Hackaday Prize Entry: A Very Small Password Keeper

One of the more popular security builds in recent memory is USB password vaults. These small thumb drive-sized devices hold all the passwords you have to deal with, and are locked behind an authentication code on the drive itself. For their Hackaday Prize entry, [Miguel] and [Noel] asked how inexpensively one of these devices could be made. The answer, coming in the form of their Memtype project, is very inexpensively.

The Memtype project is based on the cheapest and simplest USB implementation on the planet. It’s built around an ATtiny85 and V-USB’s software-only implementation of a USB keyboard, requiring only a few resistors and a diode in addition to the ’tiny85 itself.

The device can only be unlocked with a four-digit PIN, input through the clever use of a small SMD joystick. After inputting the correct code, the Memtype grants the user access to all the stored passwords. As far as security goes, [Miguel] and [Noel] have implemented NOEKEON in assembly. It should be noted, however, that all security is weaker than a pipe wrench. For managing the passwords, [Miguel] and [Noel] built a small, simple GUI app to set the PIN and write credentials to the device.

[Miguel] and [Noel] already have a demo video up for the Memtype; you can check that out below.

27 thoughts on “Hackaday Prize Entry: A Very Small Password Keeper”

  1. Wow, here on HaD, we have seen many hardware password managers but this one definitely looks the most polished.
    The joystick input and type/backspace is a very very clever way to select your input.
    Just add a hole for the keyring, a slim case, and count me in for any Indiegogo/Tindie, would definitely pay 30€ delivered for gimmick.

      1. Thanks @Maxwell :D
        we have it on the roadmap too, it’s a GUI feature, when creating a new password by default filling it with a nice auto generated password instead of presenting an empty fill-in form, so if you want to use it there it is even before filling it :)

      2. I was thinking about how you get the passwords into the micro-controller. It would be cumbersome by normal methods – needing some sort of app on the host.

        Generating passwords internally would make this much simpler as it saves importing the password into the device.

        Another solution may be to include a light sensor and use some JavaScript in a web page (even offline) to flash-out the new password. Like we saw with the 555 beat generator in another recent post here.

        I was also wondering if it could store the URLS where the password is needed.

        1. hi @RÖB,

          indeed, the GUI is needed when you want to add/delete/modify credentials, this allowed us to save some space on the flash by keeping the firmware very simple, the communication is done by the same USB port that’s used to type as a HID.

          Generating passwords internally could be handy, but editing the name for example would need the GUI again, or it’d use too much flash that’s now free for using it with credentials, it’s our main limitation.

          Yes! it can store URLs, or anything else that needs to be typed, like credit card numbers for example, it’s much nicer for me to have it encrypted on the MemType and be typed automatically than bringing out my credit card to read the number. I use it also for storing commands on the User field, like for example: “ssh workuseronserver@workservername1orip.com -p 1337” by using an enter as a hop, it enters the user string (command) then types an enter and then the password and another enter as a submit character, I also use a delay to make it wait some time before entering the password as it takes a second or so for ssh to resolve, connect and ask for the password.
          There’s no size limit for any field of the credential, they’re stored dynamically until they fill up the 2K free flash left for storage. 2K is not huge, so that’s why we need to keep firmware as small as possible :/

          I’m sure some others will find some more original uses too :)

  2. This is definitely a cool build, tiny and simple. Some thoughts about security to consider; some security is better than none, unless it gives false sense of security level. Some possible holes here are that once the PIN is entered, all passwords are available. If you forget to remove/lock it before walking away, an attacker will have hit the jackpot. I imagine a virus on the host would have an easy time reading them too. Assuming valid PIN includes only 0-9, there’s about 1 million combinations. An attacker who finds this could desolder the joystick and run a few wires from the pads to an Arduino or something, then brute force it pretty quickly (unless there’s a limiter for PIN entry attempts, I didn’t see this mentioned). Probably more attack vectors, but these came to mind first. Not trying to be negative, I like this project, I just wouldn’t use it for anything very sensitive like bank login. Aside from password storage, this could also be used to automate hacking the host to some extent.

    1. The word security is an oxymoron. It has no absolute meaning and by its own definition it is not possibly achievable. So all you’re left with is a comparison between more insecure and less insecure.

      This project is a step towards improved security for two reasons.
      1) I give people more incentive to use long and complex passwords as they don’t have to remember them.
      2) Never underestimate the value of physical possession in security. It is the exclusively unique way of tokenizing.
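
The PIN-entry limiter raised in comment 2, sketched as an added example: this is not Memtype's firmware and not code from the project or the commenters. The `limiter_t` type, the three free tries, the doubling delay and the one-hour cap are all assumptions chosen for illustration; the sketch shows how such a limiter changes the worst-case time to walk the four-digit PIN space the article describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limiter state. On real hardware this counter would be kept in
   EEPROM so that unplugging the device does not reset it. */
typedef struct { uint8_t failures; } limiter_t;

#define FREE_TRIES   3u     /* assumed: wrong guesses allowed without penalty */
#define BASE_DELAY_S 1u     /* assumed: first penalty, doubled per failure    */
#define MAX_DELAY_S  3600u  /* assumed: cap, so the owner is never locked out */

/* Seconds the device ignores the joystick before accepting the next PIN. */
uint32_t limiter_delay(const limiter_t *l) {
    if (l->failures < FREE_TRIES) return 0;
    uint32_t shift = (uint32_t)l->failures - FREE_TRIES;
    if (shift >= 12) return MAX_DELAY_S;          /* 1 << 12 already > cap */
    uint32_t d = BASE_DELAY_S << shift;
    return d > MAX_DELAY_S ? MAX_DELAY_S : d;
}

/* Compare without an early exit, so timing does not reveal matching digits. */
static int pin_equal(const uint8_t *a, const uint8_t *b, uint8_t n) {
    uint8_t diff = 0;
    for (uint8_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Count the attempt as failed BEFORE checking it; clear only on success.
   A power cut during the check therefore still costs the guesser a try. */
int limiter_try(limiter_t *l, const uint8_t *guess, const uint8_t *pin, uint8_t n) {
    if (l->failures < 255) l->failures++;
    if (!pin_equal(guess, pin, n)) return 0;
    l->failures = 0;
    return 1;
}

/* Worst-case seconds to enter every PIN in `keyspace`, each entry taking
   `entry_s` seconds on top of whatever delay the limiter imposes. */
uint64_t exhaust_seconds(uint32_t keyspace, uint32_t entry_s) {
    limiter_t l = {0};
    uint64_t total = 0;
    for (uint32_t i = 0; i < keyspace; i++) {
        total += limiter_delay(&l) + entry_s;
        if (l.failures < 255) l.failures++;
    }
    return total;
}

int main(void) {
    printf("no limiter:   %u s\n", 10000u * 1u);
    printf("with limiter: %llu days\n",
           (unsigned long long)(exhaust_seconds(10000, 1) / 86400));
    return 0;
}
```

The limiter only helps if the counter survives power loss and cannot be rewritten from outside the chip; with a RAM-only counter, a replug restores the free tries.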

  3. I made something similar a few weeks ago. More complicated also and not much more secure. Tho this gives me great ideas for improving it in the future as I used 3 buttons instead of the joystick and a small OLED display. The menu system with backspace and writing on the account field is also a great idea. It would look totally good in a custom machined aluminium case. Could maybe even improve the design by using those real USB-A male connectors and waterproofing it and the case, no need to worry you would blow up the micro when you come inside after rain.

    Demo of my system: https://www.youtube.com/watch?v=IY5LAmCJ1NU

  4. As more and more is done strictly from mobile devices are there any plans for an iOS version that plugs into the lightning connector port or a Bluetooth version so it just needs to be near the device it’s paired?

    1. For the moment our effort is focused on making this version as polished as possible with some improvements on the way :) We’ve used it on android devices using an OTG cable flawlessly.
      Adding more hardware elements like a screen or bluetooth would increment the price so that’s why we decided to go as simple as possible with this version.
      Making a version with more hardware features like integrated screen, bluetooth, integrated microUSB, lightning, more memory, hardware AES and USB and more would be great if there’s enough interest :)

      1. Order placed on Tindie!
        We would love a hole for a keyring and at least some degree of protection such as nice heat-shrink sleeve.

        If I were to find a case, I would find a fitting cheap flashdrive on Alibaba, crank them open, use a drill press to mass drill a hole for the joystick, and of course, design the PCB to have a perfect fit for this USB case. You cannot do cheaper than this.

        1. Great Tweepy!

          Haha you’re so right that we’ve already done it ;) we found a plastic case but it wasn’t so great, finally we found a much cooler one made of nice plastic and aluminium with a nice finish, we’ve adapted the PCB to fit into it! but we’re waiting to receive the modified PCBs from OSHpark to test if they’re ok or there is some other modification needed.
          After confirming that we’re ready to order some more PCBs and put them on tindie ;)

  5. “One of the more popular security builds in recent memory is USB password vaults.” [sic] Reading HaD is like dragging my nails on a blackboard! Is it too difficult to run a grammar check before publishing HaD?
