GitHub Try it now

How it works

Remember symbols.
Enter their changing positions.

The thing you memorise never changes. The thing a bystander sees you type changes every single login. Here's the full method, end to end.

01 · REGISTER

Pick & remember

The grid has rows (categories) and columns (symbols). In each row you choose one symbol to remember, and you mark one or more rows as neglected.

02 · STORE

Salted hash only

Your choices are turned into a single canonical secret. We store only a salted hash of it — never your symbols, never their positions, never a plaintext sequence.

03 · LOGIN

Reshuffle & verify

The grid reshuffles row order and symbol order. You read off the new positions of your remembered symbols and type them. The server reverses the shuffle, rebuilds the secret, and compares hashes.

These three steps are the Classic method. PassNumber also ships a second method on the same engine — Sequence: 3 icons in order, found anywhere on the board ↓

Worked example

A 4×4 grid, one neglected row.

Say you register on a four-row grid and choose to remember these symbols.

at registration
fruit
🍎1
🍌2
🍇3
🍓4
animal
🐶1
🐱2
🦊3
🐼4
car
neglect
🚕2
🚌3
🚲4
sport
1
🏀2
🎾3
🏓4

Your secret

You remember: 🍌 banana, 🐼 panda, 🎾 tennis, and you neglect the car row. Internally that becomes a fixed token like 2 · 4 · x · 3 — position 2, position 4, neglected, position 3.

Next login

The grid reshuffles. Your banana might now sit at position 4, your panda at 1, your tennis ball at 2. So this time you type 4 1 ? 2 — and for the neglected car row, any number at all.

Why it's safe to watch

Someone who memorised 4 1 ? 2 learns nothing useful: next login your symbols will be somewhere else entirely. The numbers are throwaway; only the symbols persist, and they live only in your head.

The second method

Sequence — 3 icons, in order, anywhere on the board.

The walkthrough above is the Classic method. PassNumber also ships Sequence: instead of one symbol per row, you remember just three icons and their order.

a sequence login board (3 of 6 rows shown)
animals
🐶1
🐱2
🦊3
🐼4
travel
✈️1
🚆2
🚗3
4
hobbies
🎸1
🎨2
📚3
🎮4

Your secret

Three icons, in a fixed order — say 1st 🐱 cat, 2nd 🎸 guitar, 3rd ⛵ sailboat. Each comes from a different category row. The rows and the icons inside them reshuffle every login, but each row's category label travels with it — that's how you find your icons wherever they land.

Logging in

You type 6 digits: the current column numbers of your three icons, in your order, placed in the slots you chose at sign-up (for most people the first three) — and any digits at all in the remaining slots as decoys. On the board above that's 2 · 1 · 4 plus three throwaway digits. Next login the board is different, so the digits are too.

What the server knows

Only a salted hash of the canonical secret, plus non-secret metadata: the ordered category names and which slots are real. Never the icons — by design, the server can verify your answer but can never display your secret back to anyone.

Honest math, again. Three icons on a board of C columns give C³ combinations on the real digits (729 at 9 columns) — modest on its own, which is why per-account lockout and rate limiting are part of the design, not optional extras. The decoys and the reshuffle are what defeat an onlooker; the lockout is what defeats guessing.

An honest note on the math

Bigger grids, stronger secret.

A small grid is easy to demo but has a small number of possible secrets. The strength comes from three things together, not the hash alone:

  • Grid size. Larger grids (up to 9×9) and more remembered rows dramatically increase the number of possibilities.
  • Lockout. Accounts lock after a handful of failed attempts, so guessing is slow.
  • Rate limiting. The implementer adds IP-level limits to stop automated guessing at scale.
Be realistic. PassNumber reduces specific risks — shoulder-surfing and replay — well. It is not a substitute for a complete, audited authentication stack. Treat it as one carefully-implemented layer.
Try it yourself Read the security model