Generate strong user passwords using a deck of playing cards
(APR Tutorial)

1.0 Abstract

This tutorial describes a reliable manual method of generating strong user passwords using only a deck of playing cards. Eight-character passwords can be easily and quickly created from a key space of 44 to 45 bits, or 30 to 50 trillion possibilities. Randomness is provided by thoroughly shuffling and cutting the cards. Verification of the combinatorial analysis is simple. Extensions to larger key spaces are straightforward.

2.0 Requirements

A literature search offered the advice that safe passwords are best generated by thinking up random passwords and never writing them down. A practical problem is that people do not generally "think up" random passwords, and the more "random" the password, the more difficult it is to remember. The practical result is that users make up easy-to-remember passwords that too often fall into the clever heuristics of password guessers like crack.

Forgoing the "best" approach in favour of a realistic approach, the proposed method is

  1. repeatedly shuffle and cut a deck of playing cards to create randomness
  2. write the password on a business card and stick it in your wallet

Users treating their passwords as carefully as their credit cards will be in the top one half of one percent of users. Users selecting passwords from a key space exceeding 40 bits or one trillion possibilities will also be in the top one half of one percent of users.

3.0 Playing Cards Generate Effective User Passwords

Repeatedly shuffle and cut a deck of cards until the deck is well randomized. Draw cards and assign the letter values shown in the table below. Randomizing the letters in the table will not increase the randomness of the passwords selected when the cards are well shuffled.

If the cards are not well shuffled, so that sequences of cards remain intact between shuffles or the cards are re-interleaved in a semi-regular way, using a randomized letter ordering or applying some type of substitution algorithm to the generated password may weaken or obscure the continuity between successive passwords. Readers with such concerns should seek stronger initial randomizing methods. The writer finds such concerns excessive for this method.

Several variations are described in the next section.

   Face      Hearts   Diamonds   Clubs     Spades
   Ace       A        N          a         n
   2         B        O          b         o
   3         C        P          c         p
   4         D        Q          d         q
   5         E        R          e         r
   6         F        S          f         s
   7         G        T          g         t
   8         H        U          h         u
   9         I        V          i         v
   10        J        W          j         w
   Jack      K        X          k         x
   Queen     L        Y          l         y
   King      M        Z          m         z

4.0 Variations

Our methods exclude most repetition to bypass complex issues of how repetition may help or harm randomness. The reader is left to decide if the more laborious methods are worth the extra effort.

The "number of bits" in x, that is, the base two logarithm of x, is computed as log(x) ÷ log(2.0).

4.1 Shuffle and draw 8 cards

This is the fastest method. Thoroughly randomize the deck by repeated shuffle and cut operations, then draw eight cards. Because the cards are drawn without replacement there are no repeated letters: there are 52 ways to pick the first letter, 51 ways to pick the second letter, and so on, so the selected password is one of 52x51x50x49x48x47x46x45 possibilities (roughly 30.34 trillion or 44.78 bits).

4.2 Repeat 2 times: Shuffle and draw 4 cards

There are 52x51x50x49 or 6,497,400 possible quadruples. If we exclude a repeated quadruple by reshuffling and redrawing, the key space is 6,497,400x6,497,399 possibilities (roughly 42.21 trillion or 45.26 bits).

4.3 Repeat 4 times: Shuffle and draw 2 cards

There are 52x51 or 2652 possible pairs. If we exclude a repeated pair by reshuffling and redrawing, the key space is 2652x2651x2650x2649 possibilities (roughly 49.35 trillion or 45.48 bits).

4.4 Repeat 8 times: Shuffle and draw 1 card

Drawing cards one at a time and allowing repeats yields a key space of 52^8 possibilities (roughly 53.45 trillion or 45.60 bits). Note that "aaaaaaaa", eight "a"s, is a valid "random" password in this key space. Unfortunately crack will find it in minutes.

4.5 Make your own deck of (say) 64 cards

Using an alphabet of the 52 upper and lower case letters plus ten digits and two other characters, or any set of 64 characters you please, and drawing eight cards with repeats allowed, the key space is 64^8, roughly 281.47 trillion or 48.00 bits.
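As an added worked example (not code from the original tutorial), the following Python models the card-to-letter table of section 3 and the draw procedure, uses the operating system's CSPRNG in place of the manual shuffle, and computes the key space and bit count for each of the variations in sections 4.1 to 4.4; the function names are assumptions of this example.

```python
import math
import secrets

# Letter table from the tutorial, indexed by face (Ace, 2..10, Jack, Queen, King):
# Hearts -> A..M, Diamonds -> N..Z, Clubs -> a..m, Spades -> n..z.
FACES = ["Ace"] + [str(n) for n in range(2, 11)] + ["Jack", "Queen", "King"]
SUIT_LETTERS = {"Hearts": "ABCDEFGHIJKLM", "Diamonds": "NOPQRSTUVWXYZ",
                "Clubs": "abcdefghijklm", "Spades": "nopqrstuvwxyz"}

def card_letter(face, suit):
    """Map one playing card to its password letter using the table above."""
    return SUIT_LETTERS[suit][FACES.index(face)]

def draw_password(rounds, per_round, rng=secrets.SystemRandom()):
    """Simulate the procedure: `rounds` full shuffles, taking `per_round` cards
    off the top each round. The OS CSPRNG stands in for a thorough manual
    shuffle; within a round cards are drawn without replacement."""
    letters = []
    for _ in range(rounds):
        deck = [(face, suit) for suit in SUIT_LETTERS for face in FACES]
        rng.shuffle(deck)
        letters.extend(card_letter(face, suit) for face, suit in deck[:per_round])
    return "".join(letters)

def key_space(rounds, per_round, exclude_repeated_rounds=True):
    """Count the distinct passwords a variation can produce. Each round yields
    one of P(52, per_round) ordered draws; excluding a repeated round (as in
    sections 4.2 and 4.3) makes the sequence of rounds a permutation too."""
    draws_per_round = math.perm(52, per_round)
    if exclude_repeated_rounds:
        return math.perm(draws_per_round, rounds)
    return draws_per_round ** rounds

def bits(n):
    """Base-two logarithm: the tutorial's 'number of bits' in n."""
    return math.log2(n)

if __name__ == "__main__":
    # Sections 4.1 to 4.4 as (label, rounds, cards per round, exclude repeated rounds)
    variations = [("4.1", 1, 8, True), ("4.2", 2, 4, True),
                  ("4.3", 4, 2, True), ("4.4", 8, 1, False)]
    for label, rounds, per_round, excl in variations:
        n = key_space(rounds, per_round, excl)
        print(f"{label}: {draw_password(rounds, per_round)}  "
              f"{n / 1e12:.2f} trillion, {bits(n):.2f} bits")
```

Running it reproduces the tutorial's figures (30.34, 42.21, 49.35 and 53.45 trillion; 44.78, 45.26, 45.48 and 45.60 bits) and prints one sample password per variation.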

This completes the outline of generating passwords using a deck of playing cards.

5.0 Background

Some years ago, when the writer was president of the Calgary Unix Users' Group, CUUG, we received multiple complaints of port sniffing originating from CUUG machines. Our system administrators traced the activity back to one member's account. The member was of good reputation and very unlikely to be the snooper. No evidence could be found of the account being hacked. After some further research, it was discovered that the member's password, mouse1, was conveniently stuck on his monitor with a yellow sticky note and that his teenage son and son's friend were the perpetrators. The member had initially been unwilling to believe that his son would do such a terrible thing. The member was counseled and assigned a permanent password.

This, combined with other security events, led our Chief System Administrator to begin running the crack password guessing utility to evaluate member password security. The first few minutes of running crack produced several humourous and appalling hits:

  1. "555555" - six fives.
  2. "penguin5" - penguin with a "5" instead of "s" on a Linux system!

Clearly we needed a simple and convenient way for members to generate strong high quality passwords. This method requires minimal apparatus (a deck of playing cards), is easy to implement, and users can readily understand and verify the security of the method.

The result was favourably received by the membership. This tutorial is a rework of that email.


© 2011 Advanced Processor Research Ltd. All Rights Reserved