Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Storing Your Encrypted Passwords Offline On a Dedicated Device

samzenpus posted about a year ago | from the built-to-last dept.

Security 107

An anonymous reader writes "The Hackaday writer Mathieu Stephan (alias limpkin) has just launched a new open source/hardware project together with the Hackaday community. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating long and complex random passwords for the different websites people use daily. It consists of a main device where users' credentials are encrypted, and a PIN locked smartcard containing the encryption key. Simply visit a website and the device will ask for confirmation to enter your credentials when you need to login. All development steps will be documented and all resources available for review."

Sorry! There are no comments related to the filter you selected.

Good idea (0)

Anonymous Coward | about a year ago | (#45633615)

What could possibly go wrong?

Re:Good idea (1)

fizzer06 (1500649) | about a year ago | (#45634425)

generating long and complex random passwords

The NSA has been very helpful with solutions.

Re:Good idea (1)

bhagwad (1426855) | about a year ago | (#45636875)

Am I the only one terrified that if something happens to my one "dedicated device", I'm screwed? The reason I keep my encrypted passwords in the cloud is that the service provides have redundancy. I'm seriously fucked if I lose access to my data store. How could anyone possibly sleep in peace knowing that their entire lives revolve around the safekeeping of one fallible hardware device??

Re:Good idea (1)

antsbull (2648931) | about a year ago | (#45637605)

Just keep your primary email address password backed up on a hard copy somewhere. If you lose your device, you can just reset all the passwords.

Re:Good idea (1)

rioki (1328185) | about a year ago | (#45637751)

That is why I don't store any passwords anywhere. I have 3 master passwords each in order of trustworthiness and then generate the passwords using supergenpass. As a result each website has their own unique passwords of reasonable complexity. The only issue I have is with system authentication, but that is a different password altogether.

Re:Good idea (1)

ElSergio (1956248) | about a year ago | (#45640969)

I've just developed my own algorithm for generating passwords that is based on the specific site and other info. I only have to remember the algorithm to refigure the password instead of memorizing passwords. This allows me long, complex, and unique passwords for every site, without having to store any of them anywhere. Some systems have required password changes at certain time intervals, so be sure to include that into your password generation too. I recommend this process to everyone. (Then again I am a physicist :/)

What could possibly go wrong? (0)

Anonymous Coward | about a year ago | (#45633645)

Nah, the password server couldn't possibly be compromised by a terminated sysadmin or via social engineering.

what password server? passwords encrypted on card (1)

raymorris (2726007) | about a year ago | (#45634031)

The passwords are to be AES128 encrypted on the smart card. There is no password server.

Simple! (0)

DogDude (805747) | about a year ago | (#45633653)

"Storing Your Encrypted Passwords Offline On a Dedicated Device" = stick them in a USB stick in your pocket.

My solution fulfills all of the requirements the easiest, the cheapest, and the most reliably.

Re:Simple! (1)

JustOK (667959) | about a year ago | (#45633939)

yet, still lacks in reliability

Re:Simple! (1)

gmuslera (3436) | about a year ago | (#45633969)

... in a keepassx database with a strong but easy to remember master password. In general if you believe an encryption is good enough you could put your password db in a public area, but usually the weakest link is the computer from where you decrypt it, that is usually online exposed in a way or another to malware that could try to intercept that key.

Re:Simple! (1)

arglebargle_xiv (2212710) | about a year ago | (#45635905)

... in a keepassx database

Keep-ass-X? I guess that's one place to store them, but it doesn't strike me as terribly hygienic. Mind you it should be safe from shoulder-surfing, unless you're in the shower and bend over for the soap.

Re:Simple! (1)

Dr. Zim (21278) | about a year ago | (#45639021)

Mind you it should be safe from shoulder-surfing, unless you're in the shower and bend over for the soap.

Even still, I would expect them to stop at the wrist or elbow.

Re:Simple! (1)

gnoshi (314933) | about a year ago | (#45634767)

Actually, it doesn't fulfil all the requirements.
You walk into a net cafe and want to log into random site you don't care much about password of. Will you plug in your stick and enter your encryption password, thus allowing the theft of all your passwords?
Having a device which masquerades as a USB keyboard addresses this use case.

Re:Simple! (0)

Anonymous Coward | about a year ago | (#45635035)

Net cafe, how quaint. I have a smartphone, I would never need to use someone else's computer.

Re:Simple! (1)

slick7 (1703596) | about a year ago | (#45635455)

"Storing Your Encrypted Passwords Offline On a Dedicated Device" = stick them in a USB stick in your pocket. My solution fulfills all of the requirements the easiest, the cheapest, and the most reliably.

Write them in a holy book, the G-Dless politicians would never think(if they ever knew how) to look there.

