Slashdot Mirror
Storing Your Encrypted Passwords Offline On a Dedicated Device
An anonymous reader writes "The Hackaday writer Mathieu Stephan (alias limpkin) has just launched a new open source/hardware project together with the Hackaday community. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating long and complex random passwords for the different websites people use daily. It consists of a main device where users' credentials are encrypted, and a PIN locked smartcard containing the encryption key. Simply visit a website and the device will ask for confirmation to enter your credentials when you need to login. All development steps will be documented and all resources available for review."
What could possibly go wrong?
Nah, the password server couldn't possibly be compromised by a terminated sysadmin or via social engineering.
"Storing Your Encrypted Passwords Offline On a Dedicated Device" = stick them in a USB stick in your pocket.
My solution fulfills all of the requirements the easiest, the cheapest, and the most reliably.
I don't respond to AC's.
If your ciphertext must be stored in such a fashion, why bother? Properly encrypted data should be able to fall into the hands of an attacker, that's the whole point.
Assuming of course that you (i) have internet access, and (ii) that you have a secure connection - best joke of 2013.
Security gets better with these keywords - offline, local, air-gapped.
US Military pretty much does this with their Common Access Cards (CAC). It doubles as our government ID card and stores certificates that are used to identify individuals on government sites. I like that system as it allows me to remember a simple master password (a PIN) and the passwords are stored somewhere secure.
Not sure how useful this system would be if people continue to use passwords like 'password.' Combining this with KeePass or something similar would be nice.
How does this differ from using KeePass and keeping the password safe on Dropbox?
... the Mandylion Password Manager? http://www.mandylionlabs.com/
It's not offline.
This really is some guy just using a system he thinks is less likely to be compromised. Well, that's what everyone else does too.
http://lkml.org/lkml/2005/8/20/95
The device should never return credentials. It should return a set of hashes of your credentials. You also cannot use a standard network stack, but one crippled to provide limited valid responses.
If you add a way to encrypt data by streaming it through the device (or text written/ video taken on the device)and view it, without exposing the entire device, then you are on to a winner.
I store my passwords on a piece of paper. Works fine for me.
-- Cheers!
The passwords are to be AES128 encrypted on the smart card. There is no password server.
Now I'm logged in as you, huh huh huh.
The NSA ***LOVES*** morons who use encryption services where an encrypted copy of the 'key' (password) exists. Why? Two reasons.
1) The NSA seeks to accumulated statistical 'wisdom' about the common behaviour of the sheeple. The 'passwords' we choose are of immense interest to the NSA, since the psychology of selection means the NSA can refine speculative attacks on likely password choices. 'Long' and 'strong' password choices may show statistical tendencies, and this knowledge is golden to intelligence agencies.
2) The most common attack against encryption is known as REVERSE LOOK-UP. Put simply, intelligence agencies create TRILLIONS of password keys, and calculate their equivalent encrypted 'twin'. Then they can look up any given encrypted key, compare against their database, and likely find an entry for the original password. Their are actually commercial services that offer, for a fee, password 'recovery' for all the purposely WEAK encryption options provided by major providers like Microsoft and Apple, using such database methods.
Clearly, when your password is used to identify you, not merely activating decryption (as with Truecrypt), the service providing the recognition either stores lists of passwords in plain text (yes, many still do this) or use the very vulnerable encrypted twin method. The NSA actively seeks to accumulate every possible (IN USE) password to store on its password cracking database. While the space of all possible passwords is far too vast to crack, the space of ALL passwords actually in use is trivial to store in a giant database. The NSA assumes 99.999% of all password cracking tasks can be achieved by referring to this database of 'passwords actually used by people'.
And before the usual vile shills step in, of course it is ALWAYS possible to 'create' a password that is NOT vulnerable to this form of attack, but most people following this route will create an IMPOSSIBLE to remember random string that they WILL write down in some easy to guess place. Using good logic, it is possible to create password phrases that are both easy for the individual to recall, but fiendishly difficult for the NSA to attack. You will notice the TOTAL lack of Slashdot stories on how to create such password phrases.
The sheeple are NEVER encouraged to engage in strong security practices, for obvious reasons.
If we seriously wanted to know if it was necessary and sufficient, I'd suggest we ask Whitfield Diffie, who is a nice man and would probably answer...
davecb@spamcop.net
People are getting tired of the ads carefully camouflaged as articles...
This one is a deal with SupplyFrame, who recently acquired hackaday (Good bye hack-a-day.)
Hopefully somebody comes up with a better slashdot in a couple of years...FSCK DICE HOLDINGS!
And something else you have?
What's the point of introducing a PIN-locked smart card? The PIN is what matters in this case, since both the device and the card need to be kept together anyway. All adding complexity does here is create an easier way to lose access to your credentials.
Why not handle it like OS X's Keychain, where your passphrase unlocks the encrypted secret... while the secret and the data store are on the same device?
#DeleteChrome
Why is it 2013 and we still are not using something like a Common Access Card? Banks and credit card issues are really missing the boat on these things.
