Forgot your password?
typodupeerror
Security

Storing Your Encrypted Passwords Offline On a Dedicated Device 107

Posted by samzenpus
from the built-to-last dept.
An anonymous reader writes "The Hackaday writer Mathieu Stephan (alias limpkin) has just launched a new open source/hardware project together with the Hackaday community. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating long and complex random passwords for the different websites people use daily. It consists of a main device where users' credentials are encrypted, and a PIN locked smartcard containing the encryption key. Simply visit a website and the device will ask for confirmation to enter your credentials when you need to login. All development steps will be documented and all resources available for review."
This discussion has been archived. No new comments can be posted.

Storing Your Encrypted Passwords Offline On a Dedicated Device

Comments Filter:
  • US Military pretty much does this with their Common Access Cards (CAC). It doubles as our government ID card and stores certificates that are used to identify individuals on government sites. I like that system as it allows me to remember a simple master password (a PIN) and the passwords are stored somewhere secure.

    Not sure how useful this system would be if people continue to use passwords like 'password.' Combining this with KeePass or something similar would be nice.
    • by DrTime (838124)
      The government uses key loaders and a unique rugged serial connector in legacy key loaders. These are used with cryptographic and secure communication equipment. Look up the KYK-14 and KIK-30. I've even used paper tape key loaders, a long time ago. Some more "modern" key loaders are based on legacy PDA hardware. I haven't worked with these things in years. These devices use numerous techniques to protect keys, a USB device with good protection would be nice and might be a good kick starter venture.
      • He's not talking about an ANCD or other transfer device. He's talking about our Common Access Cards (CAC) [cac.mil], by which we authenticate to DoD resources on the Web. The CAC has an encryption chip embedded in it, as well as some storage for certificates. I have a Smartcard reader [amazon.com] attached to a USB port on my computer. When I need to get into a military website, I place my CAC in the reader. Windows 7 and 8 have built-in drivers for smart cards, and the web site will send a request for authentication to my compu

  • How does this differ from using KeePass and keeping the password safe on Dropbox?
    • Not well, from what I can see. It requires buying/building hardware, and you have to remember to take the device if you want to access a stored password away from home. KeePass + Dropbox goes everywhere my phone does.

      • by stenvar (2789879)

        The problem with that is that nothing that you enter on your phone or that's displayed on your phone is even remotely secure: your carrier, your phone vendor, various intelligence agencies, and police can all compromise your phone at the push of a button.

        • An attack like that would require installation of a keylogger. I don't recall any evidence that such a system can be installed remotely (though I don't discount the possibility). I suspect, however, that an attacker sufficiently motivated to install a keylogger would not be deterred by the necessity of installing it on another device.
          • I think the idea is that a keylogger is already installed on your phone when you buy it. Because the free parts of Android's userspace are Apache licensed, not copylefted, the carrier isn't obligated to provide complete corresponding source code along with the phone to ensure that your handset doesn't already have covert snooping software to comply with CALEA [wikipedia.org] and its sequels.
          • by chihowa (366380) *

            It's happened once before [wikipedia.org], it could certainly happen again. Google can remotely install applications to an Android phone (with Google's app store installed) at the click of a button. How else do you think apps are automatically installed when you buy them on the Play website or updated in the background. Apple may have some means to do this as well.

            There are ways to make your phone more secure, but most phones are under the control of third parties.

          • by stenvar (2789879)

            On both the smartphone OS and the GSM portion, a keylogger can be installed as part of any OS update, or many application updates. Carriers, phone vendors, spy agencies, and police clearly all have had that capability for a while, and it's been in use.

  • by YesIAmAScript (886271) on Sunday December 08, 2013 @02:56PM (#45633805)

    It's not offline.

    This really is some guy just using a system he thinks is less likely to be compromised. Well, that's what everyone else does too.

    • by chihowa (366380) * on Sunday December 08, 2013 @03:18PM (#45633899)

      The way it's described in TFA, you can't "access it on a website" (whatever that means).

