It raises the cost of two specific attacks. It helps against shoulder-surfing and replayed input because the grid is reshuffled and the digits you type change every login, so a captured digit sequence does not work against the next grid. An observer who records both the grid and your keystrokes learns more than one who sees only the digits, which is one reason the other controls still matter. It is not a drop-in replacement for a fully audited auth stack: it works best combined with HTTPS, rate limiting, and lockout. See the security model.
What are the two methods, Classic and Sequence?
Classic: you remember one symbol per row (and mark some rows as decoys); at login each row is shown in a fresh order and you type the current column of your symbol in each row, top to bottom. Sequence: you remember just three icons and their order; at login you find each one in its category row, wherever it has landed, type its column number into the slots you chose at sign-up, and fill the remaining slots with decoy digits. You pick a method at sign-up; both run on the same engine and storage rules. See the walkthroughs.
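The Classic round trip, as an added toy model rather than the project's own code: the server shuffles every row for each login, the user types one column digit per row, and the server maps each typed digit back through that login's grid to a candidate symbol, re-derives the token and compares it against a stored PBKDF2 hash. It never needs the plaintext symbols. The symbol set, the `v1:` token layout, and the fact that the set of live (non-decoy) rows is kept next to the hash are assumptions made for this example; the page does not describe those details.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy model of the Classic method (an added illustration, not the project's code).
# Every row holds the same SYMBOLS in a fresh random order for each login; for
# each row the user types the column (0-9) where their remembered symbol now
# sits. Rows the user marked as decoys get any digit and are ignored on verify.
SYMBOLS = list("ABCDEFGHIJ")   # 10 columns -> exactly one digit per row (assumption)
ROWS = 4
TOKEN_VERSION = "v1"           # token layout is an assumption for this example
PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class Record:
    """What the server keeps. No symbol and no column ever appears here.
    live_rows (which rows are not decoys) is stored in this toy model as an
    assumption; the page does not say how the project handles that."""
    version: str
    salt: bytes
    iterations: int
    digest: bytes
    live_rows: tuple


def derive_token(version: str, symbols: list) -> bytes:
    # The token is the chosen symbols of the live rows, in row order, under a
    # version tag so the derivation can change later without breaking old records.
    return f"{version}:{''.join(symbols)}".encode()


def enroll(secret: dict) -> Record:
    """secret maps row index -> remembered symbol; rows absent from it are decoys."""
    live_rows = tuple(sorted(secret))
    salt = secrets.token_bytes(16)
    token = derive_token(TOKEN_VERSION, [secret[r] for r in live_rows])
    digest = hashlib.pbkdf2_hmac("sha256", token, salt, PBKDF2_ITERATIONS)
    return Record(TOKEN_VERSION, salt, PBKDF2_ITERATIONS, digest, live_rows)


def new_challenge(rng=None) -> list:
    """Server side: a fresh permutation of every row for this login attempt."""
    rng = rng or secrets.SystemRandom()
    grid = []
    for _ in range(ROWS):
        row = SYMBOLS[:]
        rng.shuffle(row)
        grid.append(row)
    return grid


def respond(secret: dict, grid: list) -> str:
    """Client side: the digits a user who knows `secret` would type for `grid`."""
    digits = []
    for r, row in enumerate(grid):
        if r in secret:
            digits.append(row.index(secret[r]))         # where the symbol landed
        else:
            digits.append(secrets.randbelow(len(row)))  # decoy row: anything goes
    return "".join(str(d) for d in digits)


def verify(record: Record, grid: list, typed: str) -> bool:
    """Server side: map each typed digit back through *this* login's grid to a
    candidate symbol, re-derive the token and compare hashes in constant time."""
    if len(grid) != ROWS or len(typed) != ROWS or any(c not in "0123456789" for c in typed):
        return False
    candidate = [grid[r][int(typed[r])] for r in record.live_rows]
    token = derive_token(record.version, candidate)
    digest = hashlib.pbkdf2_hmac("sha256", token, record.salt, record.iterations)
    return hmac.compare_digest(digest, record.digest)


if __name__ == "__main__":
    secret = {0: "C", 2: "H", 3: "A"}   # row 1 is a decoy
    rec = enroll(secret)
    grid1 = new_challenge()
    typed1 = respond(secret, grid1)
    grid2 = new_challenge()
    print("digits for login 1:", typed1, "->", verify(rec, grid1, typed1))
    print("same digits replayed against login 2's grid ->", verify(rec, grid2, typed1))
```

Two things to notice: the decoy row's digit changes nothing, because `verify` only reads the live rows, and replaying one login's digits against the next grid fails unless the shuffle happens to put the same symbols in the same columns.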
What if I forget my symbols?
The app ships a recovery flow: verify your email, then re-enroll with a fresh secret. One honest consequence of the design: because the server stores only a hash and never your symbols, it can't show you what you chose — recovery always means choosing a new secret, never recovering the old one.
Does it work on mobile?
Yes. The grid is designed to be usable one-handed at small screen widths, with large tap targets and no hover-only interactions.
Is it accessible?
The grid is keyboard-navigable with labelled cells. A purely visual challenge needs an accessible alternative, and we document that openly rather than pretend it's fully solved.
What stack does it need?
PHP 8.1+ with SQLite for the demo: no database server and no credentials file. All queries use prepared statements, and secrets are stored as versioned, salted PBKDF2-SHA256 hashes, never plaintext. It's plain PHP with no Laravel dependency.
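What "versioned, salted PBKDF2-SHA256 over SQLite with prepared statements" buys you, as an added example written in Python rather than the project's PHP: each record carries its own version and iteration count, so a later policy change is detected at the next successful login and the record is silently re-hashed, and every lookup passes the email as a bound parameter instead of splicing it into SQL. The `<version>$<iterations>$<salt>$<digest>` layout, the `users` table and the iteration counts are assumptions for this example, not the project's actual format.

```python
import hashlib
import hmac
import os
import sqlite3

# Record layout (an assumption for this example, not the project's own format):
# "<version>$<iterations>$<salt hex>$<digest hex>". Carrying the parameters in
# the record keeps old hashes checkable and lets a policy bump be detected.
CURRENT_VERSION = 2
CURRENT_ITERATIONS = 300_000
SALT_BYTES = 16


def hash_token(token: bytes, *, version=CURRENT_VERSION,
               iterations=CURRENT_ITERATIONS, salt=None) -> str:
    if salt is None:
        salt = os.urandom(SALT_BYTES)            # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", token, salt, iterations)
    return f"{version}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(stored: str):
    version, iterations, salt_hex, digest_hex = stored.split("$")
    return int(version), int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def check_token(token: bytes, stored: str) -> bool:
    _, iterations, salt, digest = parse_record(stored)
    # Re-derive under the record's own parameters, then compare in constant time.
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", token, salt, iterations), digest)


def needs_rehash(stored: str) -> bool:
    version, iterations, _, _ = parse_record(stored)
    return version != CURRENT_VERSION or iterations < CURRENT_ITERATIONS


def open_db(path=":memory:") -> sqlite3.Connection:
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS users "
                "(email TEXT PRIMARY KEY, secret_hash TEXT NOT NULL)")
    return con


def enroll(con, email: str, token: bytes, **hash_params) -> None:
    # `?` placeholders: the email is bound as a parameter, never spliced into SQL.
    con.execute("INSERT OR REPLACE INTO users (email, secret_hash) VALUES (?, ?)",
                (email, hash_token(token, **hash_params)))
    con.commit()


def stored_hash(con, email: str):
    row = con.execute("SELECT secret_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def login(con, email: str, token: bytes) -> bool:
    stored = stored_hash(con, email)
    if stored is None:
        hash_token(token)   # unknown account: burn a hash so timing does not reveal which emails exist
        return False
    if not check_token(token, stored):
        return False
    if needs_rehash(stored):
        # Transparent upgrade: the token is in hand right now, so re-store it
        # under the current parameters. Only ever done after a successful check.
        con.execute("UPDATE users SET secret_hash = ? WHERE email = ?",
                    (hash_token(token), email))
        con.commit()
    return True


if __name__ == "__main__":
    con = open_db()
    enroll(con, "alice@example.com", b"v1:CHA", version=1, iterations=100_000)  # legacy record
    print("before:", stored_hash(con, "alice@example.com")[:12])
    print("login:", login(con, "alice@example.com", b"v1:CHA"))
    print("after: ", stored_hash(con, "alice@example.com")[:12])   # now 2$300000$...
    print("injection attempt:", login(con, "' OR 1=1 --", b"v1:CHA"))
```

The failed-login path deliberately never touches the record: re-hashing only on a verified token is what keeps an attacker from using the upgrade path to overwrite a hash.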
Is it free?
The web demo here is free to try. A free WordPress plugin and mobile apps for iOS and Android are planned; see what is coming. Use of the source code is governed by the license.
How big should the grid be?
Bigger is stronger. In the Classic method, with c symbols per row and r rows that are not decoys, there are c^r possible secrets and a blind guess at a single login succeeds with probability 1/c^r, so a grid small enough to be easy to demo is also easy to guess. For real use, choose a larger grid and still rely on rate limiting and lockout to cap the number of guesses an attacker gets.
Where is my passnumber stored?
Nowhere, as such. The server stores only a salted hash of a token derived from your secret, never your symbols, their positions, or a plaintext sequence.