Doing it wrong... (0)

Anonymous Coward | about a year ago | (#45633659)

If your ciphertext must be stored in such a fashion, why bother? Properly encrypted data should be able to fall into the hands of an attacker, that's the whole point.

Re:Doing it wrong... (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#45634755)

If your ciphertext must be stored in such a fashion, why bother? Properly encrypted data should be able to fall into the hands of an attacker, that's the whole point.

Because you want to avoid trusting the computer on which you are entering the password to also handle decryption duties. You do want the encrypted data to be useless without the key; but if you are planning on decrypting the data yourself, your key is going to be living in some computer's memory, at least briefly. If you are using a suitably compromised computer, it won't be a private key for long.

assuming... (0)

Anonymous Coward | about a year ago | (#45633695)

Assuming of course that you (i) have internet access, and (ii) that you have a secure connection - best joke of 2013.
Security gets better with these keywords - offline, local, air-gapped.

Re:assuming... (0)

hendrikboom (1001110) | about a year ago | (#45633777)

Air-gapped? You must not have heard about wifi yet.

-- hendrik

Re:assuming... (0)

Anonymous Coward | about a year ago | (#45633937)

You are aware that you can disable wifi? Or even better, use a machine w/o wifi capability.

Re:assuming... (1)

PopeRatzo (965947) | about a year ago | (#45634671)

You are aware that you can disable wifi? Or even better, use a machine w/o wifi capability.

I've removed the processor and storage drive from my computer, thus rendering it 100% secure.

I store all the most sensitive data in my brain, where my faulty memory provides the necessary encryption.

Re:assuming... (0)

Anonymous Coward | about a year ago | (#45634307)

I would assume if you are storing website passwords, you have internet access, or access to some internal website at least. If you don't have access to a website, why would you need to store website passwords?

Prior Art (1)

h2oboi89 (2881783) | about a year ago | (#45633719)

US Military pretty much does this with their Common Access Cards (CAC). It doubles as our government ID card and stores certificates that are used to identify individuals on government sites. I like that system as it allows me to remember a simple master password (a PIN) and the passwords are stored somewhere secure.

Not sure how useful this system would be if people continue to use passwords like 'password.' Combining this with KeePass or something similar would be nice.

Re:Prior Art (2)

DrTime (838124) | about a year ago | (#45634059)

The government uses key loaders and a unique rugged serial connector in legacy key loaders. These are used with cryptographic and secure communication equipment. Look up the KYK-14 and KIK-30. I've even used paper tape key loaders, a long time ago. Some more "modern" key loaders are based on legacy PDA hardware. I haven't worked with these things in years. These devices use numerous techniques to protect keys, a USB device with good protection would be nice and might be a good kick starter venture.

Re:Prior Art (1)

IDtheTarget (1055608) | about a year ago | (#45634737)

He's not talking about an ANCD or other transfer device. He's talking about our Common Access Cards (CAC) [cac.mil] , by which we authenticate to DoD resources on the Web. The CAC has an encryption chip embedded in it, as well as some storage for certificates. I have a Smartcard reader [amazon.com] attached to a USB port on my computer. When I need to get into a military website, I place my CAC in the reader. Windows 7 and 8 have built-in drivers for smart cards, and the web site will send a request for authentication to my computer. It will intercept the request and ask me to unlock my CAC. I enter my PIN, the CAC does it's PKI thing with my private certificate, and I have access to the website.

Most, if not all, federal agencies are moving to the Multi-factor authentication [wikipedia.org] model, where we not only have to have the "something I know" piece, but the "something I have" piece, in this case, the CAC.

it's been done? (1)

Steven Emmerson (3027565) | about a year ago | (#45633737)

How does this differ from using KeePass and keeping the password safe on Dropbox?

Re:it's been done? (0)

Anonymous Coward | about a year ago | (#45633751)

Keep your passwords on a server under American authority. Yea, that's the ticket!

Re:it's been done? (1)

Steven Emmerson (3027565) | about a year ago | (#45633845)

KeePass uses AES 256 encryption and my master password has about 256 bits of entropy. Even Bruce Schneier says to trust the math.

Re:it's been done? (1)

TheCarp (96830) | about a year ago | (#45639703)

True, but you still have to download it and decrypt it. Do that on a machine that can't be trusted and you may be hosed. Hell, look at the capabilities of a system like foxacid, and the very request you make to download your key file could be the same one that infects the local machine.

At least a device like this is only as vulnerable as typing, and exposes only the one password being used at a time, the master password is always protected as its only entered on the device.

Re:it's been done? (2)

Cid Highwind (9258) | about a year ago | (#45633835)

Not well, from what I can see. It requires buying/building hardware, and you have to remember to take the device if you want to access a stored password away from home. KeePass + Dropbox goes everywhere my phone does.

