Slashdot Mirror


Storing Your Encrypted Passwords Offline On a Dedicated Device

An anonymous reader writes "The Hackaday writer Mathieu Stephan (alias limpkin) has just launched a new open source/hardware project together with the Hackaday community. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating long and complex random passwords for the different websites people use daily. It consists of a main device where users' credentials are encrypted, and a PIN locked smartcard containing the encryption key. Simply visit a website and the device will ask for confirmation to enter your credentials when you need to login. All development steps will be documented and all resources available for review."

11 of 107 comments

  1. if you can access it on a website by YesIAmAScript · · Score: 2, Insightful

    It's not offline.

    This really is some guy just using a system he thinks is less likely to be compromised. Well, that's what everyone else does too.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:if you can access it on a website by chihowa · · Score: 4, Informative

      The way it's described in TFA, you can't "access it on a website" (whatever that means).

      It's a USB device that generates and stores passwords. The stored passwords are encrypted using a key contained in a smartcard. When you want a password, you use the touchscreen on the device to generate or decrypt a password and spit it out to the computer (presumably, the device looks to the computer like a HID keyboard device).

      The only communication would, therefore, be from the device to the computer. All user interaction is through the device's touchscreen. The smartcard handles the security.

      It's not a bad approach, though it would/could be ridiculously clumsy to use once you have accumulated hundreds or thousands of passwords.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    2. Re:if you can access it on a website by SuricouRaven · · Score: 3, Insightful

      Clumsy is precisely the problem.

      Three mail accounts. Laptop bios, laptop login, laptop root. Several encrypted archival hard drives. Slashdot login. The Register account. Furaffinity account. Home server user password, home server drive encryption password, home server root password. Minecraft account. Ukfur forum password. Work user password. Work domain admin password. Work test user account passwords. Ebuyer account password. Ebay password. Paypal password. GPG private key password. Retroshare private key password. Three sites I'd rather not mention. 1and1 hosting password. Domain name registrar password.

      That's just what I can remember right now, so it's probably around half of what I actually have. How do I remember so many? I don't. Very few humans are capable of that. It's bordering on impossible. You need to either have a list somewhere written down, or reuse passwords a lot. Neither option is ideal - both introduce security vulnerabilities.

    3. Re:if you can access it on a website by SuricouRaven · · Score: 2, Insightful

      Thought up some more: Furrymuck, latitude and SPR much passwords. EVE online password. two IRC nameserv passwords. Work computer bios passwords. Work network switch passwords. Combination to my wall safe. Unlock code for my phone. Unlock code for my tablet. Two internet banking passwords. Somewhere out there, a disused Second Life account from before I concluded it is crap.

      At least I don't have a facebook account.

    4. Re:if you can access it on a website by hughperkins · · Score: 2

      You can use a single password, combined with the url of the website, to generate unique passwords for each website, via a hashing algorithm.

      One implementation of this is: https://github.com/hughperkins/openpw , which is a derivative of http://angel.net/~nic/passwd.current.html . There are other implementations around.

      The advantage of this system is:
      - only one password to remember
      - if a website gets hacked, that password can't be used on other websites, and can't realistically be used to obtain your master password, assuming they even know which algorithm you're using, which is unlikely
      - unlike a password safe, you don't need to handle making backups, replicating the backups around, and so on
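
      As an added illustration of the scheme described above (my own code, not openpw or the angel.net script), this derives a per-site password from one master secret plus the URL's host, using a memory-hard KDF and a rotation counter so that a site whose password leaks can be given a new one without changing the master; the alphabet, cost parameters and function names are my own assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# 64 symbols: 256 is a multiple of 64, so mapping bytes with "%" introduces no bias.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@")


def site_key(url: str) -> str:
    """Normalise a URL to its bare host so that /login and /settings on the
    same site, with or without "www.", yield the same password."""
    if "://" not in url:
        url = "https://" + url          # assume a scheme if the user typed only a host
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, url: str,
                         counter: int = 0, length: int = 20) -> str:
    """Derive a site-specific password from the master secret.

    The salt binds the output to the host and a rotation counter, so bumping
    the counter gives a fresh password for one site while the master stays
    the same.  scrypt (cost values are assumed, not from the comment) makes
    each guess of the master from a leaked site password slow and memory
    hungry even when the attacker knows exactly which algorithm is used.
    """
    salt = f"{site_key(url)}|{counter}".encode()
    raw = hashlib.scrypt(master.encode(), salt=salt,
                         n=2 ** 14, r=8, p=1,
                         maxmem=64 * 1024 * 1024, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


if __name__ == "__main__":
    master = "constructed master secret"   # sample value, not a real secret
    for url in ("https://example.com/login", "http://www.example.com/settings",
                "https://example.org/"):
        print(url, "->", derive_site_password(master, url))
    print("rotated   ->", derive_site_password(master, "example.com", counter=1))
```

      The two example.com URLs print the same password, example.org a different one, and the rotated entry differs from both.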

  2. Re:it's been done? by Cid+Highwind · · Score: 2

    Not well, from what I can see. It requires buying/building hardware, and you have to remember to take the device if you want to access a stored password away from home. KeePass + Dropbox goes everywhere my phone does.

    --
    0 1 - just my two bits
  3. Paper by tsa · · Score: 2

    I store my passwords on a piece of paper. Works fine for me.

    --
    Cheers!

  4. Re:it's been done? by stenvar · · Score: 2

    The problem with that is that nothing that you enter on your phone or that's displayed on your phone is even remotely secure: your carrier, your phone vendor, various intelligence agencies, and police can all compromise your phone at the push of a button.

  5. Re:Prior Art by DrTime · · Score: 2

    The government uses key loaders and a unique rugged serial connector in legacy key loaders. These are used with cryptographic and secure communication equipment. Look up the KYK-14 and KIK-30. I've even used paper tape key loaders, a long time ago. Some more "modern" key loaders are based on legacy PDA hardware. I haven't worked with these things in years. These devices use numerous techniques to protect keys, a USB device with good protection would be nice and might be a good kick starter venture.

  6. so basically an ident-i-eeze. by pezpunk · · Score: 4, Interesting

    Douglas Adams, right again.

    "It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

    Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense."
    -Mostly Harmless, 1992

    --
    i could live a little longer in this prison
  7. Re:it's been done? by gmhowell · · Score: 3, Funny

    I don't understand your point about divulging a password. Why would one do that?

    To make the men in black stop hitting you with hammers?

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon