A year and two days ago, [Mathieu] started out on a quest to develop some hardware with the help of Hackaday readers. This project became known as the Mooltipass, an open source offline password keeper: it gives you the convenience of a password management suite, or of Post-It notes stuck to a monitor, without being horribly insecure.
The product has gone through multiple iterations of software, [Mathieu] flew out to China to get production started, and the project finally made it to a crowdfunding site. That crowdfunding campaign is almost over, with eight days left and only a little more needed to tip this project into production. This is the last call, all hands in: if you’re thinking about getting one of these little secure password-storing boxes, this is the time.
You can check out the Developed on Hackaday series going over the entire development of the Mooltipass, made with input from Mooltipass contributors and Hackaday readers. The Venn diagram of those two groups overlaps a lot, making this the first piece of hardware that was developed for and by Hackaday readers.
Even if you have a fool-proof system for remembering all your passwords and login credentials, the Mooltipass is still a very cool-looking Arduino-compatible board. Note that the security device and the Arduino board are two distinct operating modes that should not be conflated.
[Mathieu] and other contributors will be in the comments below, along with a bunch of ‘security researchers’ saying how this device ‘is horrifying’, ‘full of holes’, and ‘a terrible idea’. One of these sets of people has actually done research. Guess which?
Let’s make it happen!
Thanks for the reminder! Funded!
thanks James :)
Is it the naysayers? Talk about nail-biting, so close.
Good luck Mathieu, kicking in now.
thanks :)
Noticing that unlike kickstarter, on indiegogo you have to pay right away. :(
Will the mooltipass be offered (at a higher price, surely) in the hackaday store?
https://www.tindie.com/products/limpkin/mooltipass-offline-password-keeper/
But the above URL to buy one on Tindie is a waiting list. If the Indiegogo campaign is unsuccessful, it is probably NOT certain Mooltipass will be sold.
But the above URL to buy one on Tindie is really a ‘waiting list’... I do not know, but if the Indiegogo campaign fails, it is possible that they will not be sold on Tindie. If you want one, put your money in; it will be refunded if the campaign does not succeed, per Indiegogo’s terms of service.
I think the device is cool. I know my passwords are insecure, since I can actually remember them. Ideally, each site that requires a login should have a unique password that’s a random collection of letters, numbers and special characters. Many people use the same password for multiple sites, and choose passwords they can remember. Is the Mooltipass totally secure? Absolutely not, but it is way more secure than what most people are doing now. That being said, putting security researchers in quotes is really insulting, and just begging for people to say nasty things.
I haven’t seen any non-obvious security concerns mentioned about this from people claiming to be security researchers, that’s for sure. Truth is, as long as the coders were careful and security-conscious, the physical integrity of the device is not compromised, and a decent PIN is used, this should be significantly more secure than even a software-based password manager, because the encryption key is never stored in the computer’s RAM. The only caveat I know of is that a keylogger could still steal individual passwords as they are entered.
I’m not saying this isn’t a good device.
Drawbacks:
Real random number generator not used. Why not use hardware based random number generator?
There are more, but I’m sure they will be fixed in future firmware updates; no firmware update can fix the lack of a proper random number generator.
Advantages:
Security through obscurity.
Hard to hack unless someone is stupid enough to leave card in machine.
Have you looked in detail at our RNG?
I don’t know much about it, but why the random + numbers + special chars? Are the hashes really crap? Why wouldn’t ABCDEFG or aaaaaaaa work as well? If not, why not fix it?
Because “ABCDEFG” or “aaaaaaa” are much more likely to be guessed by a brute-force password cracker or even a lucky guess by an attacker, than a long random string of characters.
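To put numbers on the exchange above, here is an added example (not Mooltipass code, and not its RNG): it draws passwords from the host operating system’s CSPRNG via Python’s `secrets` module, estimates the entropy of a uniformly random string, flags the repeated-character and stepped-sequence strings a cracker tries first, and converts entropy into an expected cracking time. The 10^10 guesses per second figure is an assumption for illustration, not a measurement.

```python
# Added example (not Mooltipass code): CSPRNG-based password generation and a
# back-of-the-envelope comparison against patterned strings like "ABCDEFG".
import math
import secrets
import string

# Letters, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG.

    `secrets` is used deliberately: the `random` module's Mersenne Twister
    state can be reconstructed from a few hundred outputs, so it must never
    be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def is_patterned(password: str) -> bool:
    """Cheap check for strings that sit at the front of every cracker's list:
    one repeated character ("aaaaaaaa") or a run stepping +1/-1 through the
    code points ("ABCDEFG", "12345", "zyxwv")."""
    if len(password) < 2:
        return True
    codes = [ord(c) for c in password]
    deltas = {b - a for a, b in zip(codes, codes[1:])}
    return deltas <= {0} or deltas <= {1} or deltas <= {-1}


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password after enumerating half the space.

    guesses_per_second is an assumed figure (offline GPU attack on a fast
    hash); adjust it for the hash actually in use.
    """
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "patterned:", is_patterned(pw))
    print("16 random chars:", round(entropy_bits(16, len(ALPHABET)), 1), "bits")
    print("expected crack time (s):", seconds_to_crack(entropy_bits(16, len(ALPHABET))))
```

The point the comment makes falls out of `is_patterned` rather than `entropy_bits`: "ABCDEFG" has the same length as a random 7-character string but is one of a handful of sequences any wordlist covers, so its effective entropy is close to zero regardless of how the site hashes it.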
I would have gotten one, but the ABS enclosure types are already sold out. I am not going to pay $50 more for an aluminium enclosure.
They aren’t! It’s the featured perk.
Yeah, I didn’t scroll down and thought those were the only perks, didn’t even see the AL one... aye aye aye.
same happened to me, it’s easily overlooked
I actually think this device would be most useful for people like my parents, who can’t get the hang of something like keepass and are more likely to fall for viruses/phishing. It’s hard to convince them of the necessity of strong passwords though.
Refresh the update section in a few minutes to see something interesting….
Congratulations already; being that close to 100k without the product being a fraud or a 3D printer is tough. The easy-to-overlook “featured perk” is also to blame. I also thought ABS Mooltipasses were out when I wanted to perk an additional one before the first deadline.
thanks!
Just published an update that I may regret:
https://www.indiegogo.com/projects/mooltipass-open-source-offline-password-keeper/x/8697710#activity
Guess who just became the most wanted head in lean hardware development now ^^
Just ordered 1 ABS one for $100.
People we need to help this out!
Keep up the Good Work.
Can’t wait to get this in.
thanks!
This post actually reminded me that I had to contribute, as I have been busy. Hopefully this also reminds others to do the same.
I just contributed.
As of this reply, $109,112 – $95,512 = $13,600 needed for funding.
The campaign needs 136 people to purchase a unit at $100 to complete funding.
That’s not a lot of people.
Question: According to the FAQ, after three failed attempts to type the PIN the system will brick the smart card. That seems a little low – I’ve occasionally needed more than three attempts on my work system, and I enter that password a couple of times a day.
Can a card be blanked/reinitialized using the saved information, so that we don’t have to keep purchasing new cards? Alternately, can the algorithm be changed so that it keeps out intruders but doesn’t brick the card? (For example: An exponentially increasing wait time starting with the 4th incorrect PIN.)
TBH it’s actually 4 tries (cf AT88SC102 datasheet).
You can format your cards, exponential wait time could be very easily added.
Note: Exponential wait time cannot be added. It would need to be implemented in the Mooltipass firmware, which for purposes of PIN verification is an untrusted component (e.g. an attacker will just use their own smartcard reader to try the PINs). Now, the obvious idea of integrating a capacitor into the smartcard, charge that in case of incorrect PIN attempts, slowly discharge it through an internal resistor and disallow attempts while it’s still charged, is not implemented very widely in smartcards because, AFAIK, T-Systems has a patent on it.
It is true that nothing prevents an attacker from doing a DoS by plugging one’s smartcard into their own reader.
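The exchange above is about where a retry limit has to be enforced. Here is an added example (not Mooltipass firmware and not the AT88SC102 protocol; the card is a constructed model) that contrasts a card enforcing its own attempt counter with a host-side exponential back-off: the back-off only ever slows down whoever goes through the host, while an attacker who drives the card from their own reader sees only the card’s counter. The 4-attempt budget is the figure given in the thread; `base_delay` and the PIN space are assumptions for the demonstration.

```python
# Added example (not Mooltipass code): PIN retry limits enforced in the card
# versus delays added by host firmware. The card here is a constructed model,
# not a real smartcard protocol.
import hmac
import time
from dataclasses import dataclass, field


class CardLocked(Exception):
    """Raised once the card's own retry counter is exhausted."""


@dataclass
class SecureCard:
    """A card that enforces its attempt counter internally.

    Because the counter lives on the card, it applies to every reader,
    including the attacker's. Assumed budget: 4 consecutive failures
    (the figure from the thread), after which the card refuses to verify.
    """
    _pin: bytes = field(repr=False)
    attempts_left: int = 4
    MAX_ATTEMPTS = 4

    @property
    def locked(self) -> bool:
        return self.attempts_left <= 0

    def verify_pin(self, candidate: bytes) -> bool:
        if self.locked:
            raise CardLocked("retry counter exhausted")
        # Constant-time compare so timing does not leak how many digits matched.
        if hmac.compare_digest(self._pin, candidate):
            self.attempts_left = self.MAX_ATTEMPTS
            return True
        self.attempts_left -= 1
        return False

    def format(self, new_pin: bytes) -> None:
        """Re-initialise the card (restore from backup): counter reset, new PIN."""
        self._pin = new_pin
        self.attempts_left = self.MAX_ATTEMPTS


class HostWithBackoff:
    """A host-side front end adding exponential delay after three failures.

    This protects a clumsy owner's card from nothing: it only runs when the
    card is accessed through this host, and an attacker bypasses it by
    talking to the card directly (see brute_force_via_own_reader).
    """
    def __init__(self, card: SecureCard, base_delay: float = 0.0):
        self.card = card
        self.failures = 0
        self.base_delay = base_delay  # seconds; 0 keeps the example fast

    def delay_for_next_attempt(self) -> float:
        # 0 for the first three failures, then base, 2*base, 4*base, ...
        extra = max(0, self.failures - 3)
        return self.base_delay * (2 ** (extra - 1)) if extra else 0.0

    def verify_pin(self, candidate: bytes) -> bool:
        time.sleep(self.delay_for_next_attempt())
        ok = self.card.verify_pin(candidate)
        self.failures = 0 if ok else self.failures + 1
        return ok


def brute_force_via_own_reader(card: SecureCard, pin_space):
    """Attacker with their own reader: no host delay, only the card's counter.

    Returns (pin, tries) on success or (None, tries) once the card locks.
    """
    tries = 0
    for guess in pin_space:
        tries += 1
        try:
            if card.verify_pin(guess):
                return guess, tries
        except CardLocked:
            break
    return None, tries


if __name__ == "__main__":
    victim = SecureCard(b"7391")
    print(brute_force_via_own_reader(victim, [b"0000", b"0001", b"0002", b"0003", b"7391"]))
    print("locked:", victim.locked)
```

The back-off class is still worth having for the owner's benefit (it turns a fat-fingered fourth attempt into a wait instead of a bricked card), but as the comment above says, it changes nothing about what an attacker with the card in hand can do; only the on-card counter does.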
Could an attacker use malware to reprogram the Mooltipass via USB with a firmware that looks like the regular Mooltipass firmware but disables/changes the PIN on the card, and then, unnoticed, take a copy of the card in the absence of the victim? Or use malware to reprogram the Mooltipass via USB to make it act normally, but silently send the decrypted passwords back to the malware for forwarding to an attacker?
@iamnotachoice : firmware updates are locked with a unique password that you’ll have to ask us if you want to change yours.
Mathieu Stephan:
>firmware updates are locked with a unique password [..]
Very relieving to know you guys thought of everything ^^
we can’t say for sure! ;)
The code in question, launched in the production stage, if you want to have a look:
https://github.com/limpkin/mooltipass/blob/master/tools/python_comms/mooltipass_coms.py#L266
It was only a suggestion. If I can make backups of the data and reformat the cards so that I’m not destroying cards by fumbling with the PIN, I’m OK with that.
I’m hoping that this takes off in a big way and can be integrated with the ShopSafe system. Essentially, ShopSafe generates a new CC number which is attached to your account and can only be used for 1 purchase (and can have a limit set by the user).
ShopSafe isn’t used much because to get a new number you have to log in to their system, go through their security, then cut/paste the number into the seller’s website.
It would be *totally awesome* if the Mooltipass had my CC number inside it, and would generate a ShopSafe number on request.
…all without letting the vendor or any eavesdropper know my CC account number, and without letting the eavesdropper use the number for a 2nd purchase. (And without letting the vendor kite the purchase beyond my set limit.)
Lots of security there. I hope someone figures out how to do this.
I’m curious if y’all have addressed the multiple-computer problem: if I get one of these for my home computer, will I also have to get a Mooltipass for my work computers and school computers? Otherwise, I would not be able to remember my passwords to access my online accounts whenever I am not at a computer that has a Mooltipass.
You’ll indeed need a mooltipass everywhere you want to enter your credentials.
Or you could just carry it with you. I intend to keep it in my backpack most of the time. In a pinch, you could even carry it in your pocket.
Looks like a very small alternative is in the making: http://dangerousprototypes.com/2014/11/24/password-manager/
Not as feature-rich, but less bulky.
You can’t really claim that this is powered by free software with the software license you guys are using. And to compare it to the Linux kernel like you do on the Indiegogo page is extremely disingenuous: Linux is GPL and truly free.
Please expand on why CDDL is bad… it’s one of the most permissive licenses out there.
I just contributed. One Mooltipass and 7 extra cards.
It looks like you got funded (or close enough; I’m sure the last few hundred will either come in, or the project will be possible anyway).
Congratulations to Hackaday and everyone who helped make it happen! :)
I considered doing crowdfunding for my own, but I’d never have succeeded, so I’m happy to see that someone did. The world needs better password security, and I do believe that the keyboard-emulator approach is the most versatile.
> [Mathieu] and other contributors will be in the comments below, along with a bunch of ‘security researchers’ saying how this device ‘is horrifying’, ‘full of holes’, and ‘a terrible idea’. One of these sets of people have actually done research. Guess which?
lol, you couldn’t have done it without us assholes, so fu again, Benchoff. A bunch of armchair engineers berating armchair engineers: that is science.
Will this have an option to display the password on its screen? If so I’ll be happy to contribute!