We’re pretty sure that most of our readers already know it by now, but we’ll tell you anyway: the Hackaday community (writers and readers) is currently developing an offline password keeper, the Mooltipass. A month ago we published our first demonstration video and since then the development team has been fairly busy at work.
First things first: we heard (well, read) the comments you left in our previous articles and decided to make a small animation video that will hopefully explain why having an offline password keeper is a good thing. We welcome you to have a look at our script draft and let us know what you think. We updated our GitHub readme and more importantly our FAQs, so feel free to tell us if there are still some questions you have that we didn’t answer. We finally found a short but yet interesting paper about software based password keepers possible security flaws.
Secondly, a little more than 20 prototypes have successfully been assembled and some beta testers actually already received them. As they financially contributed to their units we offered them the possibility to pick a blue, green, yellow or white OLED screen (see picture above). We therefore expect things to gain speed as we’ll have users (or rather bosses) pushing us to improve our current platform and implement much needed features.
Finally, as I figured some of our readers may be interested, I made a quick video of the prototype assembly process (embedded below). It is still a little sketchy and a few changes will be made to make it simpler for production. We expect these next weeks to be full of interesting events as our beta testers / Hackaday readers will be able to judge the work we’ve been doing for so long. We highly recommend you to subscribe to our official Google group to stay updated with our adventures.
No offense but this is just an useless trinket.
none taken… could you elaborate why? do you have individual strong passwords for all the websites/services you use?
I can easily memorize passwords (and they are non trivial) for sites I use (fb, bank account, gmail, reddit, ebay -> actually allegro.pl, few forums, steam). I can’t see a reason why I’d need that device.
Good for you then :)… I must have subscribed to too many websites.
It looks really nice
thanks!
After all this time I still can’t figure out why anyone would want this. I mean, I guess the concept is ok but the device is so huge that it’s not convenient to take it with you everywhere you go.
Everything is relative. It’s after all intended for home and work use.
Could you use this to unlock doors?
With the arduino version (accessible gpio), sure why not! ;-)
I have been reading about this project since the start of it. And now that I see how it should be used (video from about a month ago) I had the same thought as the reader who commented before me.
My thinking is this device should be portable, able to be pluged in every computer, while not being OS dependent at the same time.
I think the main features should be a non OS dependent anonymous browser (TOR) starting when pluged in and portability as being able to have it in a wallet or being a wallet it self.
Being ahead of NFC would be a great promise.
Matic
Well (granted the device is a bit bigger than a credit card) our device is driverless and can be used on most operating systems. Our contributors use it on Linux/Mac/Windows.
maybe too late, but adding bluetooth so no cable is required would be a nice touch.
but would drastically increase the price due to the components themselves and the required certifications…
Bluetooth is a security risk…depends on the required security level. It would be much, much more convenient, but…
Android too, though that could be argued to just be a linux variant
Poorly. Android is basically Java with a Linux kernel. The stuff you need to call it *nix isn’t there.
If the computer has spyware installed (for instance, a public computer at a school), will the spyware be able to capture the passwords the Mooltipass enters?
Is the communication between the Mooltipass and the computer encrypted?
Would it be possible to make a “system hook” so that the passwords can be compromised?
Although I can see this gadget being a nice way to keep your passwords safe and it will help you “enter” them on sites etc.. It’s useless if other precautions against hackers/attackers/theft haven’t been taken.
No security system is perfect. A thing not being perfect does not make it useless. Firewalls do not stop trojans, yet they are truly not useless. Locks can be picked, yet they are not useless.
What you are referring to is the McCumber cube layers of storage and processing. In short, how can you protect a password that must be entered and checked? The answer is that it cannot be done without the receiving system being a trusted computing platform that complies with a protocol this device also complies with. Very, very few trusted computing platforms exist, and none are designed to interface with hardware tokens that work the way the mooltipass does. This device is for everyday use. It is intended to interface with normal systems doing normal systems tasks.
To answer your questions in order: Yes, No, yes (this question is redundant).
Like always, security is not a product you can buy. It is a property of a complex system. This can be one part of such a system.
Great comment, thanks!
Once the host controller firmware has been hacked, nothing’s impossible ;)
Oh, I got a few answers when reading the FAQ. Sorry for wasting your time…
How are the credentials sent to the computer?
