This site was created and is maintained by pepsoft.org, a one-man Java software development company from the Netherlands. I needed a password card for myself and decided to create this page so that everyone could benefit from it. You can email me here: firstname.lastname@example.org.
No individual records are kept whatsoever. The server does not log requests, nor is any other information stored about which cards were generated, or the identity of the site's visitors.
In addition, the password card images are not cached by your browser, and any numbers entered into the number field are not stored in your browser's autocompletion history. If you clear the browser history after visiting the site there should be no record whatsoever.
The site does include some third party code, namely code from Google AdSense (only on the non-secure version), AdBrite (only on the secure version), Google Analytics, AddThis and PayPal, and some information about your visit is sent to these sites. However, as long as you don't construct URLs including a card number yourself, this information does not include any information about the specific card that was generated for you, and insofar as any of the sites store information about you, it is in an aggregated form and they don't disclose any personally identifiable information.
Note that the mobile version of the site only includes Google AdSense (except on the secure version) and Google Analytics code, but does include the card number in the URL, so the card numbers is transmitted to Google. However, in so far as Google stores this information at all it is in an aggregated form and without any personally identifiable information. Note also that the mobile version of the site does allow caching of the page and the card image (to increase performance and decrease Internet traffic for those paying by volume), so the card number and image may be stored by your mobile browser as well as any intermediate caches (such as may be operated by your mobile phone provider, for instance).
Yes, you can access the site at https://www.passwordcard.org/ to connect to the site over an encrypted SSL connection, so that no one can intercept the card.
The site was created because I needed it myself, and it was very little extra effort to make it public. It costs very little to run, and it is hoped the income from the Google ads, plus any donations, will be enough to cover those costs. The site is not intended to make money from, although if that does happen, I will of course not complain about it.
This page describes the algorithm used to generate the cards.
The intention is to keep the site up indefinitely. But of course anything can happen and I cannot guarantee that. In order to make it possible for others to provide continuity if this site ever goes down, this page describes the algorithm used to generate the cards, and provides Java source code and a command line tool as a last resort backup to regenerate a card.
Of course if the site does go down that page will have gone with it, but the algorithm should still be salvageable from the Google cache or the Wayback Machine and hopefully there would be people who had the foresight to download the code and keep it safe.
In an ideal world, you would have a different extremely strong password, consisting of random characters, for each website, and you would have them all memorized. However, since most people could never remember so many random strings of characters, it's a choice between storing the passwords somehow, or choosing easy to remember passwords, or using the same password everywhere. Storing the passwords is the lesser evil, especially if you keep them somewhere which you already protect very well, such as your wallet.
Read about how easy it is to crack easily remembered passwords here. Bruce Schneier, a very well respected authority on computer security, also recommends to write down your passwords, as does Microsoft security expert Jesper Johansson.
There is nothing wrong with using software to store and even automatically fill in your passwords, provided the software is of good quality and you use a strong master password. You could even use both: use a PasswordCard to pick the passwords, and to remember your master password, and store them in a computer program.
This is essentially a low-tech version of the same thing. The advantage is that you can use it in circumstances where you couldn't use a computer program, such as when you're on a public, or someone else's, computer, or when you're not on a computer at all.
No, because if someone has the card itself, they no longer need the number. There is no other information an attacker could extract from the number other than the characters on the card, and he would already have those anyway.
Yes you can. I highly discourage this though, for several reasons. Firstly, keeping the card, or a reference to the card, on the same computer as you use to log in to the accounts you're trying to protect is only marginally better than writing your passwords on a Post-it note and sticking it to your monitor. The idea is to keep your passwords apart from any other information about your accounts.
And secondly, when you use such a link, the information about which card you are requesting is also potentially sent to the third parties that are mentioned above under "What records do you keep?".
The recommended way to use the card is to print it out, cut out the card, keep the card in your wallet, and store the rest of the page (which has the number on it) somewhere safe and secure.
If you still want to link to your card, here's how:
?number=card numberto the URL, substituting
card numberwith your actual card number.
&digitArea=trueto the URL.
&includeSymbols=trueto the URL.
Not yet, but in the near future this possibility will probably be added.
© 2014 pepsoft.org