C@RD™ Mark II: Credential @ccess Recall Device
Thanks to all early adopters of the original c@rd™ for your suggestions and support! As requested, here it is -- the 'Mark II' version of the original c@rd™!
The C@RD™ mkII is an improved version of the original c@rd™, now on PVC plastic. Unlike the original c@rd™, it's exactly the size of all your other credit and ID cards for in-wallet convenience.
The C@RD™ is keyed to user by serial number, email address or ID -- every single one is absolutely unique. Use it to generate complex, per-site and per-account passwords for all of your online activity.
Order the C@RD™, and you can truly Forget Your Passwords.
(Please read the ORDERING NOTES section at the bottom before checkout)
The C@RD™ was inspired by a few of my loved ones and friends, whose email accounts were hacked not once, but twice, in the space of a few months. Everyone I knew used both simple and predictable passwords, and used the same ones (or minor variations thereof) for every web account.
I thought to myself: there has to be a better way to make more complex and secure passwords that anyone can use.
As a computer professional, I know how hard it is to manage all the passwords in one's daily life. So I thunk and I thunk until my thinker was sore: how can people make better, more secure passwords, and how can they possibly remember all those secure passwords for all their different devices and website accounts? Then I realized the solution: not to remember passwords at all.
The C@RD™ is the simple, no-batteries-required, always in-pocket solution to making hard to guess -- but easy to recall -- passwords, for all your accounts. Unlike smartphone, PC-based or (heaven forbid) cloud-hosted password wallets, carrying a C@RD™ means you always have access to your passwords just by remembering one simple rule. Look up your password using your own private rule, and you'll never have to remember a complicated password again.
Each C@RD™ is absolutely unique and printed on demand, seeded using three quantities: a unique user ID (incrementing serial number, your email address, or other ID unique to you), an 'issue code' (which can be incremented to offer a replacement whilst preserving the same user ID), and a private issuing authority ID. Only the user ID and issue code are printed on the card. All three quantities are used as input to the SHA256 hashing algorithm to create the unique digest which then feeds into a strong pseudo-random number generator (Mersenne Twister). Due to the nature of the SHA256 hash algorithm, there's no danger someone could generate a copy of your C@RD™ knowing just your user ID and issue code, or even by examining the symbols of many other cards -- all three seed quantities must be known in order to generate one.
Artwork for each card is also keyed to the unique seed so each has a distinct look! (Custom artwork may be specified, contact for special arrangements before ordering.)
Even if someone steals your card, they won't know your secret rule. Your passwords gain complexity from being composed of two sources: something you have (the c@rd™ itself), and something you know (your own, personal lookup rule). Easily order a new one with a new issue code to get a whole new set of passwords if your C@RD™ is ever lost, stolen, or considered compromised.
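The seeding scheme and the replacement-by-issue-code behaviour described above, as an added sketch that is not the vendor's own code. The field encoding, symbol set, grid size and sample secret are assumptions made here; Python's `random.Random` is used because it is a Mersenne Twister (MT19937).

```python
import hashlib
import random

# Assumed symbol set and grid size; the page does not specify the card layout.
SYMBOLS = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*+=?"
ROWS, COLS = 8, 12


def card_seed(user_id: str, issue_code: int, authority_secret: bytes) -> int:
    """SHA-256 over the three seed quantities, returned as a 256-bit integer."""
    h = hashlib.sha256()
    fields = (user_id.encode("utf-8"), str(issue_code).encode("ascii"), authority_secret)
    for field in fields:
        # Length-prefix every field (an assumption of this sketch) so that
        # ("alice1", 2) and ("alice", 12) cannot hash to the same seed.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return int.from_bytes(h.digest(), "big")


def generate_card(user_id: str, issue_code: int, authority_secret: bytes) -> list[str]:
    """Deterministically derive the grid of symbols for one card."""
    # Mersenne Twister is not a cryptographic generator; what keeps a card from
    # being regenerated is the secrecy and entropy of authority_secret, which
    # never appears on the card.
    rng = random.Random(card_seed(user_id, issue_code, authority_secret))
    return ["".join(rng.choice(SYMBOLS) for _ in range(COLS)) for _ in range(ROWS)]


def cells_changed(card_a: list[str], card_b: list[str]) -> int:
    """Count grid positions whose symbol differs between two cards."""
    return sum(a != b for row_a, row_b in zip(card_a, card_b) for a, b in zip(row_a, row_b))


# Constructed sample values, not real issuing data.
SAMPLE_SECRET = b"constructed-issuer-secret-for-demo-only"

if __name__ == "__main__":
    original = generate_card("user@example.com", 1, SAMPLE_SECRET)
    replacement = generate_card("user@example.com", 2, SAMPLE_SECRET)
    print("\n".join(original))
    print("cells changed by new issue code:", cells_changed(original, replacement))
```
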
The C@RD™ can be used in other ways, for you to discover, perhaps not so simple... ;) Order two with the same keying and exchange secret messages with your co-conspirators... fun for kids and grown-ups alike ;). (NO, I am not seriously proposing this as secure encryption. Note the word 'fun'. Please don't use it that way for important things. :p)
This product DOES NOT provide 'two-factor authentication' in the formal sense that there is no challenge/response, independent of generated passwords, to prove to systems that you actually possess your C@RD™ at the time of login. That would require a trusted authority to know something about each C@RD™ and actively challenge the user in addition to the password itself, to provide some response proving possession of the item.
It DOES, however, provide a handy mnemonic aid to generate a wide range of complex passwords from two fragments: one being your own unique rule, the other being your unique C@RD™, which when combined yield passwords which are: non-memorable, complex, an adequate minimum length, and different for (nearly) every account you use. These are the fundamentals of good password practice when higher security measures, such as two-factor authentication, are not available.
If your organization requires the higher security of true two-factor authentication, this product is not for you. If, however, you're just looking for a way to get users to stop being lazy about using short, predictable passwords, re-using the same password everywhere within the company (or, using their company passwords outside the company), or forgetting those passwords all the time due to (legitimate) modern password complexity requirements, this is at least a step above just setting policy and praying people don't work around it in all of the common ways. Finally, it gives employees a way to 'help themselves' to recall their passwords and stop asking IT to reset them so often.
It's a way to provide demonstrably better password security than what people will typically come up with on their own. It isn't perfect password security, and is highly dependent on how well one chooses a private rule, but as someone wise once said, the perfect is the enemy of the good.
Think of password hackers as a bear, and your passwords as hikers. You don't have to outrun the bear, you just need to not be the slowest hiker... if your passwords are more complex and diverse than the average, you won't be the most vulnerable if an entire password database is compromised and hackers are attempting to brute-force crack the whole lot. They'll likely stop once they have cracked the easiest ones.
Technically, nothing can save your password if the database stored it improperly... but at least, with the C@RD™, you won't have re-used that password with any of your other accounts, so it's useless elsewhere.
For a slightly more technical discussion, please see this document.
If you choose the "Email address" or "other ID" option, and you're ordering multiple C@RDs, please list the emails or IDs exactly as you want them to appear on each C@RD™ in the Additional Instructions box prior to checkout. (Obviously these can't be pre-generated as with serial numbers, so shipping may take a day or so more.) Thanks!
If you are ordering a replacement due to loss or theft of your C@RD™, please specify in the Additional Instructions your original email, serial # or ID, and mention that you need a new issue number -- that way you'll get a new C@RD™ keyed to the same user, but with a new configuration, so you can re-secure all of your passwords. (See the instruction sheet on the Documentation link to the right for more information.)
§ The C@RD™ is patent pending (CIPO appl #2,895,597).
Canada Post: Combined item Standard Ground Rate
If you're ordering a heavier item like the p@ss, and also want some lighter items like the C@RD, use this rate. Thanks!
I'm an embedded software developer (and no-talent bum musician) who dabbles in hardware from time to time. When not twiddling with MIDI- and audio-related microcontroller projects, I write music and think thoughts, musing about privacy, crypto, online security, space, deep time and other woo-woo.