Re:it's been done? (2)

stenvar (2789879) | about a year ago | (#45634055)

The problem with that is that nothing that you enter on your phone or that's displayed on your phone is even remotely secure: your carrier, your phone vendor, various intelligence agencies, and police can all compromise your phone at the push of a button.

Re:it's been done? (1)

Steven Emmerson (3027565) | about a year ago | (#45634403)

An attack like that would require installation of a keylogger. I don't recall any evidence that such a system can be installed remotely (though I don't discount the possibility). I suspect, however, that an attacker sufficiently motivated to install a keylogger would not be deterred by the necessity of installing it on another device.

Keylogger to implement enhanced wiretaps (1)

tepples (727027) | about a year ago | (#45634457)

I think the idea is that a keylogger is already installed on your phone when you buy it. Because the free parts of Android's userspace are Apache licensed, not copylefted, the carrier isn't obligated to provide complete corresponding source code along with the phone to ensure that your handset doesn't already have covert snooping software to comply with CALEA [wikipedia.org] and its sequels.

Re:it's been done? (1)

chihowa (366380) | about a year ago | (#45634465)

It's happened once before [wikipedia.org] , it could certainly happen again. Google can remotely install applications to an Android phone (with Google's app store installed) at the click of a button. How else do you think apps are automatically installed when you buy them on the Play website or updated in the background. Apple may have some means to do this as well.

There are ways to make your phone more secure, but most phones are under the control of third parties.

Re:it's been done? (0)

Anonymous Coward | about a year ago | (#45639429)

Even if that were true, that's just a small part of what most people are worried about. KeepPass with a Key File and reasonable password means that I don't need to worry if Dropbox gets hacked, and I have my passwords everywhere. If the man is monitoring me then they'll just grab the password when I enter it from any offline store anyway.

Re:it's been done? (0)

Anonymous Coward | about a year ago | (#45634103)

You really don't want to keep the safe on Dropbox because it can be brute forced. You want at least a keyfile stored on devices, public keys, or another form of additional key management so an attacker who filches the file from the remote site has to deal with the full 128 to 256 bits of encryption, not just the limited amount that most passwords can provide.

Plus, if the password ever gets divulged, the jig is up. It is far harder to divulge a keyfile or private key from memory or shoulder surfing.

Re:it's been done? (1)

Steven Emmerson (3027565) | about a year ago | (#45634355)

A brute-force attack on a password safe that's been encrypted using AES 256 with a 256-bit key is not feasible. I don't understand your point about divulging a password. Why would one do that? Also, the access code to a hardware device would seem to have the same vulnerability. Why would it matter if the key is entered into a program running on a laptop rather than into a program running on some other device?

Re:it's been done? (0)

Anonymous Coward | about a year ago | (#45634599)

The same vulnerability? I think folks who don't want to store an encrypted file on Dropbox because it isn't the same (at least in their minds) as storing it on your pc would apply a similar argument with smart card vs pc. Similar is what I consider it.

While I'm not sure if the other AC meant being forced to divulge, but in the US the legality of being forced to divulge goes back and forth, having your files on Dropbox, advertises the fact (to the three letter acronyms) that you have encrypted files. Having encrypted files is something they often consider suspicious. Grabbing or scanning your PC requires a bit more effort, identifing a smart card more effort. I like requiring more and more effort for them maybe someplace along the way they will cross a legal line that isn't ignored.

Re:it's been done? (0)

Anonymous Coward | about a year ago | (#45635233)

If your hardware device is the only one that stores the encrypted data and only accessible by you in person, no one else on the net can hack it.
You can not install a virus on the device (yet), but NSA and others can install one on a laptop.

Re:it's been done? (3, Funny)

gmhowell (26755) | about a year ago | (#45635479)

I don't understand your point about divulging a password. Why would one do that?

To make the men in black stop hitting you with hammers?

Re:it's been done? (0)

Anonymous Coward | about a year ago | (#45634479)

safe on Dropbox

Sorry, that phrase sounds like an oxymoron, like "jumbo shrimp" or "reality TV".

Re:it's been done? (1)

Stewie241 (1035724) | about a year ago | (#45635833)

The complete phrase is 'password safe on Dropbox'. KeePass looks after the security and encryption - Dropbox is just the means of sharing the password safe between devices.

i.e. 'password safe' together is the noun rather than 'password' being the noun and safe being the adjective.

So it's like ... (0)

Anonymous Coward | about a year ago | (#45633745)

... the Mandylion Password Manager? http://www.mandylionlabs.com/

if you can access it on a website (2, Insightful)

YesIAmAScript (886271) | about a year ago | (#45633805)

It's not offline.

This really is some guy just using a system he thinks is less likely to be compromised. Well, that's what everyone else does too.