The Mooltipass is enumerated as a composite HID keyboard / HID proprietary device.
Is it still possible to sniff the passwords sent over HID?
In theory yes. As mentioned in our project description the Mooltipass aims at reducing the number of attack vectors to a minimum: the device basically types your password as if you were doing it yourself.
A simple system hook application can sniff the passwords. Sure a anti-spyware tool or scanner might find this software, but there’s also legit software that can be easily installed by someone with administrator rights. It is extremely easy to hack Windows OS’es.
I’m looking at the advantages of this gadget over software-based solutions (at Github):
As at a given moment your passphrase and your database are stored inside your device’s memory, a malicious program with access to both elements could compromise all your passwords at once.
Some of these software applications encrypt with AES256, which is thesame encryption as the Mooltitool. Your site states: “We are using AES-256 encryption in CTR mode, bruteforcing the encrypted credentials takes more than fifty years”. So basically the passwords are safe, even when they are stolen.
I don’t want to be rude or anything. I see you have put a lot of time, effort and money on this project. I therefor wish you not but the best. It’s still a cool looking gadget. I’m sure there will be people out there who are happy to use it. Respect. :)
Not quite. The difference here is that the passphrase (your pin to unlock the smartcard, containing your AES key) cannot be compromised by malicious software on the PC – it’s never transmitted to the PC. Yes, the encrypted DB can be retrieved for backup purposes, but without the key, it’s practically useless.
Sure I understand.. All you need to remember (keep safe) is the PIN and the card.
Let’s say a computer is infected with malicious software and monitors the users keystrokes. The malicious software will be able to read my “master password” from fi KeePass. A hacker could use the master password to decrypt the db containing all the passwords.
In thesame case the malicious software would also read the passwords that are being entered on a website with the Mooltipass. Sure, the database is safe, but every password the tool enters is stolen. I guess it’s only a matter of time before all the passwords are collected.
And thus… Against hackers who use mallicious software: The Mooltitool is only a bit safer than software applications like KeePass.
I guess the Mooltitool is a great tool against “offline theft” of the passwords.
Hey Dave,
You can also have a look at the article I linked, which details some type of attacks that the mooltipass is immune to.
You are correct, though the spyware will also have to monitor which website the user is browsing (but I guess some bruteforce should work well here as well).
As mentioned in the FAQs, we only aim at reducing the number of attack vectors. Perfect security can only be achieved by sharing unique secrets with every website out there.
Since the password is typed automatically, I think a nice feature would be to type the characters of the password in random with random erase and rewrites of characters. So if my password is “HackaDay”, the Mooltipass would type it in like this:
| = Cursor
a|
Ha|
HaD|
Hac|D
HacF|D
HacFDy|
Hac|Dy
Hack|Dy
HackDa|y
Hacka|Day
Password: HackaDay
What might appear to keyloggers: aHDcFyckaa
The typing sequence, and erase/rewrites are at random and changes everytime so that keyboard sniffers, or keyloggers would log random characters. But of course there are other ways to sniff keyboard presses that might by pass this feature.
I think i already wrote this once:
I feel the same with the comments above me, for me my needs of security are not big enough to overcome my KISS-Principle, that is adding another system brings more complexity and thus more chances of failure.
But, i think just saying its useless is a bit insensitive and shows no respect for the effort that has been done to develop such a device. I think the community has earned some respect, having designed this in a unique kind of teamwork.
And i think, especially we hackers often appreciate that the journey is the reward, not only the final outcome by itself, which is often way more useless than the mooltipass,it can be just for fun, a strange work of art or just freaking crazy, like the flying stuffed cat.
Hey Erich,
Thanks for the kind words :). We actually implemented as much redundancy as possible to avoid any problem that may arise. As long as you’re aware of your level of security your choice is understandable.
Any update on if you’ve moved to a better license model, ie to GPL?
not at the moment…. but we’re counting on you to write the same comment if we ever launch a kickstarter video :)
I know you’re not taking me seriously, but this is serious issue, one that severely is putting limits on the project.
We need the “waa, it’s not open source” morons to debate the “eh, it’s pretty, but pretty pointless” crowd.