      It's a USB device that generates and stores passwords. The stored passwords are encrypted using a key contained in a smartcard. When you want a password, you use the touchscreen on the device to generate or decrypt a password and spit it out to the computer (presumably, the device looks to the computer like a HID keyboard device).

      The only communication would, therefore, be from the device to the computer. All user interaction is through the device's touchscreen. The smartcard handles the security.

      It's not a bad approach, though it would/could be ridiculously clumsy to use once you have accumulated hundreds or thousands of passwords.

      • by Anonymous Coward

        The way it's described in TFA, you can't "access it on a website" (whatever that means).

        It's a USB device that generates and stores passwords. The stored passwords are encrypted using a key contained in a smartcard. When you want a password, you use the touchscreen on the device to generate or decrypt a password and spit it out to the computer (presumably, the device looks to the computer like a HID keyboard device).

        The only communication would, therefore, be from the device to the computer. All user interaction is through the device's touchscreen. The smartcard handles the security.

        It's not a bad approach, though it would/could be ridiculously clumsy to use once you have accumulated hundreds or thousands of passwords.

        Tools like Keepass have browser plugins to recognize what site you are on and call up the right password (or whatever fields need to be filled) accordingly. This sounds like taking that and moving the key onto an external device to remove the chances of a keylogger giving the perps the password to your whole keychain. Its effectiveness is limited by the fact that you very well could be giving away your most important passwords anyway, if a keylogger is around. The best defense is still a strong antivirus

      • Oh. Okay. The single page project page wasn't all that descriptive so I went by the summary partly and stated you had to go to a website and enter a PIN to log in. It wasn't particularly clear.

        If this is just a smartcard, then this system has been in use for at least a decade. MS' internal VPN system used a smartcard login system, and IE supports it. That system is even more secure actually because it uses a challenge response and a PIN, it doesn't just decrypt a password which can be captured on the host c

      • by SuricouRaven (1897204) on Sunday December 08, 2013 @04:10PM (#45634137)

        Clumsy is precisely the problem.

        Three mail accounts. Laptop bios, laptop login, laptop root. Several encrypted archival hard drives. Slashdot login. The Register account. Furaffinity account. Home server user password, home server drive encryption password, home server root password. Minecraft account. Ukfur forum password. Work user password. Work domain admin password. Work test user account passwords. Ebuyer account password. Ebay password. Paypal password. GPG private key password. Retroshare private key password. Three sites I'd rather not mention. 1and1 hosting password. Domain name registrar password.

        That's just what I can remember right now, so it's probably around half of what I actually have. How do I remember so many? I don't. Very few humans are capable of that. It's bordering on impossible. You need to either have a list somewhere written down, or reuse passwords a lot. Neither option is ideal - both introduce security vulnerabilities.

        • Re: (Score:3, Insightful)

          by SuricouRaven (1897204)

          Thought up some more: Furrymuck, latitude and SPR much passwords. EVE online password. two IRC nameserv passwords. Work computer bios passwords. Work network switch passwords. Combination to my wall safe. Unlock code for my phone. Unlock code for my tablet. Two internet banking passwords. Somewhere out there, a disused Second Life account from before I concluded it is crap.

          At least I don't have a facebook account.

          • by antdude (79039)

            Actually, you do have a Facebook account since I am your account with your password. [grin]

        • by Chozabu (974192)
          Well, it does not have to be clumsy, particularly on your home computer with a little extra software
          • it could have decent search on the device
          • it could launch websites, and login
          • auto login to websites
          • launch apps and login?
        • You can use a single password, combined with the url of the website, to generate unique passwords for each website, via a hashing algorithm.

          One implementation of this is: https://github.com/hughperkins/openpw [github.com] , which is a derivative of http://angel.net/~nic/passwd.current.html [angel.net] There are other implementations around.