Re:if you can access it on a website (4, Informative)

chihowa (366380) | about a year ago | (#45633899)

The way it's described in TFA, you can't "access it on a website" (whatever that means).

It's a USB device that generates and stores passwords. The stored passwords are encrypted using a key contained in a smartcard. When you want a password, you use the touchscreen on the device to generate or decrypt a password and spit it out to the computer (presumably, the device looks to the computer like a HID keyboard device).

The only communication would, therefore, be from the device to the computer. All user interaction is through the device's touchscreen. The smartcard handles the security.

It's not a bad approach, though it would/could be ridiculously clumsy to use once you have accumulated hundreds or thousands of passwords.

Re:if you can access it on a website (1)

Anonymous Coward | about a year ago | (#45634045)

The way it's described in TFA, you can't "access it on a website" (whatever that means).

It's a USB device that generates and stores passwords. The stored passwords are encrypted using a key contained in a smartcard. When you want a password, you use the touchscreen on the device to generate or decrypt a password and spit it out to the computer (presumably, the device looks to the computer like a HID keyboard device).

The only communication would, therefore, be from the device to the computer. All user interaction is through the device's touchscreen. The smartcard handles the security.

It's not a bad approach, though it would/could be ridiculously clumsy to use once you have accumulated hundreds or thousands of passwords.

Tools like Keepass have browser plugins to recognize what site you are on and call up the right password (or whatever fields need to be filled) accordingly. This sounds like taking that and moving the key onto an external device to remove the chances of a keylogger giving the perps the password to your whole keychain. Its effectiveness is limited by the fact that you very well could be giving away your most important passwords anyway, if a keylogger is around. The best defense is still a strong antivirus/antimalware app, plus good browser practices and limited privilege escalation. Put that together with an externally stored keychain that's well encrypted and you will be safe from all but the most determined nation-state hacker enclaves. This device puts you into "defend against a national threat" territory.

Re:if you can access it on a website (0)

Anonymous Coward | about a year ago | (#45634113)

On the other hand if you encrypt you HDD, it would be handy to have a device to type that really secured encryption key for you.
OS isn't up yet and this is something a browser plug-in won't help either. Not everything is on a web browser (at least not yet)!
It could be the BIOS key, Windows login, a very long WPA2 AES key etc.

If you rely on a browser plugin to recognize the website, it is not that secured. Might as well let the browser manage your password for you.
Browsers and plug-ins are probably the most popular infection vectors out there.

Re:if you can access it on a website (1)

YesIAmAScript (886271) | about a year ago | (#45634117)

Oh. Okay. The single page project page wasn't all that descriptive so I went by the summary partly and stated you had to go to a website and enter a PIN to log in. It wasn't particularly clear.

If this is just a smartcard, then this system has been in use for at least a decade. MS' internal VPN system used a smartcard login system, and IE supports it. That system is even more secure actually because it uses a challenge response and a PIN, it doesn't just decrypt a password which can be captured on the host computer and reused.

Re:if you can access it on a website (-1)

Anonymous Coward | about a year ago | (#45634269)

Wow. Reading for comprehension is clearly not your strong suit, is it?

Re:if you can access it on a website (3, Insightful)

SuricouRaven (1897204) | about a year ago | (#45634137)

Clumsy is precisely the problem.

Three mail accounts. Laptop bios, laptop login, laptop root. Several encrypted archival hard drives. Slashdot login. The Register account. Furaffinity account. Home server user password, home server drive encryption password, home server root password. Minecraft account. Ukfur forum password. Work user password. Work domain admin password. Work test user account passwords. Ebuyer account password. Ebay password. Paypal password. GPG private key password. Retroshare private key password. Three sites I'd rather not mention. 1and1 hosting password. Domain name registrar password.

That's just what I can remember right now, so it's probably around half of what I actually have. How do I remember so many? I don't. Very few humans are capable of that. It's bordering on impossible. You need to either have a list somewhere written down, or reuse passwords a lot. Neither option is ideal - both introduce security vulnerabilities.

Re:if you can access it on a website (2, Insightful)

SuricouRaven (1897204) | about a year ago | (#45634163)

Thought up some more: Furrymuck, latitude and SPR much passwords. EVE online password. two IRC nameserv passwords. Work computer bios passwords. Work network switch passwords. Combination to my wall safe. Unlock code for my phone. Unlock code for my tablet. Two internet banking passwords. Somewhere out there, a disused Second Life account from before I concluded it is crap.

At least I don't have a facebook account.

Re:if you can access it on a website (1)

antdude (79039) | about a year ago | (#45636251)

Actually, you do have a Facebook account since I am your account with your password. [grin]

Re:if you can access it on a website (0)

Anonymous Coward | about a year ago | (#45637361)

They could be clever and have a plugin in the browser which can signal to the device which password it needs, and then the user only has to confirm that selection/do the decryption on the usb device?

