USBPass – A Mooltipass-like Project

Readers of our Developed on Hackaday series may recall a sentence we wrote: “if one’s idea is not yet in the market, it’s either completely stupid or people are already working on it”. Well, [Josh], who recently subscribed to our Google group, casually mentioned that he is also working on an offline password keeper. Similarly to the Hackaday-developed platform, the USBPass is connected to a computer via USB and is detected as an HID keyboard. As you can see in the picture shown above, it uses very few components: an ATmega32U2, a USB connector, three buttons and a few passives.

A total of 20 passwords can be stored in the microcontroller’s memory, which can be ‘typed’ by the platform using the push buttons. The USBPass firmware is based around the LUFA USB stack, to which [Josh] added HID report functionality to allow data transfer from his desktop application. The latter uses the Linux/Windows/OS X HID API library so bringing his software to other operating systems can be done in no time. All the project resources can be found on GitHub, while [Josh] is currently working on a B revision which will include an OLED screen.

15 thoughts on “USBPass – A Mooltipass-like Project”

  1. I hope there is a plan to expand the number of stored passwords, 20 is not useful.

    It appears that there is no plan to prevent others from discovering the passwords when the device is misplaced or stolen.

    This is really no more sophisticated than writing down the passwords on a piece of paper.

    1. I am guessing that the password data is stored on the 1K byte EEPROM.

      Assuming 16 bytes each for Website name, user ID and password, that’s
      about 50 bytes per entry and you can roughly store 20 of them in 1KB.

      Seeing that the device has 32KB for program storage which I would expect
      not anywhere near filled, the capacity *could* be expanded there with a bit
      more work to handle wear leveling/allocation and access to program
      memory etc.

      1. Wear-leveling seems like overkill for a device that is designed to hold onto a value indefinitely. If you intend to change your password on a daily/weekly basis you’re far better off with 2-factor authentication.

    2. My next revision (no time schedule currently ;-) will likely have some kind of display on it and at least 4 inputs. This should allow me to provide a reasonable way to enter a PIN number to unlock the device, similar to Mooltipass.

      After seeing the level of security already designed into Mooltipass, I’ve been tossing around the idea of doing a similar kind of pin-based encryption. However, I want to keep my hardware design as minuscule as possible, so I might use one of the surface mount variants of Atmel’s CryptoMemory. My only concern is that someone could maliciously lock out my USBPass by intentionally exhausting the pin-attempt counter, rendering the device nearly useless (could still operate in rev A mode). Mooltipass will have the same “problem”, but a replacement crypto card should be pretty cheap ;-)

    1. Right now? Nothing. The security of USBPass rests entirely on your ability to hold on to it, like the keys to your car or house. Unlike YubiKey however, the firmware is open source, so you or I could easily add a 3-button PIN input :-)

  2. I built one a couple years ago using an MBed processor…the next version I built with a smaller USB/Bluetooth device… Then recently I just moved to a Bluetooth device from Adafruit… http://www.adafruit.com/products/1535 works great.. Some people might say it won’t hold enough passwords for them, etc… and they might be right.. But for the few important ones, it works for me..

  3. Had the same thing 3 years ago, patented it in Belgium. Dubbed AnyKey ;). A month or so later I minified it to be the size of a key. Haven’t got around to finding funding for mass production:

    http://www.youtube.com/watch?v=aCeOeqHbQeM

    And no it’s not the same as putting it on a piece of paper for 2 reasons.
    1. It’s much faster to type in your password (add a four digit pincode if you’re paranoid about people copying it). But it allows you to have a password which is much more complex than you would normally choose to type in every day.

    2. On your keychain you have it everywhere and can also use it to type in that password on a colleague’s PC if he needs your login to do something (admit it, it happens in every office: can I ssh with that account for a sec… and you type on his PC and the colleague needs to look away for a while…). With a piece of paper people would be able to read it when they see your keychain; here they have to physically get your keychain, insert into a laptop and again see 1 hope you did not add a four digit pin before or after this long code it spits out. But it’s driverless and easier to use as is nowadays done with that piece of paper (which actually is also being done a lot, I see Post-its with passwords in many offices…).

    So yes it’s a nice gadget to have for the right price (sub 15$)…

    1. When I was researching for USBPass, one of the projects I found was a single-password device that types out the password as soon as it’s plugged in. The author’s idea was that you would have multiple of these keys, and you could use them in different orders to generate different combinations. Say, for website A, you insert device A then B, and for website B you insert B then A.

      Unfortunately I’ve forgotten now where I saw it, but I do remember finding it was a failed Kickstarter or Indiegogo.
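
The PIN-attempt counter and the lock-out worry raised in the comments above, as an added example (not USBPass, Mooltipass or CryptoMemory code): a PIN check with a persistent attempt counter, showing why the attempt is charged before the comparison and how exhausting the counter locks out even the correct PIN. `nv_state`, `try_unlock`, the 4-digit PIN and the budget of 4 attempts are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN   4   /* assumed PIN length */
#define MAX_TRIES 4   /* assumed attempt budget, not a value from the page */

/* Stand-in for state kept in non-volatile memory (EEPROM or a crypto chip). */
struct nv_state {
    uint8_t tries_left;
    uint8_t pin[PIN_LEN];
};

enum unlock_result { UNLOCK_OK, UNLOCK_BAD_PIN, UNLOCK_LOCKED };

/* Compare without an early exit so timing does not reveal matching digits. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

enum unlock_result try_unlock(struct nv_state *s, const uint8_t guess[PIN_LEN])
{
    if (s->tries_left == 0)
        return UNLOCK_LOCKED;      /* budget spent: even the right PIN fails */
    s->tries_left--;               /* charge the attempt BEFORE checking, so
                                      cutting power mid-check cannot refund it */
    if (!ct_equal(s->pin, guess, PIN_LEN))
        return UNLOCK_BAD_PIN;
    s->tries_left = MAX_TRIES;     /* success restores the full budget */
    return UNLOCK_OK;
}

int main(void)
{
    struct nv_state dev = { MAX_TRIES, {1, 2, 3, 4} };   /* constructed PIN */
    const uint8_t wrong[PIN_LEN] = {9, 9, 9, 9};
    const uint8_t right[PIN_LEN] = {1, 2, 3, 4};

    for (int i = 0; i < MAX_TRIES; i++)     /* someone burns the budget */
        try_unlock(&dev, wrong);
    printf("owner with correct PIN: %s\n",
           try_unlock(&dev, right) == UNLOCK_LOCKED ? "locked out" : "unlocked");
    return 0;
}
```

Firmware that wants to blunt the lock-out can replace the hard limit with growing delays between attempts, at the cost of weaker brute-force resistance for a short PIN.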
