It seems like after every major computer security breach, or site hack, we find out that tonnes of people are still using terrible passwords for all their various accounts.
The P@SS (https://www.tindie.com/products/Russtopia/pss-mark-ii-password-generatorrecall-key-fob) is a lo-fi attempt at addressing this problem, by helping you create fairly complex passwords which you can easily recall. This video will look at some of the strengths and weaknesses of this way of doing things.
Thank you to Russ, the guy who makes these for sending me a review copy to look at.
The P@SS is a little keyfob, which has a bunch of rings that you can smoothly scroll through. Each of these contains various numbers, letters and symbols in high contrast white on black.
The whole thing is made from machined stainless steel, and feels pretty solid, and well constructed.
You can unscrew the top of the P@SS and store things inside it too if you want.
The P@SS provides a bunch of numbers, letters and symbols for you to use, but it's you who has to create a good rule to generate and recall passwords.
Russ has produced 8 different rings, and you receive 4 which you can arrange however you like.
He also includes a backup sheet which you can use incase you lose the device.
OK, let's say we want to generate a password for our Github account. Find the G I T H on the P@SS, and look at the symbols and numbers.
We now have a choice for what to do with these. You could simply write everything out in the line, giving you a 12 character password.
Or you could use only the number or symbols from 3 rows down:
Or make it more complex by joining these together:
To add even more strength to the password, you could add a phrase or something that you can easily remember onto the end or the beginning.
This gives you a 41 character password with both upper and lowercase letters, numbers and symbols.
It's up to you how you want to do it, you can go backwards, forwards, shift, and alternate between rows and columns, and/or combine passwords or phrases - the important thing is that the rule is something you can remember, and something other people aren't likely to use.
NO MAGIC BULLET
Russ wanted me to stress to you that this is not foolproof, and the complexity of your rule is absolutely crucial.
It's not going to generate a password as securely as a computer can, but this can potentially enable you to both generate and recall fairly complex passwords without any computers or software.
After all, hackers are actively attacking password manager apps and cloud password storage precisely because of how this important data is centralized.
It's quite nice to have something so tactile, and well built for a use like this. I'm not sure how mathematically secure the P@SS is, but like I mentioned before, much of that depends on your discipline with the thing.
If someone gains physical access, sure they could potentially figure it out, but then again, if they gain physical access, then all bets are off anyway.
It could be a good way for less technical people to use a different, complex password for each of their accounts, and that's got to be better than the horrible infosec most people use at the moment. What do you think?