And maybe a quick selection menu for stuff outside the browser which doesn't have the plugin (e.g. games, although with an appropriate sdk you could probably get all developers integrating support pretty easily).

Re:if you can access it on a website (-1)

Anonymous Coward | about a year ago | (#45635217)

Furaffinity account... [snip]... Three sites I'd rather not mention.

you probably could have just avoided telling us you were a furry. twice since your own reply lists another furry site. i'm not so sure password security is your biggest hurdle in life.

Re:if you can access it on a website (1)

Chozabu (974192) | about a year ago | (#45635407)

Well, it does not have to be clumsy, particularly on your home computer with a little extra software
  • it could have decent search on the device
  • it could launch websites, and login
  • auto login to websites
  • launch apps and login?

Re:if you can access it on a website (2)

hughperkins (705005) | about a year ago | (#45637553)

You can use a single password, combined with the url of the website, to generate unique passwords for each website, via a hashing algorithm.

One implementation of this is: https://github.com/hughperkins/openpw [github.com] , which is a derivative of http://angel.net/~nic/passwd.current.html [angel.net] There are other implementations around.

The advantage of this system is:
- only one password to remember
- if a website gets hacked, that password can't be used on other websites, and can't realistically be used to obtain your master password, assuming they even know which algorithm you're using, which is unlikely
- unlike a password safe, you don't need to handle making backups, replicating the backups around, and so on

Re:if you can access it on a website (0)

Anonymous Coward | about a year ago | (#45637693)

Furaffinity? What the flying fuck.

This is a key management device, ask an expert (1)

davecb (6526) | about a year ago | (#45634145)

If we seriously wanted to know if it was necessary and sufficient, I'd suggest we ask Whitfield Diffie, who is a nice man and would probably answer...

Re:This is a key management device, ask an expert (0)

Anonymous Coward | about a year ago | (#45634675)

If we seriously wanted to know if it was necessary and sufficient, I'd suggest we ask Whitfield Diffie, who is a nice man and would probably answer...

I found a standford email for him and did so.

Re:if you can access it on a website (1)

Vesvvi (1501135) | about a year ago | (#45634199)

I don't understand why there is so much effort placed on storing passwords. We already know what to do with passwords from the perspective of the server: discard them as soon as possible!

The password should be salted and hashed immediately, and it should never be stored in plaintext. So let's not store them at all: let the user remember the risky password, and encrypt it as soon as possible. It's a validated methodology, and it removes many/most of the trust issues of the user/server relationship: I don't care if the server fails to salt my password if it's already encrypted.

Now take this to the next step. The user-side "passwords" can be pretty weak, since they need to be memorable but not high-entropy. We don't want to re-use the same "password" everywhere (different sites/services), since that's a risk, but we can come up with a weak per-site salt that's easy to remember. Combine that with a relatively weak password and we have a winner

Use-everywhere password: invsqrt
Site: slashdot.org. "Salt": modmadness. Full password: invsqrtmodmadness
hashlib.sha256(getpass.getpass()).hexdigest()[::2][:16]
Password sent to server: "dee4ea048518f588"

Use-everywhere password: invsqrt
Site: stackexchange.com. "Salt": xyproblem. Full password: invsqrtxyproblem
hashlib.sha256(getpass.getpass()).hexdigest()[::2][:16]
Password sent to server: "be6065c67f055583"

Yes, I know it's just a hash, but this is a simple example. There's some loss of strength from key vs hash lengths, re-using "passwords" etc, and I've thrown in some complication, but I think the general idea is sound. The most important fact is that insecure, memorable, secret information never leaves my brain. Ok, in practice it does: I enter it onto an offline encryption device, but it never goes anywhere else.

  • There is no private key to lose.
  • I don't have to store private information.
  • The public-side "passwords" are high-entropy and pseudo-random.
  • The user-side "passwords" are highly memorable.
  • An offline encryption device adds security, but it isn't necessary: in an emergency I can generate hashes nearly anywhere, since I carry my secure passphrases around with my in my brain.

You can stack additional levels of complication to make it more robust, but even the crudest implementation put you in the top 0.01% of hardest-to-crack passwords. For example, your encryption fob can contain a private key: smash the fob and you have securely destroyed the ability to re-create passwords. It also would make the outgoing passwords much more secure.

Re:if you can access it on a website (1)

tepples (727027) | about a year ago | (#45634557)

How would your HMAC-like method of combining the site name with your private key work around error messages like these?
  • Your password doesn't have an uppercase character.
  • Your password doesn't have a punctuation mark.
  • Your password contains a forbidden punctuation mark.
  • Your password is too long.
  • Your password has expired; please change it.
  • Your password matches a password that you have previously used on this site.
  • Your laptop/tablet is not allowed on our network. Instead, use our [possibly keylogged] Internet terminal.

