USB Password Keeper Runs On Tiny Chip

The most important rule of password use, especially when used for online logins, is to avoid reusing passwords. From there, one’s method of keeping track of multiple passwords can vary considerably. While memorization is an option in theory, in practice a lot of people make use of a password manager like Lastpass or KeePass. For those with increased security concerns, though, you may want to implement a USB password keeper like this one based on an ATtiny.

This password keeper, called “snopf”, is a USB device with an ATtiny85 which adds a layer of separation to password keeping that increases security substantially. Passwords are created by the USB device itself using a 128-bit key to generate the passwords, which are physically detached from the computer. Password requests are made by the computer to the USB device, but the user must push a button on the snopf in order to send the password to the computer. It does this by emulating a keyboard, keeping the password information off of the computer’s clipboard.

Of course, snopf isn’t perfectly secure, and the project’s creator [Hajo] goes into detail on the project’s page about some of the potential vulnerabilities. For most use cases, though, none of these are of serious concern. Upgrading your password keeper to a physical device is likely to be a huge security improvement regardless, and one was actually developed on Hackaday a few years ago.

This Week In Security: Facebook Hacked Your Email, Cyber On The Power Grid, And A Nasty Zero-day

Ah, Facebook. Only you could mess up email verification this badly, and still get a million people to hand over their email address passwords. Yes, you read that right, Facebook’s email verification scheme was to ask users for their email address and email account password. During the verification, Facebook automatically downloaded the account’s contact list, with no warning and no way to opt out.

The amount of terrible here is mind-boggling, but perhaps we need a new security rule-of-thumb for these kind of situations. Don’t ever give an online service the password to a different service. In order to make use of a password in this case, it’s necessary to handle it in plain-text. It’s not certain how long Facebook stored these passwords, but they also recently disclosed that they have been storing millions of Facebook and Instagram passwords in plain-text internally.

This isn’t the first time Facebook has been called out for serious privacy shenanigans, either: In early 2018 it was revealed that the Facebook Android app had been uploading phone call records without informing users. Mark Zuckerberg has recently outlined his plan to give Facebook a new focus on privacy. Time will tell whether any real change will occur.

Cyber Can Mean Anything

Have you noticed that “cyber” has become a meaningless buzz-word, particularly when used by the usual suspects? The Department of Energy released a report that contained a vague but interesting sounding description of an event: “Cyber event that causes interruptions of electrical system operations.” This was noticed by news outlets, and people have been speculating ever since. What is frustrating about this is the wide range of meaning covered by the term “cyber event”. Was it an actual attack? Was Trinity shutting down the power stations, or did an intern trip over a power cord?
Continue reading “This Week In Security: Facebook Hacked Your Email, Cyber On The Power Grid, And A Nasty Zero-day”

Raspberry Pi Becomes The Encrypted Password Keeper You Need

Unless you’re one of the cool people who uses the same password everywhere, you might be in need of a hardware device that keeps your usernames and passwords handy. The Passkeeper is a hardware password storage system built on a Raspberry Pi. It encrypts your passwords, and only through the magic of a special key fob will you ever get your passwords out of this device.

The hardware for this device is built around the Raspberry Pi Zero. You might be questioning the use of a Pi Zero, but given that it’s an entire Linux system for just a few bucks, it only makes sense. The rest of the hardware is a tiny OLED SPI display, an RFID card reader, a few LEDs, some wire, and some solder. A 3D printed case keeps everything together.

Of course, this build is all about the software, and for that, the Passkeeper device is built in Go, with a system that builds a web interface, builds the firmware, and writes everything to an SD card. Usage is simply plugging the Passkeeper into the USB port of your computer where it presents itself as a network interface. Everything is available by pinging an IP address, and after that the web UI will log your usernames and passwords. All this data is encrypted, and can only be unlocked if an RFID key fob is present. It’s an interesting idea and certinaly inexpensive. It’s not quite as polished as something like the Mooltipass, but if you have a Pi around and don’t have a password keeper, this is something to build this weekend.

Hash And Roll Your Way To Secure Passwords

In the electronic battlefield that is 2019, the realm of password security is fraught with dangers. Websites from companies big and small leak like sieves, storing user data in completely unsecure ways. Just about the worst thing you can do is use the same password across several services, meaning that an attack on one gives entry to multiple accounts. The challenge is to generate a unique and secure password for each and every application, and [Ilia]’s way of doing that is called HashDice.

No, it’s not a password manager, or an app – it’s a simple method that can be readily applied by anyone with the right tools. A simple dice is used to create random numbers, which are used to select words from a list to form the basic secret phrase. This is then combined with the name of the service or application to be accessed, the date, and a salt, before hashing using the SHA256 algorithm. The final hash is then truncated to create the password. You can do it all on a device that’s airgapped from the world, ensuring your core secret is never exposed, thus maintaining security.

There are some pitfalls to this method, of course. Many websites make things harder by requiring special characters or enforcing length limits on passwords. [Ilia] helpfully suggests several workarounds for this, but admits that no system is perfect in the face of these obstacles.

If you’re now wondering if your current password is safe, there are ways to investigate that, too.

 

Ask Hackaday: Security Questions And Questionable Securities

Your first school. Your mother’s maiden name. Your favorite color. These are the questions we’re so used to answering when we’ve forgotten a password and need to get back into an account. They’re not a password, yet in many cases have just as much power. Despite this, they’re often based on incredibly insecure information.

