Password safe (My personal use case)

Werner Almesberger werner at almesberger.net
Thu Sep 12 17:57:05 EDT 2013


Ron K. Jeffries wrote:
> I would purchase a couple of password safes if they can be used in a
> low-tech way.

Great ! :)

> >> Small password safe where I store my (many) passwords by initially
> entering them with it's USABLE keyboard & where I can see what I type on
> the display.

I think the idea of integrating a keyboard is pretty much dead.
But that wouldn't preclude you from either "dialing" passwords
or -phrases, connecting an(y) external USB keyboard, or, if you
trust your PC enough, using that one to add things.

> I only absolutely need two data fields but a few others"would be nice."

I think that should be user-configurable as well. Have as many
fields as you like, with content that's either just for display,
for display+sending, for sending only, etc.

The default could be service name + account name + password.
Adding other things would require more typing.

> But the master passphrase for LastPass also must be remembered, securely.

A small piece of paper, stored in a safe ? :)

> Recharging with a microUSB would be convenient.

Naw, no rechargeable batteries. They just make things - starting
with shipping - more complicated, and die far too quickly, after
which you're likely to have a messy replacement. (Unless it's a
really really common cell phone battery, which then would be far
too large for this sort of device. First physically, and then in
terms of capacity, nowadays often exceeding 5000 mWh. So you'd
basically charge it once in its life, and most of the power
drain would come from aging.)

> I (sometimes) use a little "burner" phone,

Why do I have to think of "Breaking Bad" ? :-)

> Make the Werner password safe about the size of a smallish candy bar phone.

See http://downloads.qi-hardware.com/people/werner/pwsafe/shape.pdf

> I hereby place my order for the first two Werner Password safes off the
> line, right now.

Kewl, thanks ! But let's not count our chickens before they hatch.
First step, have a complete and coherent design. Still a few things
missing. I'll also need a basic layout to see if I can make things
fit.

Next step, making one or two prototypes. Then, writing basic drivers
and finding all the gremlins. Next, more PCBA prototypes, as needed.
Then, maybe repeat the same with the RF board. Plan B: extend the
atusb firmware and postpone making an advanced atusb.

Then, make a prototype case. Nothing fancy, two shells held together
by friction, like this critter:

http://downloads.qi-hardware.com/people/werner/ledtoy/tmp/1209-lt-push.jpg

CNC-milled transparent acrylic, so the display can be read through
it, and one can see the electronics and spot suspicious changes.
May not look pretty to the eyes of non-geeks, though. Like this one
(the same thing as above):

http://downloads.qi-hardware.com/people/werner/ledtoy/tmp/1209-menu-transp2.jpg

Per unit cost of such cases is high. This is the material I needed
to make 3-4 acceptable cases of the above device:

http://downloads.qi-hardware.com/people/werner/ledtoy/tmp/acrylic-in.jpg

(The difficulty was in getting the thickness right - the top part
has a very thin section above the components. Making it thinner
breaks it, making it thicker makes the (thicker) part over the
capacitive button too thick. My mill has relatively large absolute
tolerances along the Z axis. I may also have to retool for the
password safe because my endmills can't go very deep, and this one
may have relatively tall sidewalls.)

Then, write enough software to make it do something useful. If other
people want to join the party, that would be a moment to make some
more prototypes. Then, make a video and see if the whole thing can
be crowd-funded.

> I assume it will use a microSD card.

Yup.

> i would like a utility that can backup
> the microSD to a second microSD, no other computer involved.

Hmm, this would mean copying the data of the uSD to MCU memory,
then swapping the uSD, and copying it back. As long as you're
willing to swap uSDs an unlimited number of times, no problem :)

If you don't want to swap them, the data size would be limited
by the maximum memory size one could allocate for this. This
may not be a lot, depending on the MCU chosen. Maybe as little
as 50 kB. Not sure yet how big a typical account record would be.
It would not only include the actual data but also some salts
(random numbers), etc.

But since everything is encrypted anyway and can be easily
checksummed, a copy using a PC should be no problem:

1) attach the password safe to PC, allow USB storage access in
   read-only mode, copy your uSD to the PC. You'd do this for
   backups anyway.

   If you already have an up to date backup, skip step 1 and
   use that.

2) ask password safe to checksum the uSD. It will display a long
   number, which you can safely ignore.

3) attach uSD reader or use password safe as follows:
   a) remove old uSD
   b) insert new uSD
   c) ask system to initialize it
   d) ask system to allow read-write USB storage access

4) copy data over from PC

5) ask password safe to checksum the uSD again. It will display
   a long number and tell you whether it's the same it saw
   before.

> I do NOT
> expect the device to have two microSD slots (too expensive).

I'd say cheap but big :-) I initially thought of having two
slots, just for the scenario you mentioned, but they would eat
up a lot of PCB space and also drive up the pin count.

- Werner



More information about the discussion mailing list


interactive