Re:if you can access it on a website (1)

Vesvvi (1501135) | about a year ago | (#45637187)

It doesn't specifically solve any of those problems (except forbidden punctuation mark), although it simplifies them a bit.

Required characters (uppercase, punctuation, numbers) can be added post-hash as an insecure suffix to meet site requirements. These don't add any security, so you can carry them around with you, put them on a public website, or leave them on a sticky note on your monitor: "work suffix: #U1_. Github suffix: (#$JHi/."

The same thing can be said for length issues, although I've found that most systems these days are happy with 16. Admittedly, with the character set restriction it would be better to keep it long, but I would argue that by avoiding sending plaintext to the servers, we're avoiding the vast majority of vulnerabilities.

Expiration is made more simple by making it easier to remember passwords: changing one isn't a big deal. This continues onto your next point as well: you'll never have an error message that your new password is too similar to your old one.

I think your last shows another benefit of terminating private passwords as soon as possible. On insecure hardware, your public (hashed) password is exposed, and of course it could be captured for future use. But that will limit exposure to a single service, and it won't reveal any hints about your password trends.

You actually overlooked the most important point: if we're hashing passwords on a secured and user-controlled device, it's very easy (space-, energy-, speed-efficient) to get the public/hashed passwords off (LCD), but it's still a bit annoying to get the private passwords onto the device. UI concerns are a problem: I can do it extremely fast an efficiently if I'm working on a desktop, but it's a bit slower even on a tablet. The further we go towards hardware which can be fully locked down (keyfob with a single chip), the harder it is to get the data onto the device.

Wrong architecture (0)

Anonymous Coward | about a year ago | (#45633905)

The device should never return credentials. It should return a set of hashes of your credentials. You also cannot use a standard network stack, but one crippled to provide limited valid responses.

If you add a way to encrypt data by streaming it through the device (or text written/ video taken on the device)and view it, without exposing the entire device, then you are on to a winner.

Paper (2)

tsa (15680) | about a year ago | (#45633941)

I store my passwords on a piece of paper. Works fine for me.

Re:Paper (0)

Anonymous Coward | about a year ago | (#45634073)

I store my passwords in slashdot comments. Of course, the usernames are stored in comments on a completely different website. I am not an idiot.

d34F2sxxe^2
5$d92_s2X

Dumbass. (0)

Anonymous Coward | about a year ago | (#45634115)

Now I'm logged in as you, huh huh huh.

Re:Paper (1)

jones_supa (887896) | about a year ago | (#45634281)

I store my passwords on a piece of paper. Works fine for me.

Never tell anyone how you store your passwords!

Re:Paper (1, Funny)

TeknoHog (164938) | about a year ago | (#45634731)

I store my passwords inside your mom.

Re:Paper (0)

Anonymous Coward | about a year ago | (#45635203)

Yes, I noticed you changed your Facebook password last Thursday.

Re:Paper (0)

Anonymous Coward | about a year ago | (#45635205)

Is this because it only takes you couple of seconds to enter them in?

Re:Paper (0)

Anonymous Coward | about a year ago | (#45637241)

I store my passwords inside your mom.

Password rejected: too short. Must be at least 4 inches long.

Re:Paper (1)

Red_Chaos1 (95148) | about a year ago | (#45639863)

Dammit, this shit is funny, why is it getting modded down? Truth hurting a bit much? :p

Too bad I don't have mod points anymore, I would've modded it up for funny.

Re:Paper (0)

Anonymous Coward | about a year ago | (#45634787)

Maybe they're lying?

Rex6000 (0)

Anonymous Coward | about a year ago | (#45635853)

An offline PDA with a pin code protection. Enter the secret passwords as notes, and then you have all your passwords with a good pin, on a device that would be too slow to bruteforce the 8 digit pin.
Battery lasts 6 months, its the size of a credit card. You could program it by plugging it into the PCMCIA slot of a laptop but I cut off that port for security.

http://www.engadget.com/products/xircom/rex-6000/

It's sadly no longer made, but if they were made they could be much thinner, much easier to use with a battery lasting a year or two.

Re:Paper (1)

Barlo_Mung_42 (411228) | about a year ago | (#45640413)

Is it "pencil" this week?

Re:Paper (1)

Dabido (802599) | about a year ago | (#45641261)

So do I. Just wish they all weren't 'password' though.

More NSA propaganda on Slashdot (0)

Anonymous Coward | about a year ago | (#45634129)

The NSA ***LOVES*** morons who use encryption services where an encrypted copy of the 'key' (password) exists. Why? Two reasons.

