Meet Lynx, a (costly) Offline Password Keeper

Maybe because he didn’t want to wait for the Mooltipass to be produced, [davidhend] built himself his own offline password keeper, named Lynx.

It is based around an Arduino Pro 328, a 2.8″ TFT touch screen, an RFID card reader, an FTDI basic breakout and finally a li-ion battery. Lynx is therefore self-powered, and an RFID card is used to unlock the XOR-encrypted passwords stored on an SD card. The USB serial connection that sends the passwords to the computer also charges the battery. The current BoM cost is around $220, but we’re quite sure it can be made much more cheaply when not using pre-made boards. Looking at the official GitHub repository tells us that the XOR key is stored inside the microcontroller and that Lynx checks the RFID card code to allow encryption/decryption.
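The storage scheme described above, sketched as an added example that is not taken from the Lynx repository, shows why a key kept in the microcontroller does little for entries that sit XOR-encrypted on a removable SD card. It assumes one fixed key repeated over each entry and reused for all entries; the key bytes, sample entries and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 8 /* length of each constructed sample entry */

/* Assumption: one fixed key, repeated over each entry and reused for all
 * entries. Key bytes and entries below are constructed sample values. */
static const uint8_t DEVICE_KEY[4] = {0x4c, 0x59, 0x4e, 0x58};

/* XOR is its own inverse, so this both "encrypts" and "decrypts". */
static void xor_buf(const uint8_t *in, const uint8_t *key, size_t klen,
                    uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % klen];
}

/* Weakness 1: ciphertext XOR plaintext of any one known entry is the
 * key stream itself. Returns 1 if it equals the device key, repeated. */
int known_entry_reveals_key(void)
{
    static const uint8_t known[] = "example1";
    uint8_t ct[N], ks[N];
    xor_buf(known, DEVICE_KEY, sizeof DEVICE_KEY, ct, N);
    xor_buf(ct, known, N, ks, N); /* ks = ct ^ known */
    return memcmp(ks, DEVICE_KEY, 4) == 0 && memcmp(ks + 4, DEVICE_KEY, 4) == 0;
}

/* Weakness 2: the key cancels between two stored entries, so
 * c1 ^ c2 == p1 ^ p2 without any knowledge of the key. */
int key_cancels_between_entries(void)
{
    static const uint8_t p1[] = "example1", p2[] = "Tr0ub4d&";
    uint8_t c1[N], c2[N], cx[N], px[N];
    xor_buf(p1, DEVICE_KEY, sizeof DEVICE_KEY, c1, N);
    xor_buf(p2, DEVICE_KEY, sizeof DEVICE_KEY, c2, N);
    xor_buf(c1, c2, N, cx, N); /* c1 ^ c2 */
    xor_buf(p1, p2, N, px, N); /* p1 ^ p2 */
    return memcmp(cx, px, N) == 0;
}

int main(void)
{
    printf("known entry reveals key: %d\n", known_entry_reveals_key());
    printf("key cancels between entries: %d\n", key_cancels_between_entries());
    return 0;
}
```

Both properties hold for any key value, which is why an authenticated cipher with a per-entry nonce is the usual replacement for this construction.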

On a side note, we recently published a FAQ on the official Mooltipass GitHub. You’re welcome to let us know what questions we may have forgotten.

Comments

  1. fred says:

    neat project, but should probably replace the XOR encryption with something a bit more secure

  2. HC says:

    I must admit I still fail to see the utility in these devices.

    • matt says:

      there isn’t any, it is just an excuse of people to justify working on an arduino. they’re all designed and implemented so poorly that they really do little to nothing to improve security. for christ sakes this thing at $220 is held together with electrical tape, that should tell you all you need to know about how much effort went into this.

    • K says:

      Password keepers can be handy. I find myself having to remember so many passwords that I start reusing without realizing it (all of my passwords are long phrases). I am kind of interested in the mooltipass, but only if it demonstrates real security features, i.e. 3 factor authentication, good encryption, etc. As matt says, this particular device is less than stellar, and is just an excuse to make something. Kudos on making the thing, now work on improving it in pretty much every way.

      Everyone has gotta start somewhere.

      • fartface says:

        And just buy one of the secure ones…

        http://www.mandylionlabs.com/

        Works great, is tough enough to live on my keychain for 3 years now, and is secure enough to self destroy the contents after 3 attempts to turn it on incorrectly

        • matt says:

          They don’t offer any substantial documentation, and their website is essentially nothing more than a listing of American regulations without stating how exactly this device helps you to comply with them. How the hell do you even enter the pin for this device, by pressing a directional pad god knows how many times? Well considering that their e-store page is offline, and their website hasn’t been updated since 2006 ought to tell you all you need to know about how successful this product is. If you really want a password keeper which will lock you out after so many successful attempts go buy an old blackberry, enable encryption and lock out attempts, and store your passwords on it. That product has at least been analyzed by lots of people unlike anything you’ll see on HaD or that mandylion device.

  3. Jim Turner says:

    papyrus! but perhaps that’s the joke of this thing?

  4. Edgar Vice says:

    LULZ, it’s like I would name my project coca cola

  5. Irish says:

    Why not just use KeePass or any other portable password keeper software on a thumb drive? More secure and less cost.

  6. shanon says:

    sounds yummy enough for bitcoin ;)

  7. rwb65 says:

    How about an old Palm M100 with any number of password apps at http://www.mobyware.net/

  8. William DeRieux says:

    lynx? Might want to consider a different name … lest someone thinks this is related to the ncurses browser.

  9. anon says:

    “xor” and “encryption” do not belong in the same sentence unless the words “is not” are between them.

    • matt says:

      Technically xor operations are used heavily in encryption algorithms. But yeah you’re right, when it is the only operation present, “is not” ought to be used.

      • not-the-same-anon says:

        Just as a rubber tire is not a dump truck, XOR is not encryption. Things can be composed into other things, but that does not mean they are a replacement for the entirety of what they compose.

        Conflating the two by saying that it might be in some circumstances an encryption method only further enables people to use it as an encryption method.

  10. XOIIO says:

    I have a free one of these, it’s called my brain. Definitely not going to spend $220 on something like this.

  11. Sheff says:

    lynx is the name of the public transport in the Orlando Florida area … any copyright infringement going on here?
    as for the browser lynx, don’t think I have heard of it.

  12. Tyson says:

    This article in a nutshell: “oh look at this project that’s similar to ours…it sucks though so ours is better.” If you want to both cover projects fairly and develop your own as well you might want to set up some ethical boundaries.