          The advantage of this system is:
          - only one password to remember
          - if a website gets hacked, that password can't be used on other websites, and can't realistically be used to obtain your master pa

      • If we seriously wanted to know if it was necessary and sufficient, I'd suggest we ask Whitfield Diffie, who is a nice man and would probably answer...
      • by Vesvvi (1501135)

        I don't understand why there is so much effort placed on storing passwords. We already know what to do with passwords from the perspective of the server: discard them as soon as possible!

        The password should be salted and hashed immediately, and it should never be stored in plaintext. So let's not store them at all: let the user remember the risky password, and encrypt it as soon as possible. It's a validated methodology, and it removes many/most of the trust issues of the user/server relationship: I don'

        • by tepples (727027)
          How would your HMAC-like method of combining the site name with your private key work around error messages like these?
          • Your password doesn't have an uppercase character.
          • Your password doesn't have a punctuation mark.
          • Your password contains a forbidden punctuation mark.
          • Your password is too long.
          • Your password has expired; please change it.
          • Your password matches a password that you have previously used on this site.
          • Your laptop/tablet is not allowed on our network. Instead, use our [possibly keylogged] Internet
          • by Vesvvi (1501135)

            It doesn't specifically solve any of those problems (except forbidden punctuation mark), although it simplifies them a bit.

            Required characters (uppercase, punctuation, numbers) can be added post-hash as an insecure suffix to meet site requirements. These don't add any security, so you can carry them around with you, put them on a public website, or leave them on a sticky note on your monitor: "work suffix: #U1_. Github suffix: (#$JHi/."

            The same thing can be said for length issues, although I've found that

  • by tsa (15680) on Sunday December 08, 2013 @03:25PM (#45633941) Homepage

    I store my passwords on a piece of paper. Works fine for me.

  • And something else you have?

    What's the point of introducing a PIN-locked smart card? The PIN is what matters in this case, since both the device and the card need to be kept together anyway. All adding complexity does here is create an easier way to lose access to your credentials.

    Why not handle it like OS X's Keychain, where your passphrase unlocks the encrypted secret... while the secret and the data store are on the same device?

    • Why not handle it like OS X's Keychain, where your passphrase unlocks the encrypted secret... while the secret and the data store are on the same device?

      The trouble is that you end up storing your secret and your data on the same device as your big, complex, modern OS, your web browser, and all the other neat network connected stuff you may have installed. Anything goes wrong with all that, and it isn't a secret anymore.

  • .....gives me that already
    • by gnoshi (314933)

      No, it really doesn't!
      If someone compromises your machine, they can capture your keepass database and your password.

      With this device, you're not entering your password into a system running piles of software that virtually no-one ever personally fully verifies (and how can they? Too much code), and furthermore if your password is captured you can't just clone the database to get all the passwords.

      Keepass on Dropbox + keyfile on local devices + password is pretty good, but it isn't as good as this device fro

  • I've been wanting to do this for quite some time with an old Android phone. It provides a touch-screen interface. Many include a MicroSD meaning you can add software/updates to it without ever networking it. Kernel source is available for many, so you can build with the Linux HID Gadget driver to make it behave like a keyboard. Plus, people have the devices sitting around idle.

  • by pezpunk (205653) on Sunday December 08, 2013 @08:16PM (#45635313) Homepage

    Douglas Adams, right again.

    "It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

    Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense. "
    -Mostly Harmless, 1992

  • OpenID enabled websites offer you the opportunity to go further: send no password at all over the network.

    OpenID relies on an Identity Provider (IdP) to validate your identity. You can set up your own IdP, and if you have a PKCS11 compliant smart card, your web browser can use it to perform client certificate authentication to the IdP using the certificate and private key stored in the smart card.

  • Just use Keepass or a text editor in a trusted AppVM, plus the secured copy+paste in Qubes OS.

    I doubt any remote attacker could take your passwords then.

  • Why does the world insist on using passwords when we have RSA?

"Tell the truth and run." -- Yugoslav proverb

Working...