Meet Lynx, A (costly) Offline Password Keeper

Maybe because he didn’t want to wait for the Mooltipass to be produced, [davidhend] built himself his own offline password keeper, named Lynx.

It is based around an Arduino Pro 328, a 2.8″ TFT touch screen, an RFID card reader, an FTDI basic breakout and finally a li-ion battery. Lynx is therefore self-powered and uses an RFID card to read the XOR-encrypted passwords stored on an SD card. The USB serial connection sends the passwords to the computer and also charges the battery. The current BoM cost is around $220, but we’re quite sure it can be made for much less when not using pre-made boards. The official GitHub repository tells us that the XOR key is stored inside the microcontroller and that Lynx checks the RFID card code before allowing encryption/decryption.
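Why a fixed XOR key held in the microcontroller does not protect the records on the SD card, shown as an added example (not code from the Lynx repository). It assumes a repeating key applied from offset 0 of every record; the key and passwords are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Repeating-key XOR; the same call encrypts and decrypts. */
static void xor_crypt(unsigned char *buf, size_t len,
                      const unsigned char *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* plaintext XOR ciphertext = key stream, so one known record exposes it. */
static void keystream_from_known(const unsigned char *pt, const unsigned char *ct,
                                 size_t len, unsigned char *out) {
    for (size_t i = 0; i < len; i++)
        out[i] = pt[i] ^ ct[i];
}

/* Constructed scenario: returns 1 if record B is readable without key[]. */
static int fixed_key_leaks(void) {
    const unsigned char key[] = "K3Y!";   /* constructed key, 4 bytes used */
    unsigned char a[] = "hunter2-mail";   /* record whose plaintext is known */
    unsigned char b[] = "correct-bank";   /* record never disclosed */
    const size_t n = sizeof a - 1, klen = 4;
    unsigned char known[sizeof a], ks[sizeof a], out[sizeof b];

    memcpy(known, a, sizeof a);
    xor_crypt(a, n, key, klen);           /* both records as stored on the card */
    xor_crypt(b, n, key, klen);

    keystream_from_known(known, a, n, ks); /* uses only plaintext A and the card data */
    for (size_t i = 0; i < n; i++)
        out[i] = b[i] ^ ks[i];
    out[n] = '\0';
    return strcmp((char *)out, "correct-bank") == 0;
}

int main(void) {
    printf("second record readable without key: %s\n",
           fixed_key_leaks() ? "yes" : "no");
    return 0;
}
```

The same relation means XORing two stored records cancels the key entirely. An authenticated cipher with a per-record nonce, such as AES-GCM or ChaCha20-Poly1305, removes both properties.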

On a side note, we recently published a FAQ on the official Mooltipass GitHub. You’re welcome to let us know what questions we may have forgotten.

28 thoughts on “Meet Lynx, A (costly) Offline Password Keeper”

    1. Yes, something more secure than XOR would be good. However, if XOR is going to be used then it would be a good idea to really stress the fact that the XOR key needs to be changed, nay that it should be made mandatory not to use the one on GitHub. Anyone with a little common sense and initiative could easily get the passwords from the device (or SD card).

    1. There isn’t any, it is just an excuse of people to justify working on an Arduino. They’re all designed and implemented so poorly that they really do little to nothing to improve security. For christ sakes this thing at $220 is held together with electrical tape, that should tell you all you need to know about how much effort went into this.

    2. Password keepers can be handy. I find myself having to remember so many passwords that I start reusing without realizing it (all of my passwords are long phrases). I am kind of interested in the Mooltipass, but only if it demonstrates real security features, i.e. 3 factor authentication, good encryption, etc. As matt says, this particular device is less than stellar, and is just an excuse to make something. Kudos on making the thing, now work on improving it in pretty much every way.

      Everyone has gotta start somewhere.

        1. They don’t offer any substantial documentation, and their website is essentially nothing more than a listing of American regulations without stating how exactly this device helps you to comply with them. How the hell do you even enter the pin for this device, by pressing a directional pad god knows how many times? Well considering that their e-store page is offline, and their website hasn’t been updated since 2006 ought to tell you all you need to know about how successful this product is. If you really want a password keeper which will lock you out after so many successful attempts go buy an old BlackBerry, enable encryption and lock out attempts, and store your passwords on it. That product has at least been analyzed by lots of people unlike anything you’ll see on HaD or that mandylion device.

      1. Just as a rubber tire is not a dump truck, XOR is not encryption. Things can be composed into other things, but that does not mean they are a replacement for the entirety of what they compose.

        Conflating the two by saying that it might be in some circumstances an encryption method only further enables people to use it as an encryption method.

  1. Lynx is the name of the public transport in the Orlando, Florida area… any copyright infringement going on here?
    As for the browser Lynx, don’t think I have heard of it.

  2. This article in a nutshell: “oh look at this project that’s similar to ours…it sucks though so ours is better.” If you want to both cover projects fairly and develop your own as well you might want to set up some ethical boundaries.
