Passwordless · self-hosted

Log in by memory,
not by password.

Remember a few symbols. Every login the grid reshuffles — so the numbers you type change while your symbols stay the same. Easier to remember, harder to shoulder-surf.

4×4 → 9×9 grid sizes
Salted hashing, no plaintext
PHP · SQLite, self-host in an afternoon
Login attempt: grid reshuffles every attempt
Your symbols stay highlighted — their positions change each time.

The idea in four steps

See it before you build it.

1. Remember symbols

At sign-up you pick a symbol to remember in each row, and mark some rows to ignore.

2. Grid reshuffles

On every login the rows and symbols shuffle into new positions.

3. Read new positions

Find your symbols and type the numbers where they landed this time.

4. Authenticate

The server maps your input back through the shuffle and checks the hash.

The problem

Strong passwords are hard to remember and easy to watch.

Reused & written down

Complexity rules push people into reusing passwords or writing them on a note.

Shoulder-surfing

Anyone watching your screen or keyboard captures the exact same string.

Replayed keystrokes

A captured password works again and again until it's changed.

How it works

Remember symbols. Enter their changing positions.

The thing you memorise never changes. The thing a bystander sees you type changes every single login.

01 · REGISTER

Pick & remember

Choose a symbol to remember in each row and mark the rows you'll neglect. Nothing about your choice is stored in readable form.

02 · STORE

Salted hash only

We derive a single secret from your choices and store only its salted hash — never your symbols, never their positions.

03 · LOGIN

Reshuffle & verify

The grid reshuffles, you type the new positions, and the server reverses the shuffle to rebuild the secret and compare hashes.
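An added example, not the project's own code: one way the server-side step in 03 could be written in PHP, under an assumed input encoding (one digit per displayed row, 0 for a neglected row) and an assumed token format. `new_challenge`, `rebuild_token`, `verify_login` and the `'challenge'` session key are hypothetical names, and `Random\Randomizer` needs PHP 8.2 or later.

```php
<?php
declare(strict_types=1);
// Assumed input encoding (not from the page): one digit per displayed row,
// 1..n = column where the remembered symbol landed, 0 = a neglected row.

// Hypothetical helper: shuffle the row order and each row's symbols.
function new_challenge(array $rows): array
{
    $rng = new \Random\Randomizer();          // default engine is the CSPRNG
    $grid = [];
    foreach ($rng->shuffleArray(array_keys($rows)) as $r) {
        $grid[] = ['row' => $r, 'symbols' => $rng->shuffleArray($rows[$r])];
    }
    return $grid;                             // kept server-side, in the session
}

// Map the typed positions back through the shuffle to a canonical token.
function rebuild_token(array $grid, string $typed): ?string
{
    if (strlen($typed) !== count($grid) || preg_match('/\A[0-9]+\z/', $typed) !== 1) { return null; }
    $parts = [];
    foreach ($grid as $d => $shown) {
        $col = (int) $typed[$d];
        if ($col > count($shown['symbols'])) { return null; }
        $parts[$shown['row']] = $col === 0 ? '-' : $shown['symbols'][$col - 1];
    }
    ksort($parts);                            // original row order, whatever the shuffle
    return implode('|', $parts);
}

function verify_login(array &$session, string $typed, string $storedHash): bool
{
    $grid = $session['challenge'] ?? null;
    unset($session['challenge']);             // each grid accepts one attempt
    $token = $grid === null ? null : rebuild_token($grid, $typed);
    return $token !== null && password_verify($token, $storedHash);
}

// Constructed 4x4 sample: the user remembers B, neglects row 1, then K and M.
$rows = [['A', 'B', 'C', 'D'], ['E', 'F', 'G', 'H'], ['I', 'J', 'K', 'L'], ['M', 'N', 'O', 'P']];
$hash = password_hash('B|-|K|M', PASSWORD_DEFAULT);
$session = ['challenge' => new_challenge($rows)];
$typed = '';
foreach ($session['challenge'] as $shown) {   // what the user would read off the grid
    $want = ['B', null, 'K', 'M'][$shown['row']];
    $typed .= $want === null ? '0' : (string) (array_search($want, $shown['symbols'], true) + 1);
}
var_dump(verify_login($session, $typed, $hash));   // attempt against the live grid
var_dump(verify_login($session, $typed, $hash));   // same digits, grid already consumed
```

Discarding the challenge before checking it is what makes a captured entry useless on the next attempt; the per-account lockout the page calls for would wrap `verify_login` and is not shown here.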

See the full walkthrough with a worked example →

Why teams try it

Memorable for people. Simple for developers.

Easy to remember

Visual memory beats memorising a random string of characters and symbols.

Observation-resistant

What a bystander sees you type is different — and useless — next time.

No extra hardware

No phone, no token, no magic link. Just something you already remember.

Self-hostable

Runs on a standard PHP + SQLite stack. Clone, configure, run.

Source-available

Free to use and modify for individuals and companies alike.

Lockout built in

Accounts lock after repeated failed attempts — a core part of the defence.

Security model

Designed to reduce common login risks — when implemented correctly.

We'd rather be precise than loud. Here's what the method helps with, and what stays your responsibility.

The method helps with

  • Shoulder-surfing — the visible input changes every login.
  • Replayed keystrokes — a captured entry won't work next time.
  • Plaintext exposure — only a salted hash is stored.
  • Casual brute force — paired with strict per-account lockout.

You must implement

  • HTTPS / TLS on every request.
  • A strict Content-Security-Policy and security headers.
  • Global, IP-level rate limiting and monitoring.
  • Account recovery, audit logging, and a security review.

What we don't claim. This is a demonstration of an authentication method, not an audited, production-ready system. At small grid sizes the keyspace is small — the real defence is larger grids plus lockout plus rate limiting, not the hash alone. We don't claim it is "unhackable" or that it prevents man-in-the-middle attacks.

Read the full security model →

For developers

Self-host it in an afternoon.

PHP-based, runs on a standard stack with no database server to configure. Clone, start a server, open the demo. Full docs and a security checklist are included.

quickstart.sh
# clone and run — no credentials, no DB server
git clone passnumber-demo
cd passnumber-demo
php -S 127.0.0.1:8000 -t public

# storage (PHP): salted hash only (no plaintext)
password_hash($token, PASSWORD_DEFAULT);

# queries (PHP): prepared statements, always
$stmt = $pdo->prepare(
  'SELECT * FROM users WHERE username = :u'
);

Where you can use it

On the web today. On your phone soon.

Try it in any browser right now. Native apps and a free WordPress plugin are on the way.

Web demo (LIVE)

Run the full method in your browser — no install, no sign-up.

Try it now →

iOS & Android (SOON)

Native apps so you can log in straight from your phone. Coming soon.

WordPress plugin (SOON)

A free plugin to replace the conventional password login on your WordPress site. Coming soon.

Want to know when the apps or plugin launch? Drop us a line.

Built in the open

Transparent by default.

Source available on GitHub · Honest security model · Documented limitations · Public roadmap

See it for yourself.

Pick a few symbols, watch the grid reshuffle, and log in — right in your browser.