It all started a few days ago with this Xkcd strip.
Someone pointed it out passwordcard.com to me,
and it made me wonder how safe are the passwords generated with that tool.
Those passwords are meant to be used on all those websites that require you
to create a user account with a password. Using a single password for all those
web sites means that when the attacker of one of those websites gets your
password, he can access your account on every other website where you have an
account.

Beware that I'm no mathematician, and neither am I a specialist in
cryptography or information theory, but here are my thoughts on this system.

The generator is based on what looks like a 64-bit key, so in theory, the
entropy is 64 bits, which is reasonnably much (it would take 6x10^{8}
years to break at 1000 attempts per second). However, since you need to feed
the key to an unknown web server, the practical entropy is much less, since
someone else than you knows the key. But let's assume you can generate the
card yourself on a secure computer.

The symbols on the card are upper- and lower-case letters, and digits, which
makes overall 62 possible combinations. This gives 5.95 bits of entropy per
such symbol, if the symbol is randomly generated. Since the card is generated
from 64 bits of entropy, you can take up to 10.7 symbols to generate one or
more passwords without loosing any entropy. That is, a password made of one
symbol will have 5.95 bits of entropy, a password made of two symbols will
have twice that (11.9 bits), three symbols will be 17.9 bits and so on. If you
take more than 10.7 symbols, the entropy of each symbol will be reduced, so
that the entropy of the symbols in all your passwords altogether will never
exceed 64 bits. For example, if you take 16 symbols to make 2 passwords of 8
symbols each, the entropy of each password will be 32 bits instead of the 47.6
bits of a single, 8-symbol password. A 32-bits-of-entropy password takes 50
days to break (at the example rate above) against about 7000 years for the
47.7-bit-of-entropy password.

Here are a few examples of password types and strengths:

- 1 password of 6 symbols: 35.7 bits of entropy, cracked in 1.8 years
- 1 password of 7 symbols: 41.7 bits of entropy, cracked in 112 years
- 1 password of 8 symbols: 47.7 bits of entropy, cracked in 7000 years
- 2 passwords of 6 symbols each: 32 bits of entropy, cracked in 50 days
- 2 passwords of 7 symbols each: 32 bits of entropy, cracked in 50 days

However, if the card is stolen, the thief only has to test a few tens of
thousands combinations to find a password made of 4-8 symbols (29 x 8 symbols,
8 reading directions and 5 possible password-lengths is 55680), which
represent 15.8 bits of entropy and takes less than a minute to crack.
Loosing the card is therefore a bad move.

As a conclusion, the password card is fine on the following three conditions:

- Use a real random number for the key (e.g., by rolling 25 times a 6-sided
die) or a hardware random number generator (there will be a post on that
soon).
- Use the card for passwords totalizing no more than 10 symbols (best to use
only one password of 8, 9 or 10 symbols).
- Do not lose your PasswordCard.

*Disclaimer: once again, I'm no specialist in cryptography or information
theory, but the above is based on how I understand those things. It may be
completely wrong.*