For example, set up a profile with American Express, and they send you a credit card which doubles as a smart card, and they also send you a USB reader. You want to by something from the brand new site example.com, you add it to your cart, then on checkout you authenticate against the card with a PIN, which then authenticates a PKI certificate with the provider. Upon success, the shipping info and payment is provided to the vendor on the backend.
You never had to login to example.com or provide any information, example.com can't retain anything but metadata, a shipment address and that you paid with an AmEx card. Clearly there are better solutions which could swallow/blackout additional information, but I'm just very surprised banks aren't all over this.
Other than my browser forgets my passwords at the worst possible time, why not do this in a browser plug-in? Right-click a password field, generate a GUUID or something, save it, and use it as the password? You could encrypt the passwords in a file as easily as on a hardware card - same encryption.
I think the idea is that a keylogger is already installed on your phone when you buy it. Because the free parts of Android's userspace are Apache licensed, not copylefted, the carrier isn't obligated to provide complete corresponding source code along with the phone to ensure that your handset doesn't already have covert snooping software to comply with CALEA and its sequels.
.....gives me that already
Sounds very much like ironkey ( ironkey.com)
The Secret Questions to reset your password are.
I've been wanting to do this for quite some time with an old Android phone. It provides a touch-screen interface. Many include a MicroSD meaning you can add software/updates to it without ever networking it. Kernel source is available for many, so you can build with the Linux HID Gadget driver to make it behave like a keyboard. Plus, people have the devices sitting around idle.
Douglas Adams, right again.
"It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense. "
-Mostly Harmless, 1992
i could live a little longer in this prison
An offline PDA with a pin code protection. Enter the secret passwords as notes, and then you have all your passwords with a good pin, on a device that would be too slow to bruteforce the 8 digit pin.
Battery lasts 6 months, its the size of a credit card. You could program it by plugging it into the PCMCIA slot of a laptop but I cut off that port for security.
http://www.engadget.com/products/xircom/rex-6000/
It's sadly no longer made, but if they were made they could be much thinner, much easier to use with a battery lasting a year or two.
OpenID enabled websites offer you the opportunity to go further: send no password at all over the network.
OpenID relies on an Identity Provider (IdP) to validate your identity. You can set up your own IdP, and if you have a PKCS11 compliant smart card, your web browser can use it to perform client certificate authentication to the IdP using the certificate and private key stored in the smart card.
Just use Keepass or a text editor in a trusted AppVM, plus the secured copy+paste in Qubes OS.
I doubt any remote attacker could take your passwords then.
It's a large notepad with "DON'T READ THIS! SECRETS INSIDE!" written in large, visible text on the outside. I haven't lost the penny from my bank account yet!
A ten million character password will not save you from companies that practice bad verification habits vs social engineering. I've been able to get my password reset with less than 25 percent accurate information, no lost password it was just out of curiosity. I have it reset on AOL with every single security wrong except my name because I have an "honest" voice.
You're going after anything you can pick up on by shooting the shit
Mood - bad mood = call again and get new rep
Gullibility - telling a story that's obviously bullshit - which will work with intellectual superiority very nice
Age - helps the topic
Misdirecting questions - to break their train of thought on company policy
Intellectual superiority - because people like teaching, it makes them feel smart especially if they think they're helping someone too fucking stupid to even remember their security questions.
Shift times - to catch people that's about to get off because they just want to go home asap
Are you allowed to chat at work because you sound like one cool mother fucker and if yes strap in because they're opening up the possibility for a world of hurt..
Death - people are more likely to help someone they feel sorry for
That's just for starters..
Just have one general passwords for all the public sites + the site name to generate a single password using md5 or sha hash
For example. To enter to slashdot acount:
echo -n "mypassword-slashdot.org" | openssl dgst -sha -binary | base64 | cut -c 2-12
The password is: BlcjPe1rmBD
Or if you have multiple acounts in one website:
echo -n "mypassword-websiteusername-slashdot.org" | openssl dgst -sha -binary | base64 | cut -c 2-12
SeDzD5LzFtF
That's will be great to implement inside a arduino :D
This idea of one password to rule them all is not new, in fact, Lastpass has already developed a perfect TNO (Trust No One) password storage system.
And it's free on all your computers
They charge $1 per month to use on mobile devices.
Violates the first rule of passwords. Don't EVER write them down.
http://supergenpass.com/ is probably the best solution I've seen that's both effective and easily setup. No 3rd party software, no special hardware, no online service. Just a chunk of javascript that's open for review.
Why does the world insist on using passwords when we have RSA?
If it ain't broke, don't fix it.
Your physical pocket! Store them on a USB stick, encrypted with something like Identikey (http://marquisdegeek.com/rnd_identikey.php), and don't let it out of your sight! You could probably install this to the SD card in your phone. Since virtually everyone protects their phone like the crown jewels, it's less likely to be compromised that a server owned by someone that doesn't care as much about your details as you do.