“If no-one cares, would GPL help?”
(I’m with Team B.)
(We’re not bothering to show up anyway.)
(Morons win by default!)
(Go morons!)
Would you care to explain the issue and how the current license is insufficient? Keep in mind that a completely GPL license would not cover the hardware implementation.
The problem is it’s not open source enough.
I don’t know what that means. (I suspect the morons don’t either.)
Two big things stand out immediately to me:
1. The CDDL is pretty antaganistic to other software licences (and was pretty much written to be incompatible with the GPL of any form). This puts big limits on people who want to modify/make/hack their own firmware that they might want to include libraries or other code that is GPL or otherwise imcompatible with CDDL.
2. The GPL gives it teeth to stay open and free for anyone to look at / tinker with / hack, whereas the CDDL does not. It would prevent people from keeping changes / improvements / features to themselves and closed (more a concern if someone makes a derivative product and wants to sell it too). This is important especially for a product that’s aiming to be ‘hacker friendly’ and with an open mindset.
On the hardware side of things, maybe a Creative Commons license would be apropriate since the GPL doesn’t cover that.
The BSD folk have an interesting take on all that…
While I don’t agree with his second point that the GPL is better (it’s a valid choice, but a choice the developers have to make). His first point is still valid. A lot of resources are GPL, and the CDDL was intentionally build to be incompatible with GPL. A BSD-style license, or Creative Commons for some parts, would allow to combine it with GPL code.
I am.
My Mooltipass just arrived! I’ve been wanting something like this for years, it’s so cool to finally have it in my hands!
Interesting product. If i was going to design something similar, i’d make it run like a usb keyboard, so that no matter what the OS was, or permissions, you could probably use the device. I’d make the 4 buttons some type of encrypted button sequence required to turn the device on/unencrypt the drive. Then have accounts scrollable. Clicking left would paste the username (using the keyboard) and clicking right would paste the password for that account. All internally stored, no external card.
You just described 99.9% of the mooltipass’s design,, except one point: the storage is internal, the card is the string part of the key to unlock the storage (the pin code being lesser part). While there is an API for software on the pc to make it easier to use the device, it is not required for it to work: it always operates as a usb key board :-)
smh. You want a password holder built in Shenzen. Great. I once left bad feedback for an amazon seller that was using their uncle to import parts illegally from China and 3 hours later my gmail associated with the amazon acct was attempted on 3 times. How is that for a coincidence?
Anyhoo, it would have been great to see it at least assembled over here in the USA. What, with this site being about DIY and building a 3d scanner like some make a ham sandwich, there should be that option on every corner. Anyhoo, to each their own and hope the next device is…different. Somehow the potato salad kickstarter seems more sensible. Everybody needs potato salad ;)
Well, I couldn’t find the mechanical parts I wanted neither in the US nor in Europe…
>Anyhoo, it would have been great to see it at least assembled over here in the USA.
Because the US government would never violate the 4th amendment right? hahaha
I have to say, actually holding the mooltipass in my hand, there’s nothing about the form factor that prevents portability. If you’re carrying a laptop around, you’ve got space to hold the mooltipass somewhere in your bag.
If the complaint is that you’re not going to be carying a laptop and you want something to plug into any computer you might want to log in from? My question would then be: if you’re using a password manager, why would you trust any computer you don’t control with ANY password manager/storage device you have to plug in?
I think the mooltipass definitely serves its target audience. My only complaint is that the plastic screen seems to absorb swirls out of thin air ;)
Having the smart card poking out isn’t the best idea.
How could you take it out then?
Have notches for your fingers, like this: http://upload.wikimedia.org/wikipedia/commons/0/05/Smartcard_CAM.jpg.
Depending on space you might not need to cut the bezel.
You don’t need the notches to be top/bottom like that, they can be at the sides so the card is gripped by the edges (fat fingers is a problem)
Then there’s spring-loaded readers (rare & expensive) or having a clam-shell case where the card simply sits on the contacts (though that’s a bit fiddly).
One little but very helfull design change – make a bezel so the plastic shield drops into this – auto-aligned. from what i can see – not very ‘secure’ by means of hardware restriction. maybe use some sort of switch to notice if the case has been opened
It’s easier just to do it by hand.
i want one