How it works
The thing you memorise never changes. The thing a bystander sees you type changes every single login. Here's the full method, end to end.
The grid has rows (categories) and columns (symbols). In each row you choose one symbol to remember, and you mark one or more rows as neglected.
Your choices are turned into a single canonical secret. We store only a salted hash of it — never your symbols, never their positions, never a plaintext sequence.
The grid reshuffles row order and symbol order. You read off the new positions of your remembered symbols and type them. The server reverses the shuffle, rebuilds the secret, and compares hashes.
Worked example
Say you register on a four-row grid and choose to remember these symbols.
You remember: 🍌 banana, 🐼 panda, 🎾 tennis, and you neglect the car row. Internally that becomes a fixed token like 2 · 4 · x · 3 — position 2, position 4, neglected, position 3.
The grid reshuffles. Your banana might now sit at position 4, your panda at 1, your tennis ball at 2. So this time you type 4 1 ? 2 — and for the neglected car row, any number at all.
Someone who memorised 4 1 ? 2 learns nothing useful: next login your symbols will be somewhere else entirely. The numbers are throwaway; only the symbols persist, and they live only in your head.
An honest note on the math
A small grid is easy to demo but has a small number of possible secrets. The strength comes from three things together, not the hash alone: