[conspire] storing passwords

Rick Moen rick at linuxmafia.com
Tue Apr 4 13:18:55 PDT 2017


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> Hence the links that began this thread.

Yes, I do appreciate the category of device typified by PassType, 
mentioned at the top of this thread by Paul Zander 
(http://linuxmafia.com/pipermail/conspire/2017-March/008793.html).
I actually had not had time to follow his link then, only read his
description of it.  I've just now started looking at the referenced 
project,
http://www.instructables.com/id/Password-Manager-Typer-Macro-Payload-All-in-ONE/ , 
though I still honestly have too little time to spare to look in detail.

Project name is instructive:  PassType is from 'PASSword TYPE in
device'.  So, basic idea is to make a USB-connectable widget that
presents as a HID (human interfaced device), e.g., a keyboard, to type
passwords & similar text credentials for you upon user deployment.
Physically, it's in the predictable size & form factor, about the same
as a thumb drive.  Local user input on the device itself is via a 5-way
'tactile switch' that they describe as joystick-like (or, I guess, IBM
TrackPad-like).  Local display output is on a tiny LED screen.

We've almost reached the bad news.  Storage is a 32kB EEPROM, though you
can use a bigger one.  (Wow, so little in 2017?  This strongly hints at
the bad news, that is knocking on the door, now.)   This is said to be
enough to store 250 or more passwords, indeed in my experience enough
for most people.

RAM is unstated, but that's because -- ta-da! introducing the bad news
-- the sole processor is an Arduino.

Which tells me without reading anything else that there is no encrypted
storage, let alone good crypto storage, and only extremely primitive
anything, because an Arduino is good enough to replace a Rainbird
watering controller for a vegetable garden and lawn, but is not even a
real computer by 1985 standards.

No crypto means this widget has exactly the same functionality as a
pad of 250 mini-PostIts in my pocket with passwords written on them,
except that it can also type those passwords into a USB port.

Eh, no.  A worthy hobbyist effort to explore ultra-simple
USB-connectable devices, but fails to meet spec for any serious 
attempt to store passwords unless you have total faith in your 
physical control of that device.  It's exactly as secure as a pad of
PostIts in your pocket, and I don't think that's OK.






