Chris Wellons has done work here with Pokerware, building passphrases from a shuffled deck of cards. This method also uses a sufficiently shuffled deck of playing cards, but builds random, meaningless password strings instead of passphrases.
This is a manual method of password generation without needing a computer. As such, some care must be taken during generation:
- The deck must be sufficiently shuffled.
- At least 13 cards should be drawn for building a secure password.
If the deck is sufficiently shuffled, then drawing the first card provides log2(52) ~= 5.70 bits of security. Without replacing the card, the second drawn card provides log2(51) ~= 5.67 bits of security. As cards continue to be drawn without being replaced in the deck, the security added per card drops as follows:
log2(52) + log2(51) + ... + log2(3) + log2(2) + log2(1)
This has the obvious property that characters will not be repeated in the password, because cards are not replaced back into the deck (not replacing them is recommended).
The set definitions below define 52 unique characters across 4 different sets. They are strictly 7-bit ASCII as a lowest common denominator for all English speakers.
A standard poker deck of playing cards, of 4 suits with 13 cards per suit is required. The jokers are not utilized.
The security of the password is directly dependent on the quality of the shuffled deck. Assuming a riffle shuffle, where the deck is divided into two, and each half is randomly interleaved with the other half, it takes approximately 10-12 shuffles to maximize the Shannon entropy in the deck. However, cutting the deck for each riffle shuffle improves the rate of diffusion in the deck, requiring only 6-7 shuffles.
However, a problem exists with paper-based playing cards: oils transfer from your hands to the cards, and over time, cards start sticking together, thus introducing a bias into the riffle shuffle. A way to remove this bias is to deterministically shuffle the deck into 4 piles of 13 cards each. Think of this as a way to "whiten" the riffle shuffle.
As such, to maximize entropy in your shuffling, it is recommended that you repeat steps 1 through 3 seven times:
1. Riffle shuffle.
2. Cut the deck.
3. 4-pile shuffle.
SET1: Alphabetic characters only. All lowercase and uppercase characters.

SET2: Alphanumeric, with all ten digits, lowercase, and uppercase characters, without vowels.

SET3: Alphanumeric based on Crockford's base-32. The ambiguous characters `i`, `I`, `l`, `L`, `o`, `O`, `u`, `U`, `0`, and `1` have been removed.

SET4: Alphanumeric with special characters. The lowercase characters are the first 13 characters of the English alphabet, and the uppercase characters are the last 13 characters of the English alphabet. All ten digits are present, along with the 16 special characters across the top row of the QWERTY and Colemak keyboards. See SET5 for Dvorak.

SET5: The same definition as SET4, except the special characters are found on the top row of the Dvorak keyboard layout.

Set | A | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | T | J | Q | K |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SET1 | a | b | c | d | e | f | g | h | i | j | k | l | m |
SET2 | b | c | d | f | g | h | j | k | l | m | n | p | q |
SET3 | a | b | c | d | e | f | g | h | j | k | m | n | p |
SET4 | a | b | c | d | e | f | g | h | i | j | k | l | m |
SET5 | a | b | c | d | e | f | g | h | i | j | k | l | m |

Set | A | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | T | J | Q | K |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SET1 | n | o | p | q | r | s | t | u | v | w | x | y | z |
SET2 | r | s | t | v | w | x | y | z | B | C | D | F | G |
SET3 | q | r | s | t | v | w | x | y | z | A | B | C | D |
SET4 | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
SET5 | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |

Set | A | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | T | J | Q | K |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SET1 | A | B | C | D | E | F | G | H | I | J | K | L | M |
SET2 | H | J | K | L | M | N | P | Q | R | S | T | V | W |
SET3 | E | F | G | H | J | K | M | N | P | Q | R | S | T |
SET4 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | ` | ~ | ! |
SET5 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | ` | ~ | ! |

Set | A | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | T | J | Q | K |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SET1 | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
SET2 | X | Y | Z | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
SET3 | V | W | X | Y | Z | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
SET4 | @ | # | $ | % | ^ | & | * | ( | ) | - | _ | = | + |
SET5 | @ | # | $ | % | ^ | & | * | ( | ) | [ | ] | { | } |
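
The card-to-character lookup and the entropy sum described earlier, as an added Python example (not code from the original page): it translates a recorded draw into a password under a chosen set and computes the bits of security for cards drawn without replacement. The suit order assigned to the four tables (clubs, diamonds, hearts, spades) and the two-character card notation such as `7H` are assumptions, since the tables carry no suit labels.

```python
import math

RANKS = "A23456789TJQK"
# Assumption: the page's four tables carry no suit labels, so this example maps
# them, in page order, to clubs, diamonds, hearts and spades.
SUITS = "CDHS"
# Each set's 52 characters, read row by row from the four tables above.
SETS = {
    "SET1": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "SET2": "bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ0123456789",
    "SET3": "abcdefghjkmnpqrstvwxyzABCDEFGHJKMNPQRSTVWXYZ23456789",
    "SET4": "abcdefghijklmNOPQRSTUVWXYZ0123456789`~!@#$%^&*()-_=+",
    "SET5": "abcdefghijklmNOPQRSTUVWXYZ0123456789`~!@#$%^&*()[]{}",
}


def draw_entropy_bits(cards_drawn, deck_size=52):
    """Bits of security from drawing without replacement: log2(52) + log2(51) + ..."""
    if not 0 <= cards_drawn <= deck_size:
        raise ValueError("cannot draw more cards than the deck holds")
    return sum(math.log2(deck_size - i) for i in range(cards_drawn))


def cards_to_password(cards, set_name="SET2"):
    """Translate drawn cards such as '7H' or 'TD' into password characters."""
    charset = SETS[set_name]
    seen, out = set(), []
    for card in cards:
        card = card.strip().upper()
        if len(card) != 2 or card[0] not in RANKS or card[1] not in SUITS:
            raise ValueError(f"not a card: {card!r}")
        if card in seen:
            # One deck cannot yield the same card twice: a transcription error.
            raise ValueError(f"card recorded twice: {card}")
        seen.add(card)
        out.append(charset[SUITS.index(card[1]) * 13 + RANKS.index(card[0])])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample draw of 13 cards (not taken from the page).
    draw = "7H KS AC TD 3S QC 9D 2H JS 5C 8D 4S 6H".split()
    print(cards_to_password(draw, "SET2"), f"{draw_entropy_bits(13):.2f} bits")
```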