project idea: portable password safe

Werner Almesberger werner at almesberger.net
Mon Sep 9 13:13:20 EDT 2013


Ron K. Jeffries wrote:
> >> A lot of my usage involves mobile devices. Not clear if you plan to
> address that need.

If they have a USB host port to attach a keyboard (or equivalent),
things would be the same as for any other PC.

If they don't, then you'd have to fall back to traditional passwords
or simple challenge-response schemes.

It would be nice to have Bluetooth, to be able to talk to mobile
devices that don't have a USB host port, but as far as I know, BT
is still troubled territory when it comes to chip and documentation
availability.

> Password safe with keyboard and display.

The keyboard seems to be on its way out. Maybe for version 2.0 :-)
It would have been small anyway, OQO 01 grade.

> Passphrase required to open safe, plus challenge response.

Well, with a simple input scheme, it would be a PIN, or a set of
PINs (e.g., one to "open" the device at all, and another one to
get to the juicier bits, like ATM codes.)

That PIN could be the result of a weak challenge, but maybe it's
not worth the bother. In any case, since one can change the
firmware, there's plenty of opportunity to experiment with
authentication and user interaction schemes.

Speaking of which, the "official" firmware should of course be
signed. But one could add other signatories and/or just accept
unsigned firmware.

> In a dream world, some form of biometric authentication.

Most of the easily available biometric authentication seems to
be more a gadget than a serious defense. I wouldn't bother with
it. If the government tells you they need it to fight evil and
it's infallible, probably neither is true :-)

> The goal is to store passwords, and display password when needed. Period.
> In other words, it remembers passwords I do not have memorized.

It can do that. Plus "type" them to the PC, so that you can pick
nasty passphrases, or even go to challenge-response (if the
software on the PC plays along with it). The problem with ordinary
passwords is that we're approaching the point where it's easier
for machines to brute-force them than for humans to remember. A
bit like some of those captchas. So it's nice to have some room
for making things a bit harder for those who wish us ill.

> Making the device tiny is not on my wish list, since I'd expect a decent
> display e-ink?

E-paper still seems to be too hard to source for this sort of
project. What you want are heavily commoditized components that
are used in millions of products. That doesn't only keep the
price down but it also decreases the risk of getting stuck with
just a single source.

> and a keyboard large enough for human fingers, and with enough keys that at
> a minimum numerals get a dedicated row.

If you make it too big people will not want to carry it around
with them. I think the 3 x 8 cm form factor should be a good
compromise. You still get a display that's almost 15 mm tall, so
you can have two lines of illuminated letters of some 6-7 mm,
maybe 6-7 such letters per line. Or have some monster font of 15
mm that they could even read from the ISS, but then lateral
scrolling may get a bit excessive :)

You can make an experiment: take your favourite drawing program
and draw letters of varying size, from 10 to 20 pt (3.5 - 7 mm),
in a bold sans-serif font on a black background. Make the letters
a little grey to simulate the difference in contrast between
paper and displays. Then print this and see down to what size you
can still read it in a room with dimmed lights.

> A capability for the password safe to construct passwords would be useful.

I'd definitely want that, yes.

> If that was included,
> needs to allow setting rules to affect the pattern so as to improve ease of
> typing or human memory.

It's also needed to match what the other end accepts. I'd want
the ability to generate passwords that are never even shown to
the user. You can't blab what you don't know.

> But think about an aging population, where a way to remember
> decent if not NSA-quality passwords would be VERY useful.

None of us are getting younger ;-) I've learned to hate dimly lit
restaurants where the menu is printed in a gracile 6 point
font on stylishly colored paper ...

- Werner
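
Added example, not part of the original message and not project code: one way to generate passwords that match what the other end accepts, as discussed above, while keeping every compliant password equally likely. The class names, the symbol set, the sample policy and all function names are assumptions made for this illustration.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes a site policy can refer to (names are this example's own).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@_",
}

def _pools(allowed, required, exclude):
    """Per-class alphabets after removing characters the site rejects."""
    pools = {n: "".join(c for c in CLASSES[n] if c not in exclude) for n in allowed}
    if any(r not in pools or not pools[r] for r in required):
        raise ValueError("a required class is not allowed or has no characters left")
    return pools

def generate(length, allowed, required=(), exclude=""):
    """Draw uniformly from all strings of `length` that satisfy the policy."""
    pools = _pools(allowed, required, exclude)
    alphabet = "".join(pools.values())
    if length < len(required) or not alphabet:
        raise ValueError("policy cannot be satisfied")
    # Rejection sampling: retry whole candidates until every required class
    # appears. "One of each, then fill and shuffle" skews the distribution.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in pools[r] for c in pw) for r in required):
            return pw

def entropy_bits(length, allowed, required=(), exclude=""):
    """log2 of the number of compliant passwords, by inclusion-exclusion."""
    pools = _pools(allowed, required, exclude)
    n = sum(len(p) for p in pools.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            rest = n - sum(len(pools[m]) for m in missing)
            count += (-1) ** k * rest ** length
    return math.log2(count)

if __name__ == "__main__":
    # Constructed policy: 16 chars, no symbols, needs upper + digit, no look-alikes.
    policy = dict(length=16, allowed=["lower", "upper", "digit"],
                  required=["upper", "digit"], exclude="0O1lI")
    print(len(generate(**policy)), round(entropy_bits(**policy), 1))
```

The demo prints only the length and the entropy estimate, in keeping with the idea of a password that is typed to the PC without ever being displayed.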