1) The NSA seeks to accumulated statistical 'wisdom' about the common behaviour of the sheeple. The 'passwords' we choose are of immense interest to the NSA, since the psychology of selection means the NSA can refine speculative attacks on likely password choices. 'Long' and 'strong' password choices may show statistical tendencies, and this knowledge is golden to intelligence agencies.

2) The most common attack against encryption is known as REVERSE LOOK-UP. Put simply, intelligence agencies create TRILLIONS of password keys, and calculate their equivalent encrypted 'twin'. Then they can look up any given encrypted key, compare against their database, and likely find an entry for the original password. Their are actually commercial services that offer, for a fee, password 'recovery' for all the purposely WEAK encryption options provided by major providers like Microsoft and Apple, using such database methods.

Clearly, when your password is used to identify you, not merely activating decryption (as with Truecrypt), the service providing the recognition either stores lists of passwords in plain text (yes, many still do this) or use the very vulnerable encrypted twin method. The NSA actively seeks to accumulate every possible (IN USE) password to store on its password cracking database. While the space of all possible passwords is far too vast to crack, the space of ALL passwords actually in use is trivial to store in a giant database. The NSA assumes 99.999% of all password cracking tasks can be achieved by referring to this database of 'passwords actually used by people'.

And before the usual vile shills step in, of course it is ALWAYS possible to 'create' a password that is NOT vulnerable to this form of attack, but most people following this route will create an IMPOSSIBLE to remember random string that they WILL write down in some easy to guess place. Using good logic, it is possible to create password phrases that are both easy for the individual to recall, but fiendishly difficult for the NSA to attack. You will notice the TOTAL lack of Slashdot stories on how to create such password phrases.

The sheeple are NEVER encouraged to engage in strong security practices, for obvious reasons.

Re:More NSA propaganda on Slashdot (1)

VortexCortex (1117377) | about a year ago | (#45634183)

1) The NSA can get the statistical wisdom from huge PW leaks posted by skiddies who dumped an SQL DB -- Or from those DBs themselves by deploying a single zero day vulnerability against the service.

2) Salted hashes are impervious to rainbow tables.

Spiraling down, Slashdot... Thanks, Dice Holdings. (0)

Anonymous Coward | about a year ago | (#45634153)

People are getting tired of the ads carefully camouflaged as articles...

This one is a deal with SupplyFrame, who recently acquired hackaday (Good bye hack-a-day.)
Hopefully somebody comes up with a better slashdot in a couple of years...FSCK DICE HOLDINGS!

So it's something you have... (1)

93 Escort Wagon (326346) | about a year ago | (#45634161)

And something else you have?

What's the point of introducing a PIN-locked smart card? The PIN is what matters in this case, since both the device and the card need to be kept together anyway. All adding complexity does here is create an easier way to lose access to your credentials.

Why not handle it like OS X's Keychain, where your passphrase unlocks the encrypted secret... while the secret and the data store are on the same device?

Re:So it's something you have... (0)

Anonymous Coward | about a year ago | (#45634687)

They have to be together to be used, can be stored separately, I find a smart card easier to store securely and less of a target for theft. Having my MacBrook Pro stolen while traveling is a bit of a personal nightmare for me.

Re:So it's something you have... (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#45634793)

Why not handle it like OS X's Keychain, where your passphrase unlocks the encrypted secret... while the secret and the data store are on the same device?

The trouble is that you end up storing your secret and your data on the same device as your big, complex, modern OS, your web browser, and all the other neat network connected stuff you may have installed. Anything goes wrong with all that, and it isn't a secret anymore.

Why not implement CACs? (0)

Anonymous Coward | about a year ago | (#45634209)

Why is it 2013 and we still are not using something like a Common Access Card? Banks and credit card issues are really missing the boat on these things.

For example, set up a profile with American Express, and they send you a credit card which doubles as a smart card, and they also send you a USB reader. You want to by something from the brand new site example.com, you add it to your cart, then on checkout you authenticate against the card with a PIN, which then authenticates a PKI certificate with the provider. Upon success, the shipping info and payment is provided to the vendor on the backend.

You never had to login to example.com or provide any information, example.com can't retain anything but metadata, a shipment address and that you paid with an AmEx card. Clearly there are better solutions which could swallow/blackout additional information, but I'm just very surprised banks aren't all over this.

Why not a browser plug-in? (0)

Anonymous Coward | about a year ago | (#45634303)

Other than my browser forgets my passwords at the worst possible time, why not do this in a browser plug-in? Right-click a password field, generate a GUUID or something, save it, and use it as the password? You could encrypt the passwords in a file as easily as on a hardware card - same encryption.

Keepass + Dropbox (1)

idji (984038) | about a year ago | (#45634489)

.....gives me that already

Re:Keepass + Dropbox (0)

Anonymous Coward | about a year ago | (#45634641)

Worth noting that dropbox has zero security.

