Better Security, Harry Potter Style

We all know we shouldn’t use 1234 as our password. But we often don’t do the absolute best practice when it comes to passwords. After all, you should have some obscure strange password that is unique for every site. But we all have lots of passwords, so most of us use $pock2020 or something like that. If you know I’m a Star Trek fan, that wouldn’t be super hard to guess. [Phani] writes about a technique called Horcruxing — a term taken from the literary realm of Harry Potter that allowed Voldemort to preserve life by splitting it into multiple parts, all of which were required to bring an end to his villany. [Phani’s] process promises to offer better security than using a single password, without the problems associated with having hundreds of random passwords.

Most people these days use some form of password manager. That’s great because the manager can create 48 character passwords of random words or symbols and even you don’t know the password. Of course, you do know the master password or, at least, you better. So if anyone ever compromised that password, they’d have all your passwords at their fingers. Horcruxing makes sure that the password manager doesn’t know the entire password, just the hard parts of it.

Continue reading “Better Security, Harry Potter Style”

Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper

Remembering passwords is one of those things which one just cannot seem to escape. At the very least, we all need to remember a single password: namely the one for unlocking a password manager. These password managers come in a wide variety of forms and shapes, from software programs to little devices which one carries with them. The Mooltipass Mini BLE falls into the latter category: it is small enough to comfortably fit in a hand or pocket, yet capable of remembering all of your passwords.

Heading into its crowdfunding campaign, the Mooltipass Mini BLE is an evolution of the Mooltipass Mini device, which acts as a USB keyboard by default, entering log-in credentials for you. With the required browser extension installed, this process can also be automated when browsing to a known website. Any new credentials can also be saved automatically this way.

Where the Mooltipass Mini BLE differs from the original is in that it also adds a Bluetooth (BLE) mode, enabling it to be used easily with any BLE-capable device, including laptops and smartphones, without having to dig around for a USB cable and/or OTG adapter.

I have already been using the original Mooltipass Mini for a while, and the Mooltipass team was kind enough to send me a prototype Mooltipass Mini BLE for evaluation and comparison. Let’s take a look.

Continue reading “Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper”

Hash And Roll Your Way To Secure Passwords

In the electronic battlefield that is 2019, the realm of password security is fraught with dangers. Websites from companies big and small leak like sieves, storing user data in completely unsecure ways. Just about the worst thing you can do is use the same password across several services, meaning that an attack on one gives entry to multiple accounts. The challenge is to generate a unique and secure password for each and every application, and [Ilia]’s way of doing that is called HashDice.

No, it’s not a password manager, or an app – it’s a simple method that can be readily applied by anyone with the right tools. A simple dice is used to create random numbers, which are used to select words from a list to form the basic secret phrase. This is then combined with the name of the service or application to be accessed, the date, and a salt, before hashing using the SHA256 algorithm. The final hash is then truncated to create the password. You can do it all on a device that’s airgapped from the world, ensuring your core secret is never exposed, thus maintaining security.

There are some pitfalls to this method, of course. Many websites make things harder by requiring special characters or enforcing length limits on passwords. [Ilia] helpfully suggests several workarounds for this, but admits that no system is perfect in the face of these obstacles.

If you’re now wondering if your current password is safe, there are ways to investigate that, too.

 

Tearing Apart An Android Password Manager

With all of the various web applications we use nowadays, it can be daunting to remember all of those passwords. Many people turn to password management software to help with this. Rather than remembering 20 passwords, you can store them all in a (presumably) secure database that’s protected by a single strong password. It’s a good idea in theory, but only if the software is actually secure. [Matteo] was recently poking around an Android password management software and made some disturbing discoveries.

The app claimed to be using DES encryption, but [Matteo] wanted to put this claim to the test. He first decompiled the app to get a look at the code. The developer used some kind of code obfuscation software but it really didn’t help very much. [Matteo] first located the password decryption routine.

He first noticed that the software was using DES in ECB mode, which has known issues and really shouldn’t be used for this type of thing. Second, the software simply uses an eight digit PIN as the encryption key. This only gives up to 100 million possible combinations. It may sound like a lot, but to a computer that’s nothing. The third problem was that if the PIN is less than eight characters, the same digits are always padded to the end to fill in the blanks. Since most people tend to use four digit pins, this can possibly lower the total number of combinations to just ten thousand.

As if that wasn’t bad enough, it actually gets worse. [Matteo] found a function that actually stores the PIN in a plain text file upon generation. When it comes time to decrypt a password, the application will check the PIN you enter with the one stored in the plain-text file. So really, you don’t have to crack the encryption at all. You can simply open the file and reveal the PIN.

[Matteo] doesn’t name the specific app he was testing, but he did say in the Reddit thread that the developer was supposedly pushing out a patch to fix these issues. Regardless, it goes to show that before choosing a password manager you should really do some research and make sure the developer can be trusted, lest your secrets fall into the wrongs hands.

[via Reddit]