A friend of mine sent me a link to a gimmicky password system called a Qwertycard and asked me what I thought about it. I told him, in 100 words or less, that I thought they were in fact a bad idea. For those that won’t click the link, a Qwertycard is a plastic card you keep in your wallet (or purse for that matter) that provides a system for creating “strong passwords”. I think the people behind the Qwertycard have good intentions, but I think the product overall should be avoided because of the risks of using Qwertycard password system.
In brief, the Qwertycard works by creating a three part password system that produces a unique complex password for each website or application you use it for. The card resembles a keyboard with each letter key containing two characters (this is a simple monoalphabetic substitution cipher wherein each letter of the keyboard has a corresponding character assigned to it) and the space bar containing a string of random characters. The system works by building passwords starting with the random string of characters in the space bar, appending some “secret” word or characters, and then appending the URL of the website encoded with the corresponding substitution cipher values from the keyboard. The result is a complex password that uses letters, numbers, and special characters that you’ll never remember and won’t be able to reproduce without the card.
I will be admit that if you use their system you will undoubtedly create strong passwords; a healthy mix of upper and lower case letters, punctuation, and numbers in a long-enough string to pose a reasonable challenge to most password crackers. My beef with Qwertycards is not that the product won’t work as advertised. My beef with Qwertycards is twofold; the system is so complex that it can’t be committed to memory, and if the card is ever lost, stolen or compromised an attacker will have two of the three parts of your password system in their possession. If the attacker knows who the card belongs to, it increases the likelihood that they can guess or deduce the “secret” rendering every password the owner has created with the Qwertycard compromised.
The Qwertycard system relies on true randomness. This is where I start to become skeptical. Qwertycards advertises that each card is unique, created with a random number generator, printed, and then the information deleted. How can they guarantee the cards are truly all unique if they don’t have records of the previous cards created? This true randomness, or entropy, is great for securing your bank account but doesn’t work well in a human brain which makes the system extremely difficult (read impossible) to memorize. If the user can’t memorize the system they MUST produce the card from its hiding place each time they want to use it. This not only exposes the card and the contents therein to anyone in the vicinity but also increases the risk of losing or leaving the card and exposing the system and all of your passwords.
For those security-minded but nonetheless uninformed cyber wizards that type in their credit card numbers to order on of these cards my next concern is the risk you accept by using this system and keeping it on your person. If the card becomes compromised or lost, your three-part secure password system now relies solely on your “secret” because the attacker now has the first and third parts of your system. They know that your passwords start with the spacebar content, and end with the substitution cipher encoded URL of the website.
Let’s be honest about the “secret” most people are going to select for this system, it will be a simple dictionary word or a predictable set of characters (birthdate, spouse’s name, pet’s name, or something trite and easily crackable). It is almost guaranteed that the user’s secret will be a simple and easily guessable word because it will be bookended by a bunch of random characters and human instinct will kick in guiding them to pick something easy to remember. This system plays a psychological trick on the consumer, allowing them to choose a simple secret because the entropy of the other parts of the system are “good enough”. So an attacker with your card in hand has now reduced the amount of entropy from very high to very low.
There are ways to alter the use of the card to reduce the risk, but I maintain that the system is too difficult to commit to memory and therefore should be avoided. As an example, the user could use the substitution cipher but instead of using the mapping on the card, they could substitute for the letter to the left or right. They could also choose a complex secret to add entropy and length. But even with these alterations, the user will undoubtedly still have ti produce the card each time they need to enter a password and this is just unacceptable.
Look, I am all for using a password system or passphrase, but it needs to be something that can live entirely in your brain. Your password system should never be written down because if you need to, it’s too complicated. I will follow this post with another about choosing an effective password system or passphrase. For now, save your hard earned shekels and skip the Qwertycard because in my opinion it’s not worth the risk.