Tag Archives: Password Security

Mooltipass is an open-source offline password keeper


This portable device is like Post-It notes on a monitor, but much more secure.


In the wake of the latest string of security attacks, the necessity for two-factor authentication is clearer than ever before. And, while log-ins and passwords are critical elements required to access the sites and services we use on a daily basis, remembering complex credentials can be quite difficult. In an effort to minimize the number of ways a password could be compromised, the Hackaday community recently devised an offline password keeper aptly named Mooltipass.


Having successfully garnered $109,112 on Indiegogo, the portable device is described by its 30-plus creators as “a physical encrypted password keeper that remembers your credentials so you don’t have to.” Meanwhile, a personal PIN-locked smart card is equipped for each user to gain access to stored credentials. Upon visiting a website, the pocket-sized Mooltipass will ask for confirmation to enter one’s unique credentials when log-in is required.


Its team, made up of Makers from across the globe, selected an ATmega32U4 MCU to power the offline password keeper, which also boasts an easy-to-read OLED screen, a read-protected smart card (AT88SC102) and Flash memory to store encrypted passwords.


“The ATmega32U4 is the same microcontroller [found] in the Arduino Leonardo, allowing us to use the numerous libraries that have been developed for it. In the final schematics, we’ll add an expansion connector so users may connect additional peripherals (we may switch to a four-layer PCB at this point),” project manager Mathieu Stephan explained in an earlier post. “The microcontroller’s USB lines are protected from ESD by the IP4234CZ6. For encrypted password storage, we found the cheap 1Mbit AT45DB011D FLASH which also has 2/4/16Mbits pin compatible versions. If our beta testers find that 1Mbit is not enough, upgrading the Mooltipass would be easy.”

As noted above, Atmel’s AT88SC102 was chosen as the secure smart card; it offers 1024 bits of read/write-protected EEPROM. In terms of the display, the team says it has opted for the OLED screen for now, although another Mooltipass version with an IPS LCD is more than likely. Given that the device is intended for many different users, the normal-sized OLED screen provides great readability and, therefore, a better user experience.

“The Mooltipass emulates a standard USB keyboard, and can therefore type your passwords for you on Windows, Linux, Mac and even most Apple and Android devices (through the USB On-The-Go port). It doesn’t need any special drivers to function. Integration with websites is done via a Google Chrome plugin and we are working to implement plugins for other major browsers. While all password recall functionality is done through the Mooltipass device, credential management is done through a dedicated application.”


As its page highlights, how the Mooltipass works is fairly simple:

  • Plug the device into a computer/tablet/phone. (No driver is required.)
  • Insert smartcard, unlock it with PIN. (Without the PIN, the card is useless.)
  • Visit a website that requires a log-in. (If using its browser plugin, the Mooltipass asks your permission to send the stored credentials, or asks a user to save/generate new ones if logging in for the first time.)
  • If not using the browser plugin, or when logging in to something other than a web browser, a user can tell the Mooltipass to send the correct log-in and password. (It will be typed in, just like a keyboard.)

The Mooltipass is enumerated as a composite HID keyboard/proprietary device. Credentials are sent over the HID proprietary channel when using the browser plug-in, and over the keyboard channel when using the Mooltipass through its AT42QT2120-based touch interface.


Each Mooltipass is shipped with two smart cards, which allows a user to make a duplicate of their primary card for backup. Similarly, you can securely back up the credentials stored in your Mooltipass to your computer to protect them from loss.

In addition, the team says that anyone can easily convert their Mooltipass into an Arduino platform by using a knife or similar utensil. The device boasts Arduino headers that will enable any ‘duino shield to be connected to it. “Hence, we made the Mooltipass as small as possible while keeping its great features… Projects are only limited by your imagination, when combining our on-board peripherals with standard Arduino shields which can be purchased on the Internet.”

The project is open-source with its code readily accessible on Github, surely giving a boost to its security claims. After all, its team believes that “great security can only be achieved through complete transparency.”

Interested in learning more about Mooltipass? You can head over to its official crowdfunding page and find a detailed breakdown of the device here. The password keeper is currently being prepared for production, which is slated to begin in March 2015.

“A few days ago we had the awesome surprise to receive 250 ATmega32U4 MCUs together with 250 AT42QT2120 touch sensing ICs. We would therefore like to thank the awesome Atmel team in Norway who wanted to support our completely transparent and open-source device! We are extremely grateful,” Mathieu recently shared.

The password insecurity complex


The thing about passwords is that their whole purpose is to provide security. But passwords are hardly secure themselves, as we all know now due to the recent string of breaches… Once passwords get out into the clear, it’s like Christmas for cyber-criminals. So what we need are secure passwords… obviously.

Passwords are a big fat target for hackers. The fact that Target stores were the “target” of hackers is almost poetic. Heartbleed is another dangerous example of private information bleeding out into the open. An unsecured password is sort of like leaving your keys in the car on the street in a really bad neighborhood. In cyber-city, where all of us now live, every neighborhood is really bad. So, what can you do? Why not embed some hardware security to protect passwords? In fact, it’s rather easy to do with hardware key storage devices like Atmel CryptoAuthentication. Hardware key storage devices lock up the password and keep it from leaving the system where it is entered, such as a computer or ATM keyboard. In such an example, the only things transmitted between the keyboard and the authorizing system are cryptographic values: specifically, a random number from the crypto device to the keyboard system, and a cryptographically processed response in the opposite direction. Let’s take a closer look at the details via the video below.

The platform here is a keyboard entry device on one side and the secure key storage device (in this case the ATSHA204A) on the other. The input could be from a smartphone or other things as well. The password is securely stored in the protected hardware memory which protects against hackers reading it. The secure memory is in the ATSHA204A device. When the password is entered into the keyboard, it automatically tells the remote device with the secure memory chip to send a random number challenge to the keyboard machine. The keyboard machine hashes the random number with the password that was just entered to create a digest using a cryptographic algorithm (e.g. SHA256). That digest is called the “response” (meaning the response to the challenge that was sent over). That response is then sent to the ATSHA204A for comparison to a calculation using the same random number and the stored password on the ATSHA204A. If the response and the hash on the ATSHA204A are the same, the password was correct (real) and the operation of the device connected to the keyboard is therefore allowed.
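The challenge-response exchange described above, as an added illustration in Python (not Atmel's code or the ATSHA204A firmware): a stand-in `SecureStore` class plays the secure element, `keyboard_login` plays the keyboard-side system, and only the random challenge and the digest cross between them. It assumes SHA-256 over challenge || password, which is one reading of "hashes the random number with the password"; the real device's exact message format is not on the page.

```python
import hashlib
import hmac
import secrets


def digest(nonce: bytes, password: bytes) -> bytes:
    # Response = SHA-256(challenge || password). The concatenation order is an
    # assumption for this example; the page only says the two are hashed together.
    return hashlib.sha256(nonce + password).digest()


class SecureStore:
    """Stand-in for the ATSHA204A: holds passwords in slots and never releases them."""

    def __init__(self, passwords: dict[int, bytes]) -> None:
        self._slots = dict(passwords)   # slot id -> stored password (never leaves)
        self._pending: dict[int, bytes] = {}  # slot id -> outstanding challenge

    def challenge(self, slot: int) -> bytes:
        # Fresh random challenge per attempt, so a captured response cannot be replayed.
        nonce = secrets.token_bytes(32)
        self._pending[slot] = nonce
        return nonce

    def verify(self, slot: int, response: bytes) -> bool:
        # Each challenge is single-use: it is consumed whether or not the check passes.
        nonce = self._pending.pop(slot, None)
        if nonce is None or slot not in self._slots:
            return False
        expected = digest(nonce, self._slots[slot])
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


def keyboard_login(store: SecureStore, slot: int, typed_password: str) -> bool:
    """Keyboard side: entering a password triggers a challenge, then answers it."""
    nonce = store.challenge(slot)                      # wire: device -> keyboard
    response = digest(nonce, typed_password.encode())  # computed locally
    return store.verify(slot, response)                # wire: keyboard -> device


if __name__ == "__main__":
    # Constructed sample data: one password in slot 0.
    store = SecureStore({0: b"correct horse battery staple"})
    print("correct password accepted:", keyboard_login(store, 0, "correct horse battery staple"))
    print("wrong password rejected:", not keyboard_login(store, 0, "hunter2"))
```

Note that the typed password still exists in the keyboard-side system's memory while the digest is computed; what the scheme prevents is the password ever appearing on the link or being readable out of the secure element.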


As you can see, the value of this operation is that the only places the password goes are the system connected to the keyboard (the local system) and the secure, protected hardware memory of the ATSHA204A.

Benefits of secure password protection:

  • Easy to implement
  • Secret storage is completely secure
  • Password is never in the clear
  • Several passwords can be stored in the ATSHA204A (up to 16 slots)


Atmel CryptoAuthentication™ products, such as the ATSHA204A, ATECC108A and ATAES132, implement hardware-based storage, which is much stronger than software-based storage due to the defense mechanisms that only hardware can provide against attacks. Secure storage in hardware beats storage in software every time. Adding secure key storage is an inexpensive, easy, and ultra-secure way to protect firmware, software, and hardware products from cloning, counterfeiting, hacking, and other malicious threats.

Interested in learning more about Atmel CryptoAuthentication™ products? Read some of our latest articles in the Bits & Pieces archive here.