this in the last couple of minutes... take another look!

Or you could use something like (one of my side projects): https://www.wordentropy.org

Until you lose your wallet.

Much like lastpass and other password management software, you're putting all your eggs in one basket, and having faith it won't fail.

Passwords are a shitty idea people. We need a better system.

That's not "shitty", that's the way it's supposed to work. A better system, to be of any value, would fall prey to the same 'weakness'. Even biometrics can change over time.

In the world of security you simple cannot assume honesty and build security on top of this assumption.

Boom, backup.