Mathieu Stephan : The Making of a Secure Open Source Hardware Password Keeper

Mathieu Stephan is an open source hardware developer, a Tindie seller who always has inventory, a former Hackaday writer, and an awesome all-around guy. One of his biggest projects for the last few years has been the Mooltipass, an offline password keeper built around smart cards and a USB interface. It’s the solution to Post-It notes stuck to your monitor and using the same password for all your accounts around the Internet.

The Mooltipass is an extremely successful product, and last year Mathieu launched the Mooltipass Mini. No, it doesn’t have the sweet illuminated touch-sensitive buttons, but it is a bit cheaper than its big brother and a bit more resistant to physical attacks — something you want in a device that keeps all your passwords secure.

Mathieu didn’t build the Mooltipass alone, though. This is an Open Source project that has developers and testers from around the globe. It may have started off as a Hackaday Post, but now the Mooltipass has grown into a worldwide development team with contributors across the globe. How did Mathieu manage to pull this off? You can check out his talk at the 2017 Hackaday Superconference below.

Continue reading “Mathieu Stephan : The Making of a Secure Open Source Hardware Password Keeper”

Hackaday Links: October 16, 2016

You need only look at the weekly user account leak from a popular web service or platform to know there’s a problem with security. Reusing passwords is the dumbest thing you can do right now, and the Mooltipass Mini is the answer to that problem. The Mooltipass originally began as a Developed on Hackaday series, and we log frequent sightings of the Multipass (maxi?) at security cons. The Mini is smaller, has exactly the same capability, and is completely unrepairable. It’s very cool, and if your email password is the same as your banking account passwords, you kind of need this yesterday.

Last weekend was the Open Hardware Summit in Portland. All the talks were worth watching, but editing the talks down into something sensible takes time. In lieu of this, OSHPark has gone through the livestream and timestamped everything

Continue reading “Hackaday Links: October 16, 2016”

The Last Week Of The Mooltipass Approacheth

A year and two days ago, [Mathieu] started out on a quest to develop some hardware with the help of Hackaday readers. This project became known as the Mooltipass, an open source offline password keeper that’s pretty much a password management suite or Post-It notes on a monitor, except not horribly insecure.

The product has gone through multiple iterations of software, [Mathieu] flew out to China to get production started, and the project finally made it to a crowdfunding site. That crowdfunding campaign is almost over with just eight days left and just a little bit left to tip this project into production. This is the last call, all hands in, and if you’re thinking about getting one of these little secure password-storing boxes, this is the time.

You can check out the Developed on Hackaday series going over the entire development of the Mooltipass, made with input from Mooltipass contributors and Hackaday readers. The Venn diagram of those two groups overlaps a lot, making this the first piece of hardware that was developed for and by Hackaday readers.

Even if you have a fool-proof system of remembering all your passwords and login credentials, the Mooltipass is still a very cool-looking Arduino-compatible board. Note that (security device) and (Arduino thing) are two distinct operating modes that should not be conflated.

[Mathieu] and other contributors will be in the comments below, along with a bunch of ‘security researchers’ saying how this device ‘is horrifying’, ‘full of holes’, and ‘a terrible idea’. One of these sets of people have actually done research. Guess which?

Hackaday Links: November 23, 2014

The 2015 Midwest RepRap Festival, a.k.a. the MRRF (pronounced murf) was just announced a few hours ago. It will be held in beautiful Goshen, Indiana. Yes, that’s in the middle of nowhere and you’ll learn to dodge Amish buggies when driving around Goshen, but surprisingly there were 1000 people when we attended last year. We’ll be there again.

A few activists in St. Petersburg flushed GPS trackers down the toilet. These trackers were equipped with radios that would send out their position, and surprise, surprise, they ended up in the ocean.

[Stacy] has been tinkering around with Unity2D and decided to make a DDR-style game. She needed a DDR mat, and force sensitive resistors are expensive. What did she end up using? Velostat, conductive thread, and alligator clips.

You know the Espruino, the little microcontroller board that’s basically JavaScript on a USB stick? Yeah, that’s cool. Now you can do remote access through a telnet server letting you write and debug code over the net.

The Open Source RC is a beautiful RC transmitter with buttons and switches everywhere, a real display, and force feedback sticks. It was a Hackaday Prize entry, and has had a few crowdfunding campaigns. Now its hit Indiegogo again.

Speaking of crowdfunding campaigns, The Mooltipass, the designed-on-Hackaday offline password keeper, only has a little less than two weeks until its crowdfunding campaign ends. [Mathieu] and the rest of the team are about two-thirds there, with a little more than half of the campaign already over.

Developed on Hackaday: $50k Reached in a Week!

Around 500 awesome people backed the Mooltipass offline password keeper crowdfunding campaign, raising a total of $50k in less than a week… which is nearly half our goal.

The development team and I would therefore like to thank our readers for their support. We were featured by several electronics websites, which definitely helped spreading the world of open source security devices. Many interesting discussions spawned in either our comments section or official Google Group. One new contributor even started looking into implementing TOTP on the Mooltipass.

Another hot topic was a possible smaller and more powerful Mooltipass v2, implementing other functionalities like U2F and encrypted file storage. You may therefore wonder why we didn’t start with it… the reason is simple: limited resources. Our project is made by (great) non-remunerated contributors who took a lot of their spare time to work on the Mooltipass v1. We therefore preferred working on something we’d be sure we could deliver rather than wasting $4M by making promises. We therefore hope that our crowdfunding campaign might allow an even bigger collaboration around a Mooltipass v2!

Developed on Hackaday: Crowd- funding Campaign Start!

For a little less than a year open source enthusiasts from all over the globe got together to work on an open source offline password keeper. We narrated our progress here on Hackaday and always asked our readers’ opinion when critical decisions were to be made.

Today, the wait is finally over: the Mooltipass crowdfunding campaign finally arrived.

In some of our Developed on Hackaday series posts we noticed that it was tricky for us to convey the benefits of the device we were developing. The first 3 minutes of our video therefore explain good security practices and how the Mooltipass can help users with their credentials security. For our readers that may not have followed our adventure since its beginning, the campaign’s text will provide them with a simple (yet detailed) explanation of what the Mooltipass can do. Finally, our geeky readers will find at the end of our write-up a few links supporting our claims. We would have liked offering cheaper pledges but we unfortunately need to hire professional javascript developers to finish our app & extension.

Our Mooltipass Developed on Hackaday series therefore come to an end. We would like to thank you for your support and hope that you enjoyed seeing an idea materialize into a crowdfunding-ready product!

Developed on Hackaday: The Answer is Below

In one month the Mooltipass offline password keeper project will be one year old.

We hope that our twice a month Developed on Hackaday series posts allowed our dear readers to see what are the steps involved in a device’s life, going from idea to prototype to crowdfunding-ready product. The Mooltipass is the fruit of a unique world-wide collaboration around open source, developed by and for security minded people who (for most of them) never saw each other. Relating our progress here enabled us to benefit from our readers’ feedback and make sure that we didn’t miss important wanted features. Contrary to other campaigns that we often debunk on Hackaday, we preferred to wait until we had a beta-tester approved device to move to the crowdfunding stage. Our geekiest readers will therefore find the launch date embedded in this post, other may want to subscribe to our official Google group to stay updated.