Password Keeper Uses Off-The-Shelf Formfactor

With every website these days demanding the creation of an account, it can become difficult to remember so many logins. Each password should ideally be unique, lest a leak from your fantasy football game cost you thousands in stolen bitcoins. To help, [vcch] developed a password vault, using an interesting off-the-shelf platform.

The platform in question is the M5StickC, which packs an ESP32, color LCD, and battery into an attractive orange enclosure. It's even got USB-C, making it a tool with an eye on the future. It serves as a quick way to get a basic IoT project up and running, without having to fuss about designing your own enclosure or basic power supply hardware.

On this platform, [vcch] created a tool to make keeping track of passwords easy. The PassStrong, as it’s called, can store a huge number of passwords, and communicates with the host PC over Bluetooth. The interface makes good use of the LCD, displaying the current mode and function of each button on the device for the user. It’s capable of working in both QWERTY and AZERTY environments, which should appeal to European users.

The M5StickC is a perfect choice in this regard, packing enough buttons and the required Bluetooth hardware to get the job done. No need to spend any time integrating modules – simply open the box and get to coding. We expect to see more developments in this space in the future, and look forward to the efficiency gains this will bring to all kinds of projects!

25 thoughts on “Password Keeper Uses Off-The-Shelf Formfactor”

      1. > You will need to install M5StickC libraries, as well as BLEkeyboard library

        Nope, I did not see any settings for encryption (password bonding) or MITM in the code. But maybe they are there somewhere; I didn’t have too much time for this.

    1. [Writing this for a third time now, and not in Chrome for Android in the comment box…]
      Hopefully they would be using a secure key-agreement protocol like ECDH considering how not very difficult it is to implement on very tiny computers; even smart cards can do it; so if this thing can do Bluetooth, much more complex, then one would hope so.

    2. Yeah, notwithstanding any previous comment that may or may not have been posted on my behalf, I still can’t tell. Doesn’t look like it, so I would not use it for any sensitive passwords, which kind of defeats the point of a password manager, doesn’t it?

  1. Cool project for keeping unimportant passwords, but security is rather limited. Flash memory can easily be read and the PIN brute-forced, as it lacks self-destruct mechanisms like secure chips or smartcards, for example. Also you have firmware in the ESP32 that can’t be audited. I’d stick to Mooltipass or a similar device that stays safe even when not in your possession.

    1. FWIW, ESP32 does have flash encryption and secure boot. So, if done correctly, you can’t read the firmware or the password from the flash. You could intercept bluetooth communication, but if it’s correctly ciphered, it’ll also be hard to decode. In the end, it might be good enough for the job.

  2. It’s good to know where the limitations of the product are. No device or scheme is perfect; in this case, referring to Crypto AG. When you know and understand the limitations you can decide if you want to use this tool, a closed source or an open source tool. Multiple have been on HAD, either the development or the hacking of such a device.

    Let’s get past the “technology X is secure and you should’ve used product Y!” This will almost always result in a polar opposite internet argument you are all likely familiar with. It’s far more complicated in the real world. In my limited experience I’ll tell you that it’s almost impossible to make security/software/electronics withstand everything. Even more so if developed with limited time and funds like this hobby project.

    Bluetooth or any communications protocol is just for moving bits. The security is up to you.

    For research: BLE CTF, Pwn the ESP32 forever, Hardware wallet fail.

  3. Thanks a lot for all your insights. Would really appreciate suggestions to strengthen the Bluetooth. Agree the pincode could be hashed and salted to protect this better.

    As jwrm says it only does what it is supposed to do, and it is as strong as entering a complex password on a Bluetooth keyboard (in my case: nobody sees you typing and the keyboard is pincode protected).

    Existing dongles look fine but most of the apps I am using are password protected. So a solution that is not able to type the password for me is useless.
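The salted, hashed pincode check suggested in the comment above, as an added example (this is not the PassStrong firmware, which is Arduino C++, but a portable Python sketch of the scheme): the record kept in flash holds a per-device salt and a PBKDF2 digest rather than the PIN, verification compares in constant time, and a failed-attempt counter stands in for the self-destruct that an earlier comment notes the ESP32 lacks. The iteration count, lockout threshold and sample PIN are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000   # constructed; tune to what the ESP32 can do in ~1 s
MAX_ATTEMPTS = 5       # constructed; software lockout in lieu of a secure element


@dataclass
class PinRecord:
    """What would live in flash: never the PIN itself."""
    salt: bytes
    digest: bytes
    iterations: int
    failed_attempts: int = 0


def derive(pin: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: each guess costs `iterations` HMACs, so a dumped
    # flash image cannot be checked against every 4-digit PIN instantly.
    # The PIN space is still tiny; the lockout below does most of the work.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def enroll(pin: str, iterations: int = ITERATIONS) -> PinRecord:
    salt = os.urandom(16)  # fresh per device, so no precomputed table applies
    return PinRecord(salt, derive(pin, salt, iterations), iterations)


def verify(record: PinRecord, attempt: str) -> bool:
    """Constant-time compare; refuses everything once MAX_ATTEMPTS is reached."""
    if record.failed_attempts >= MAX_ATTEMPTS:
        return False  # locked: firmware would wipe the vault or demand a reset
    candidate = derive(attempt, record.salt, record.iterations)
    ok = hmac.compare_digest(record.digest, candidate)
    if ok:
        record.failed_attempts = 0
    else:
        record.failed_attempts += 1
    return ok
```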
