It's resistant to different attacks. It helps against shoulder-surfing and replayed input because what you type changes each login. It is not a drop-in replacement for a fully audited auth stack — it works best combined with HTTPS, rate limiting, and lockout. See the security model.
What if I forget my symbols?
You'd use the account-recovery flow the implementer builds — the same as a forgotten password. The reference demo doesn't ship recovery; it's listed as an implementer responsibility.
Does it work on mobile?
Yes. The grid is designed to be usable one-handed at small screen widths, with large tap targets and no hover-only interactions.
Is it accessible?
The grid is keyboard-navigable with labelled cells. A purely visual challenge needs an accessible alternative, and we document that openly rather than pretend it's fully solved.
What stack does it need?
PHP 8.1+ with SQLite for the demo — no database server and no credentials file. Prepared statements and salted hashing throughout. It's plain PHP, with no Laravel dependency.
Is it free?
The web demo here is free to try. A free WordPress plugin and mobile apps for iOS and Android are planned — see what is coming. Use of the source code is governed by the license.
How big should the grid be?
Bigger is stronger. Small grids are easy to demo but have fewer possible secrets; for real use, choose a larger grid and rely on lockout and rate limiting too.
Where is my passnumber stored?
It isn't. Only a salted hash of a derived token is stored — never your symbols, their positions, or a plaintext sequence.