Playing Card Passwords: Safe Passwords for Forgetful People

An effective way to create great passwords with a built-in failsafe, detailed step-by-step.

Recently, I devised (at least independently) a method for password creation that is safe (effective), has steps to easily add extra layers of protection, and is usable by basically anyone, forgetful or not.

Sorry, p@ssw0rD is not “safe” and neither are Post-it notes.

Unfortunately many people still use passwords made from real words, and use the same passwords for everything. Not good, right? I think most people instinctively know this, but doing something about it seems too troublesome.

Complicated passwords are difficult to remember, so if you do create one, you create one… and use it for everything. Not good; if it’s compromised, you can lose everything.

Here’s a simple, robust solution: a pack of playing cards.

Your standard 52-card deck will give you four random passwords, at least 13 characters in length. Here’s how to set it up, and why I think it’s effective. At the end, I’ll list out methods to make passwords that are even harder to crack, and ways to make easier-to-remember passwords for sites and services where you need to frequently input them manually.

1. Separate the pack into each suit.

Diamonds, separated.

Ace through King gives you 13 cards per suit. Designate (at least) one picture card or the Ace to be a “lower case” card. If you aren’t sure you’ll remember this, just use a Sharpie and mark the card. (Websites and services usually require at least one uppercase and lowercase letter, as well as a number, so this step meets that requirement.)

2. Shuffle each suit thoroughly and separately.

This random order is one of “13!” (13×12×11×10…). Thirteen factorial alone gives you 6,227,020,800 possible configurations, but there are actually many more password possibilities per suit because you’ve assigned one (or more) of the letters on the face cards (or the Ace) to be lowercase, and the Ace and Ten can be expressed as A, a, or 1, and T, t, or 10.

After a thorough mixing, here’s what I got.

My sample shuffle gave me: 9-2-K-10-8-3-5-A-7-Q-4-6-J

Assigning the King as lowercase, I get 92k10835A7Q46J. A pretty decent password!

Repeated in clubs, I get 10-7-Q-A-9-6-K-J-4-3-8-2-5

For this example, I can substitute the Ten with “T,” the Ace with “1,” and make the Jack the lowercase card. T7Q196Kj43825

Repeat twice more and you have four very good (practically) unpredictable passwords.
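The procedure above as a short Python sketch (an added example, not the author's code): it re-encodes the post's two sample shuffles with the stated rules and, generalizing to any number of cards, computes log2(n!) bits for a random ordering. The function names, the `secrets`-based shuffle standing in for a hand shuffle, and the choice to count only the card order (as if the encoding rules were known) are assumptions of this example.

```python
import math
import secrets

RANKS = ["A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K"]

def shuffle_suit(ranks=RANKS):
    """Fisher-Yates shuffle driven by the OS CSPRNG (stand-in for a hand shuffle)."""
    cards = list(ranks)
    for i in range(len(cards) - 1, 0, -1):
        j = secrets.randbelow(i + 1)  # uniform index in 0..i
        cards[i], cards[j] = cards[j], cards[i]
    return cards

def encode(cards, lowercase=(), substitutions=None):
    """Turn an ordered list of cards into a password string.

    lowercase: ranks typed in lowercase (the "marked" card).
    substitutions: optional rank -> string overrides, e.g. {"10": "T"}.
    """
    substitutions = substitutions or {}
    out = []
    for card in cards:
        text = substitutions.get(card, card)
        out.append(text.lower() if card in lowercase else text)
    return "".join(out)

def ordering_bits(n_cards):
    """Bits of entropy in a uniformly random ordering of n distinct cards.

    Assumption: only the order is counted, i.e. the lowercase card and any
    substitutions are treated as known rather than secret.
    """
    return math.log2(math.factorial(n_cards))

# The post's two sample shuffles, copied from the text.
DIAMONDS = "9-2-K-10-8-3-5-A-7-Q-4-6-J".split("-")
CLUBS = "10-7-Q-A-9-6-K-J-4-3-8-2-5".split("-")

if __name__ == "__main__":
    print(encode(DIAMONDS, lowercase={"K"}))
    print(encode(CLUBS, lowercase={"J"}, substitutions={"10": "T", "A": "1"}))
    print(encode(shuffle_suit(), lowercase={"K"}))  # a fresh random suit
    for n in (8, 13, 14):
        print(n, "cards:", math.factorial(n), "orderings,",
              round(ordering_bits(n), 1), "bits")
```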

Storage and retrieval are simple.

Cards go back into the box in your new suit-separated, shuffled order, to be stored in a very secure place. A locked safe, or some out-of-reach place where you store valuables like jewelry, cash or important documents. Some place the pack isn’t likely to be opened and shuffled. No one will suspect that the deck of cards is actually your password set — unless everyone starts doing this. And let’s face it, they won’t. (But I hope they will, and if that happens, I’ll share my method for refortifying your password pack.)

Your computer (or phone) likely stores a lot of these passwords for you, so you won’t have to recall and type them out often. If you ever need to manually type them again, just go back to the pack; spread out the cards and like magic, there are your secure passwords!

Important note: It’s not important that the shuffles appear random, only that they actually are.

Actual randomness (or an event near enough that it makes no difference) doesn’t really look the way most of us intuitively think it should. It often ends with what looks to us like patterns. For example, cards may end up regrouping with two or three cards forming a pattern, like “23” or “765.” You can rearrange it if you want, but it’s not necessary for the password to be “randomized.”

Want a trickier password?

In my first sample, I created: 92k10835A7Q46J

But that could easily be 9dKt835a7Q46j or ndK1083fA7q46J with intuitive substitutions of “d” for 2 (deuce), “n” for Nine and “f” for Five. If these changes aren’t intuitive to you, you can use a Sharpie to mark the cards you’re altering for your password. You could apply these changes to passwords of just the red-suit variety, or maybe hearts and spades.

Additionally, you could replace a number with a non-intuitive (or less intuitive) character or string. The Ten could become “qo” for the two keys underneath the 1 and 0 on the keyboard. Seven could become “&.” Or, change the Queen to “v.” Create substitutions that you’re likely to remember or mark the cards.

In case 13! isn’t strong enough for you, your two Jokers can come into play.

Just assign one a value and shuffle it in. Adding just one card creates a minimum of 87,178,291,200 combinations.

Here’s a sample result using a Joker:

8-9-K-Q-4-5-2-A-6-Joker-3-10-J-7

8NkQ45Da6-310j&

With a few substitutions, I’ve created a fantastic 15-character length password.

Want a safe, but simpler password?

I’ve got you covered, too.

Though not as strong, eight characters is still pretty good.

Eight cards give you just 40,320 possible combinations of cards, but you choose those eight cards (and what they represent), creating many, many more possibilities.

My simplified 8 card password:

Randomly chose seven spades and added a Joker. 9-A-8-Joker-J-Q-2-5

While 9A8JjQ25 is okay, it’s hard to remember. With a few substitutions, I can get: NA8-jq25

I can remember it as the phrase “North America 8 (pause, meaning hyphen) jack-queen twenty-five.” It’s a good password, sufficiently random, and can be remembered more easily.

Another example:

A-6-Joker-10-5-K-Q-7

Again, I’ll make adjustments making it easier to recall. A6wt5KQ7

Maybe trickier to create a mnemonic for, but not impossible. “A6 what-the-5 Kwing 7.” (“w” for “Wild,” “t” for Ten, “wtf…” what the five; King+Queen as “kuh-wing”)

My suggestion is to use complex, unique passwords for your most valuable accounts (banking, email, Facebook? — separate passwords) and simpler (but still safe) passwords for things like Netflix and your computer (login).

And there you have it, the Bradtastic Method of Password Creation!

What I’ve presented is really just the beginning of a scalable method for password creation with a built-in failsafe — a pack of cards kept in an actual safe! While no password is perfect and uncrackable, I haven’t come across a better, safer method.

Notes:

Yes, there are simpler methods and safer methods of creating passwords. My goal was to create something that balances ease-of-use with security. “Playing Card Passwords” may seem a bit complicated when compared to just using a unique phrase (such as “YoudaManNowDog25”), but it’s far more secure and easier to retrieve the passwords if you forget them. Coming up with several unique passwords and then remembering them all isn’t easy. Ever try to access an old computer or account and need a password reset, only to find out that the email address you chose to send it to is no longer accessible? Ever forgotten the answer to one of your own security questions? I’ve had both of these problems in the past. Sometimes what we think of as “memorable” doesn’t stay that way. And writing passwords down on paper is essentially the Post-it note problem. Too easily lost or tossed, or disregarded amongst other scraps of paper.

You can create your own tweaks to enhance this system, use ten or twelve cards instead of 13, or just use the basic vanilla method. If you need more than four passwords, you can use red and blue decks, or different back designs.

If you like this idea, share it with friends and loved ones.

Better still, implement this system for your parents who might still be using passwords like “Orwell1984” or “OurDogsNameYearWeGotMarried.” And then send me presents when your inheritance isn’t stolen by a hacker.


My writing and lots of designs can be found at saysbrad.com