Re:Keepass + Dropbox (0)

Anonymous Coward | about a year ago | (#45635197)

The security is in the encryption from keepass. If you are such a valuable target that people are going to go beyond the effort required to break an encrypted store then you are already hosed anyway as the inconvenience of anything more secure is a pain in the ass,

Re:Keepass + Dropbox (1)

gnoshi (314933) | about a year ago | (#45634795)

No, it really doesn't!
If someone compromises your machine, they can capture your keepass database and your password.

With this device, you're not entering your password into a system running piles of software that virtually no-one ever personally fully verifies (and how can they? Too much code), and furthermore if your password is captured you can't just clone the database to get all the passwords.

Keepass on Dropbox + keyfile on local devices + password is pretty good, but it isn't as good as this device from a security perspective.

ironkey (0)

Anonymous Coward | about a year ago | (#45634533)

Sounds very much like ironkey ( ironkey.com)

passwords are not the issue (0)

Anonymous Coward | about a year ago | (#45634643)

The Secret Questions to reset your password are.

Re:passwords are not the issue (1)

cmeans (81143) | about a year ago | (#45634901)

I store the secret questions & answers in my KeePass file, and I make sure to use suitably different answers from the questions being asked, so there's no correlation between the two...they're like additional passwords.

Been wanting to do this with an old phone (1)

gnoshi (314933) | about a year ago | (#45634753)

I've been wanting to do this for quite some time with an old Android phone. It provides a touch-screen interface. Many include a MicroSD meaning you can add software/updates to it without ever networking it. Kernel source is available for many, so you can build with the Linux HID Gadget driver to make it behave like a keyboard. Plus, people have the devices sitting around idle.

so basically an ident-i-eeze. (4, Interesting)

pezpunk (205653) | about a year ago | (#45635313)

Douglas Adams, right again.

"It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense. "
-Mostly Harmless, 1992

Smart card + OpenID (1)

manu0601 (2221348) | about a year ago | (#45636159)

OpenID enabled websites offer you the opportunity to go further: send no password at all over the network.

OpenID relies on an Identity Provider (IdP) to validate your identity. You can set up your own IdP, and if you have a PKCS11 compliant smart card, your web browser can use it to perform client certificate authentication to the IdP using the certificate and private key stored in the smart card.

No extra device needed (1)

Burz (138833) | about a year ago | (#45636873)

Just use Keepass or a text editor in a trusted AppVM, plus the secured copy+paste in Qubes OS.

I doubt any remote attacker could take your passwords then.

I came up with this *years* ago! (0)

Anonymous Coward | about a year ago | (#45637005)

It's a large notepad with "DON'T READ THIS! SECRETS INSIDE!" written in large, visible text on the outside. I haven't lost the penny from my bank account yet!

social engineering is overlooked far too often (0)

Anonymous Coward | about a year ago | (#45637175)

A ten million character password will not save you from companies that practice bad verification habits vs social engineering. I've been able to get my password reset with less than 25 percent accurate information, no lost password it was just out of curiosity. I have it reset on AOL with every single security wrong except my name because I have an "honest" voice.

You're going after anything you can pick up on by shooting the shit
Mood - bad mood = call again and get new rep
Gullibility - telling a story that's obviously bullshit - which will work with intellectual superiority very nice
Age - helps the topic
Misdirecting questions - to break their train of thought on company policy
Intellectual superiority - because people like teaching, it makes them feel smart especially if they think they're helping someone too fucking stupid to even remember their security questions.
Shift times - to catch people that's about to get off because they just want to go home asap
Are you allowed to chat at work because you sound like one cool mother fucker and if yes strap in because they're opening up the possibility for a world of hurt..
Death - people are more likely to help someone they feel sorry for
That's just for starters..

That's is ok for me (0)

Anonymous Coward | about a year ago | (#45637725)

Just have one general passwords for all the public sites + the site name to generate a single password using md5 or sha hash

For example. To enter to slashdot acount:

echo -n "mypassword-slashdot.org" | openssl dgst -sha -binary | base64 | cut -c 2-12
The password is: BlcjPe1rmBD

Or if you have multiple acounts in one website:
echo -n "mypassword-websiteusername-slashdot.org" | openssl dgst -sha -binary | base64 | cut -c 2-12
SeDzD5LzFtF

That's will be great to implement inside a arduino :D

This has already been done: LASTPASS (0)

Anonymous Coward | about a year ago | (#45640461)

This idea of one password to rule them all is not new, in fact, Lastpass [lastpass.com] has already developed a perfect TNO (Trust No One) password storage system.

And it's free on all your computers

They charge $1 per month to use on mobile devices.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?