Sarah Palin’s Yahoo account is perhaps the best example of this. In September 2008, a Google search netted a birthdate, ZIP code, and where the politician met her spouse. This was enough to reset the account’s password and gain full access to the emails inside.

While we’re not all public figures with our life stories splashed across news articles online, these sort of questions aren’t exactly difficult to answer. Birthdays are celebrated across social media, and the average online quiz would net plenty of other answers. The problem is that these questions offer the same control over an account that a password does, but the answers are not guarded in the same way a password is.

For this reason, I have always used complete gibberish when filling in security questions. Whenever I did forget a password, I was generally lucky enough to solve the problem through a recovery e-mail. Recently, however, my good luck ran out. It was a Thursday evening, and I logged on to check my forex trading account. I realised I hadn’t updated my phone number, which had recently changed.

Upon clicking my way into the account settings, I quickly found that this detail could only be changed by a phone call. I grabbed my phone and dialed, answering the usual name and date of birth questions. I was all set to complete this simple administrative task! I was so excited.

“Thanks Lewin, I’ll just need you to answer your security question.”

“Oh no.”

“The question is… Chutney butler?”

“Yes. Yes it is. Uh…”

“…would you like to guess?”

Needless to say, I didn’t get it.

I was beginning to sweat at this point. To their credit, the call center staffer was particularly helpful, highlighting a number of ways to recover access to the account. Mostly involving a stack of identification documents and a visit to the nearest office. If anything, it was a little reassuring that my account details required such effort to change. Perhaps the cellular carriers of the world could learn a thing or two.

In the end, I realised that I could change my security question with my regular password, and then change the phone number with the new security question. All’s well that ends well.

How do You Deal with Security Questions?

I want to continue taking a high-security approach to my security questions. But as this anecdote shows, you do occasionally need to use them. With that in mind, we’d love to hear your best practices for security questions on accounts that you care about.

Do you store your answers in a similar way to your passwords, using high entropy to best security? When you are forced to use preselected questions do you answer honestly or make up nonsensical answers (and how do you remember what you answered from one account to the next)? When given the option to choose your own questions, what is your simple trick that ensures it all makes sense to you at a later date?

We’d love to hear your best-practice solutions in the comments. While you ponder those questions, one mystery will remain, however — the answer to the question that nobody knows: Chutney butler?

Hackaday Links: June 25th, 2017

There will be no special badges for DEFCON. Everyone will still have badges — and our expectations are tempered because of the one year on / one year off schedule for electronic badges — there just won’t be mind-bending puzzles wrapped up in the official badges. What this means: it probably won’t matter if you’re late for linecon, and someone in the DEFCON hive mind still has a Facebook. Also, DEFCON is canceled.

In the past, we have decried the very existence of fidget spinners. It’s what the kids are into, after all. However, an electronic fidget spinner is an interesting engineering challenge. It combines the mechanical fun of bearing science, the exacting precision of balancing stuff, and stuffing electronics where no electronics should be. This Kickstarter is perhaps the best electronic fidget spinner we’ve seen. The electronics are powered by a coin cell and are packed into one of the spaces for the ‘wing’ bearings, and two additional weighted bearings allow the spinner to balance. There’s a small magnet for a hall effect sensor in the ‘stator cap’ so RPM can be measured. This design uses the most common mold for a fidget spinner, making it very manufacturable. Compare this design to the Internet of Fidget Spinners, a POV fidget Spinner, another POV fidget spinner, an educational electronic fidget spinner, or this amazing technique to measure the speed of a fidget spinner that will blow your mind, and you’ll see this Kickstarter project is clearly the superior design.

You kids are spoiled with your programmable drum machines like your 808 and 909. Back in the day, drum machines were attached to organs, and only had a few patterns. You couldn’t change the patterns, you could only change the speed. [Jan] has created one of these prehistoric drum machines in a microcontroller. You get hard rock, disco, reggae, rock, samba, rumba, cha-cha, bossa nova, beguine, synthpop, boogie, waltz, jazz rock, and slow rock. Awesome.

There’s a new electronics magazine. It’s called DIYODE, and we’re all kicking ourselves for not coming up with that name.

Do you need a new password? Humans really aren’t good at coming up with random numbers, and if you need a completely random alphanumeric password, it’s best left to a computer. Have no fear, because there’s now a website that generates the single most secure password on the planet. This password, “H4!b5at+kWls-8yh4Guq”, features upper and lowercase characters, numbers, symbols, and twenty unique characters. This password was developed by security researchers and encryption specialists in Europe, so you know it has absolutely nothing to do with the NSA, CIA, or any other American three-letter agency.

Speaking of three-letter agencies, last Wednesday was International Selfie Day! That doesn’t mean you still can’t get in on the action. Take a selfie right now and upload it to social media! What’s facial recognition?

Looking for a great little ESP32 breakout board with all the bells and whistles? Olimex has a new board out with Ethernet, a MicroSD card slot, and 20 GPIOs broken out.

Is My Password Safe? Practices For People Who Know Better

A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher for Google Project-Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. Irony is… Lastpass is a software designed to keep all your passwords safe and it’s designed in a way that even they can’t access your passwords, the passwords are stored locally using strong cryptography, only you can access them via a master-key. Storing all your passwords in only place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.

But it got me thinking, how worried and how paranoid should a regular Internet user should be about his password? How many of us have their account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts on some major Internet-based companies. Don’t go rushing into the Dark Web and try to find if your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who never heard about it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.

Continue reading “Is My Password Safe? Practices For People Who Know Better”