[conspire] storing passwords
Daniel Gimpelevich
daniel at gimpelevich.san-francisco.ca.us
Tue Apr 4 21:55:15 PDT 2017

On Tue, 2017-04-04 at 13:18 -0700, Rick Moen wrote:
> Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
>
> > Hence the links that began this thread.
>
> Yes, I do appreciate the category of device typified by PassType,
> mentioned at the top of this thread by Paul Zander
> (http://linuxmafia.com/pipermail/conspire/2017-March/008793.html).
> I actually had not had time to follow his link then, only read his
> description of it. I've just now started looking at the referenced
> project,
> http://www.instructables.com/id/Password-Manager-Typer-Macro-Payload-All-in-ONE/ ,
> though I still honestly have too little time to spare to look in detail.
>
> Project name is instructive: PassType is from 'PASSword TYPE in
> device'. So, basic idea is to make a USB-connectable widget that
> presents as a HID (human interfaced device), e.g., a keyboard, to type
> passwords & similar text credentials for you upon user deployment.
> Physically, it's in the predictable size & form factor of about the same
> as a thumb drive. Local user input on the device itself is via a 5-way
> 'tactile switch' that they describe as joystick-like (or, I guess, IBM
> TrackPad-like). Local display output is on a tiny LED screen.
>
> We've almost reached the bad news. Storage is a 32kB EEPROM, though you
> can use a bigger one. (Wow, so little in 2017? This strongly hints at
> the bad news, that is knocking on the door, now.) This is said to be
> enough to store 250 or more passwords, indeed in my experience enough
> for most people.
>
> RAM is unstated, but that's because -- ta-da! introducing the bad news
> -- the sole processor is an Arduino.
>
> Which tells me without reading anything else that there is no encrypted
> storage, let alone good crypto storage, and only extremely primitive
> anything, because an Arduino is good enough to replace a Rainbird
> watering controller for a vegetable garden and lawn, but is not even a
> real computer by 1985 standards.
>
> No crypto means this widget has exactly the same functionality as a
> pad of 250 mini-PostIts in my pocket with passwords written on them,
> except that it can also type those passwords into a USB port.
>
> Eh, no. A worthy hobbyist effort to explore ultra-simple
> USB-connectable devices, but fails to meet spec for any serious
> attempt to store passwords unless you have total faith in your
> physical control of that device. It's exactly as secure as a pad of
> PostIts in your pocket, and I don't think that's OK.

Yes, well, as I previously stated:

> Of special note are the comments on the page by ia42 and by SuperSonik,
> and the comment by robertbu is also interesting.