The Last Week Of The Mooltipass Approacheth

A year and two days ago, [Mathieu] started out on a quest to develop some hardware with the help of Hackaday readers. This project became known as the Mooltipass, an open source offline password keeper that’s pretty much a password management suite or Post-It notes on a monitor, except not horribly insecure.

The product has gone through multiple iterations of software, [Mathieu] flew out to China to get production started, and the project finally made it to a crowdfunding site. That crowdfunding campaign is almost over with just eight days left and just a little bit left to tip this project into production. This is the last call, all hands in, and if you’re thinking about getting one of these little secure password-storing boxes, this is the time.

You can check out the Developed on Hackaday series going over the entire development of the Mooltipass, made with input from Mooltipass contributors and Hackaday readers. The Venn diagram of those two groups overlaps a lot, making this the first piece of hardware that was developed for and by Hackaday readers.

Even if you have a fool-proof system of remembering all your passwords and login credentials, the Mooltipass is still a very cool-looking Arduino-compatible board. Note that (security device) and (Arduino thing) are two distinct operating modes that should not be conflated.

[Mathieu] and other contributors will be in the comments below, along with a bunch of ‘security researchers’ saying how this device ‘is horrifying’, ‘full of holes’, and ‘a terrible idea’. One of these sets of people have actually done research. Guess which?

46 thoughts on “The Last Week Of The Mooltipass Approacheth

      1. But the above URL to buy one on tindie is really a ‘waiting list’ …. I do not know, but if the indiegogo campaign fails, it is possible that they will not be sold on tindie… If you want one, put your money in, it will be refunded if the campaign does not succeed per indiegogo terms of service.

  1. I think the device is cool, I know my passwords are insecure since I can actually remember them. Ideally for each site that requires a login, should have a unique password, that’s a random collection of letters, numbers and special characters. Many people use the same password for multiple sites, and choose passwords they can remember. Is the Mooltipass totally secure, absolutely not, but it is way more secure than what most people are doing now. That being said, putting security researchers in quotes is really insulting, and just begging for people to say nasty things.

    1. I haven’t seen any non-obvious security concerns mentioned about this from people claiming to be security researchers, that’s for sure. Truth is, as long as the coders were careful and security-conscious, the physical integrity of the device is not compromised, and a decent PIN is used, this should be significantly more secure than even a software-based password manager, because the encryption key is never stored in the computer’s RAM. The only caveat I know of is that a keylogger could still steal individual passwords as they are entered.

      1. I’m not saying this isn’t a good device.
        Drawbacks:
        Real random number generator not used. Why not use hardware based random number generator?
        There are more but I’m sure they will be fixed in future firmware updates, no firmware update can fix the lack of a proper random number generator.
        Advantages:
        Security though obscurity.
        Hard to hack unless someone is stupid enough to leave card in machine.

      1. Because “ABCDEFG” or “aaaaaaa” are much more likely to be guessed by a brute-force password cracker or even a lucky guess by an attacker, than a long random string of characters.

  2. I actually think this device would be most useful for people like my parents, who can’t get the hang of something like keepass and are more likely to fall for viruses/phishing. It’s hard to convince them of the necessity of strong passwords though.

  3. Congratulations already, beeing that close to 100k without the product beeing a fraud or a 3D printer is tough. The issue with the easy to overlook “featured perk” is also to blame. I also thought ABS mooltipasses were out when I wanted to perk an additional one before the first deadline.

  4. I just contributed.

    As of this reply, $109,112 – $95,512 = $13,600 needed for funding.

    The campaign needs 136 people to purchase a unit at $100 to complete funding.

    That’s not a lot of people.

    Question: According to the FAQ, after three failed attempts to type the PIN the system will brick the smart card. That seems a little low – I’ve occasionally needed more than three attempts on my work system, and I enter that password a couple of times a day.

    Can a card be blanked/reinitialized using the saved information, so that we don’t have to keep purchasing new cards? Alternately, can the algorithm be changed so that it keeps out intruders but doesn’t brick the card? (For example: An exponentially increasing wait time starting with the 4th incorrect PIN.)

      1. Note: Exponential wait time cannot be added. It would need to be implemented in the Mooltipass firmware, which for purposes of PIN verification is an untrusted component (e.g. an attacker will just use their own smartcard reader to try the PINs). Now, the obvious idea of integrating a capacitor into the smartcard, charge that in case of incorrect PIN attempts, slowly discharge it through an internal resistor and disallow attempts while it’s still charged, is not implemented very widely in smartcards because, AFAIK, T-Systems has a patent on it.

          1. Could an attacker use malware to reprogram the Mooltipass via USB with a firmware that looks like the regular Mooltipass firmware but disables/changes the PIN on the card. Well, and then unnoticedly take a copy of the card, i.e. in the absence of the victim? Or use malware to reprogram the Mooltipass via USB to make it act normal, but silently sending the decrypted passwords back to the malware for sending them back to an attacker?

        1. It was only a suggestion. If I can make backups of the data and reformat the cards so that I’m not destroying cards by fumbling with the PIN, I’m OK with that.

          I’m hoping that this takes off in a big way and can be integrated with the ShopSafe system. Essentially, ShopSafe generates a new CC number which is attached to your account and can only be used for 1 purchase (and can have a limit set by the user).

          ShopSafe isn’t used much because to get a new number you have to log in to their system, go through their security, then cut/paste the number into the seller’s website.

          It would be *totally awesome* if the Mooltipass had my CC number inside it, and would generate a ShopSafe number on request.

          …all without letting the vendor or any eavesdropper know my CC account number, and without letting the eavesdropper use the number for a 2nd purchase. (And without letting the vendor kite the purchase beyond my set limit.)

          Lots of security there. I hope someone figures out how to do this.

  5. Im curious if yall have addressed the multiple computer problem: If get one of these for my home computer, will I also have to get a mooltipass for my work computers and school computers? Otherwise, I would not be able to remember my passwords to access my online accounts whenever I am not a computer that has a mooltipass.

  6. You can’t really claim that this is powered by free software with the software license you guys are using. And to compare it to the Linux kernel like you do in the indiegogo page is extremely disingenuous – Linux is GPL and truely free.

  7. It looks like you got funded (or close enough, I’m sure the last few hundret will either come in, or that the project will be possible anyway).
    Congratulations to Hackaday and everyone who helped make it happen! :)
    I considered doing crowfunding for my own, but I’d never have succeeded, so I’m happy to see that someone did, the world needs better password security and I do believe that the keyboard-emulator approach is the most versatile.

  8. [Mathieu] and other contributors will be in the comments below, along with a bunch of ‘security researchers’ saying how this device ‘is horrifying’, ‘full of holes’, and ‘a terrible idea’. One of these sets of people have actually done research. Guess which?
    lol you couldn’t have done it without us assholes so fu again, Benchoff. A bunch of armchair engineers berating armchair engineers-that is science.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.