Qwerty Card: A lo-tech solution to managing hi-tech passwords

The way to have safe and easy passwords is to have a management method that makes generating and remembering passwords as easy as possible

privacy policy 510733 1920
sacco / Pixabay

Yesterday I wrote about a study that revealed how real users think and act when it comes to passwords and one of the biggest challenges for them was dealing with so many passwords; a problem that led to them using weak passwords and often re-using them to save effort. But there are systems that can make generating and remembering passwords much easier ...

For a few years I’ve used a password system that’s been really successful; the only problem I’ve had has been when entering the passwords but that’s really just because I’m not a very good typist. My system is based on a simple formula and, nope, I can’t tell you what it is exactly but let me give you a similar method:

  1. Take the first letter of the site’s name in lower case ("" gives “g”)
  2. add the last two digits of, say, your birth year, reverse them ("1963" – not my birth year, alas - becomes "63" which gives “36”)
  3. Add a “+”
  4. Add the next four letters of the site’s name in upper case ("" gives “MAIL”)
  5. Add a “-“
  6. Add the last four digits of your phone number backwards ("888-555-1234" gives “4321”)
  7. Voila! Your password for would be “g36+MAIL-4321”. And for it would be “n36+ETWO-4321”.

According to the strength of these passwords (measured by their information “entropy”) is 85.2 bits and it would take a supercomputer up to 14 years to guess the password while a PC/GPU setup might have to run for 283,717 years to guess it. Not bad at all. Also see Gibson Research’s Password Space Search Calculator which figures that the count of all possible passwords with this alphabet size and up to this password's length is:


… and the site figures the time required for a desktop machine to exhaustively search this password's space, assuming one thousand guesses per second, would be 16.50 trillion centuries while at a supercomputer speed of one hundred trillion guesses per second it would still take up to 1.65 hundred centuries.

And these kinds of formulae are easy to construct and easy to remember.

xkcd 936 password strength xkcd

But what if you’re really lazy or, as many people are, really not very good at these kind of mental gymnastics? You might prefer this tool, the Qwerty Card from Qwertycards ($4.99 with international delivery included):

card front back Qwertycards

These are simple plastic cards laid out like a Qwerty keyboard and each one has a unique code; in the above picture it’s “sh(/J3Hq” to which you add your own secret password, for example, “catfish”. You then append the encoded version of the site’s name using the character map on the card, for example, “Amazon” becomes “.u.rqf” which is added to the previous strings to generate the complete password. So, from our examples, your final password would be “sh(/J3Hqcatfish.u.rqf” which, according to How Secure is My Password could take a desktop PC about 3 septillion years to crack.

While the Qwerty Card might seem to involve a lot of effort in managing passwords it’s really a minimal amount of pain compared to actually remembering scores of passwords and next to no work compared to trying to clean up after your accounts have been breached.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10