Diceware with touch input (dkolf.de)

Abstract

In this article I present an approach for entering strong passwords using a touch screen.

Author: David Heiko Kolf, 2026-01-15.

Introduction

In my article on the topic of Diceware I recommended the EFF word list in which every word starts with three unique letters. We can use this list to create a compact password based on a memorable phrase. I concluded the article with the question of whether there is a more comfortable way of entering those three letters on a touch display than the usual touch keyboards.

I finally found the time to create a draft of my idea in a small JavaScript program. Using this program I would like to present my approach.

Mode of operation

My approach consists of two areas with 26 letters each. The second area forms a circle around the first one. You select the first letter by tapping and holding inside the inner area. A swipe into the outer circle selects the second letter. The gesture then returns to the inner area, where you select the final letter by releasing the finger on top of it.

The circular design reminds me a bit of certain types of vault locks.

Example

Unfortunately this example does not appear to work with every browser. I had good experiences with Firefox and Google Chrome on Android, but poor experiences with the DuckDuckGo browser, where the gesture kept scrolling the picture away (as of the end of 2025).

 
 
This example requires JavaScript.

To have something for testing, here is the passphrase from my earlier article:

eagerness, abundant, wrongdoing, nuptials, rarity, gyration, sandworm, atypical

I emphasized the first three letters. Because of the word list used, only those are necessary.

Notes

The design of this example would of course need to be adapted if it were to be used for a real password input. The password would need to be obfuscated and the currently selected letters should probably not be displayed with such a large font size and high contrast, otherwise someone might be able to read it from across the room.

Mistakes are easy to correct, as letters are only accepted once all three are valid — in case of a mistake it is enough to end the gesture outside of the inner area. The second and third letters are correctable within the gesture anyway.
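The gesture from "Mode of operation" and the correction rule above, sketched as a small state machine. This is an added example, not the author's program: the sector layout, the radii and the names hitTest, pointFor and TrigramGesture are assumptions, and the word list is a constructed eight-word subset taken from the test passphrase.

```javascript
// Added example, not the article's program. Assumed layout: two concentric
// areas, each split into 26 equal sectors, 'a' starting at 12 o'clock.
const LETTERS = "abcdefghijklmnopqrstuvwxyz";
const R_INNER = 100, R_OUTER = 160; // assumed radii in pixels
// Constructed subset of the word list: the article's test passphrase.
const WORDS = ["eagerness", "abundant", "wrongdoing", "nuptials",
               "rarity", "gyration", "sandworm", "atypical"];
const BY_PREFIX = new Map(WORDS.map(w => [w.slice(0, 3), w]));

// Map a point relative to the centre (y grows downwards) to area and letter.
function hitTest(x, y) {
  const r = Math.hypot(x, y);
  if (r > R_OUTER) return { area: "outside", letter: null };
  const turn = (Math.atan2(x, -y) / (2 * Math.PI) + 1) % 1; // clockwise, 0..1
  const letter = LETTERS[Math.floor(turn * 26) % 26];
  return { area: r <= R_INNER ? "inner" : "outer", letter };
}

// Centre of a letter's sector at radius r (used to build sample gestures).
function pointFor(letter, r) {
  const a = (LETTERS.indexOf(letter) + 0.5) / 26 * 2 * Math.PI;
  return [r * Math.sin(a), -r * Math.cos(a)];
}

class TrigramGesture {
  constructor() { this.reset(); }
  reset() { this.first = null; this.second = null; }
  down(x, y) {            // tap and hold in the inner area: first letter
    const h = hitTest(x, y);
    this.reset();
    if (h.area === "inner") this.first = h.letter;
  }
  move(x, y) {            // swipe through the outer ring: second letter
    const h = hitTest(x, y);
    if (this.first !== null && h.area === "outer") this.second = h.letter;
  }
  up(x, y) {              // release on the inner area: third letter
    const h = hitTest(x, y);
    const tri = this.first !== null && this.second !== null && h.area === "inner"
      ? this.first + this.second + h.letter : null;
    this.reset();
    // Accept only a prefix that exists in the list; anything else is discarded.
    return tri !== null && BY_PREFIX.has(tri) ? tri : null;
  }
}
```

In a browser the three methods would be driven by pointerdown, pointermove and pointerup events, with coordinates taken relative to the centre of the control.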

I haven't tested my example with screen readers yet. For a serious product this would of course be necessary. But I did make sure to include a default text input field as a fallback in my example; I would highly recommend doing so in a real product as well.

Conclusion

I don't see much sense in implementing this on a website, as there are much better ways to store good passwords. But for apps that deal with encrypted data I can see this method being a good alternative.