Nudge Cards

From our “obvious in retrospect” department, Iʼll share this bright idea I shouldʼve had years ago.

If, like me, you find yourself in the position of having to create or reset someone elseʼs password every now and again, you may also have been tempted to grab any conveniently-sized piece of paper within reach. The main problem with these brightly-coloured scraps is that, due to the small amount of adhesive on the back, those carefully pseudorandom passwords invariably end up in places like this:

Not the most secure setup

Opinions vary on this subject, but I would rank single-factor login security options thusly: (from most to least secure)

  • public-key cryptography using a Hardware Security Module (HSM);
  • public-key cryptography using keys encrypted with a strong passphrase;
  • using a long, pseudorandomly generated, unique (service-specific) password stored in a password manager (and unknown to the user);
  • using a long, pseudorandomly generated, unique password that the user remembers;
  • using a long, unique, password that the user thought of themselves;
  • using the same long password that the user uses everywhere;
  • using a weak or obvious password (though not one in the top ten);
  • sticking the password on the device youʼre authenticating on;
  • using password or test, or any password in the top ten most used.

For a brief motivation for this ranking:

  • well-designed HSMʼs can be stolen, but they cannot be surreptitiously copied;
  • password managers check the site URL more effectively than humans, making it difficult or even impossible to enter your login information on a phishing site;
  • users remembering long pseudorandom gibberish is highly laudable, but expecting users from reality-land to actually do that is a pipe dream;
  • humans arenʼt as good at inventing random things as we think we are (e.g. “Clio&Artemis1988” looks secure, but is obvious to anyone who knows me or my cats);
  • anyone visiting the office (or seeing a picture) will be granted immediate positive access;
  • well-designed systems will blacklist or lock down before allowing 10 login attempts.

Sending all the wrong signals

I had an epiphany the other day: Iʼve been going at it all wrong. In handing out passwords on a sticky note, Iʼve been hinting at users to, well, stick it to stuff.

If I want to send a different message, Iʼll need different paper media to convey it. Introducing, the Nudge Card:

Credit card sized, for your convenience

These cards are credit card sized, inviting users to just keep it in their wallet for safe keeping. Where does this rate in the security ranking? In my opinion, (assuming what you write on it is securely generated) Iʼd say this ranks fifth, just below remembering random gibberish. People generally pay well enough attention to their wallet, and the criminals stealing wallets arenʼt necessarily the same criminals that are interested in harvesting passwords. (Though this may change in the future.)

Iʼve been using them for a while now, and so far everybodyʼs taken the hint and stored it in their wallet. (Iʼve yet to encounter someone that reached for the scotch tape to stick the card to their monitor, but Iʼve prepared a stern talking to, just to be safe.)

If you want to use these yourself, go nuts!

For copyright reasons I canʼt sell the cards themselves, nor can I make the PDF available for download (I donʼt own the graphic I used). If you want to have some, drop me a line and maybe Iʼll send a few over.