Over the past several years of password-hash cracking, password analysis, and countless articles on compromised databases, I’ve learned three things for certain: most passwords aren’t hard to crack, people reuse passwords, and no one is safe from having their account information stolen.
The world of password management is saturated with password managers, utilities, and tools, and yet none of them seem to have caught on with enough popularity to have a drastic impact. Something such as Lastpass is fairly easy for me to use, yet I can’t hope to explain to my Grandma or non-techie friends the intricacies of how to use it. Likewise the Yubikey is nice for two-factor logins that support it, and it can be configured to type a single long password. However the two-factor option is limited in its uses, and having a single password for all accounts, regardless of its complexity, is an obvious no-no.
So what could someone use that can hold multiple passwords or tokens, is easy to use and configure, and is secure against being compromised if it were lost or stolen? Enter the Pass-pal.
It has been six months since I started development on the Pass-pal. It first started out as a simple non-configurable USB device that would print out a static password when you pressed one of its four buttons. It has since morphed into a fully developed device, with an on-board clock, 10 buttons, and the ability to hold 20 configurable two-factor tokens or passwords (text).
Thanks to the ATmega32u4 development board it was easy to program the device to print text on a PC as if it were a USB HID keyboard. The tricky part was coming up with a way to configure the device from a Windows client that didn’t involve a programmer or flashing firmware every time I wanted to make a change. The result was a rewrite of the HID descriptors that allowed for the use of feature reports, which I spoke about here. Once completed I was able to configure it using a simple Windows program (as seen right). If I wanted a button to print a password I simply updated the EEPROM on the device with the new password. When the button was pressed the device looked in EEPROM for what to print and typed it as if a human had typed it on the keyboard. This was the basis for future development.
Currently the Pass-pal can store 20 two-factor tokens (OTP) or passwords. By simply pressing or holding down one of the 10 buttons the Pass-pal will type out a one-time password (OTP) or password the same as a standard USB keyboard. The benefit is that it requires no special drivers for use on Windows, Linux, Mac, or even a PS3 for that matter.
Any of the 20 slots can be configured to print standard text up to 39 characters. If someone wants button one to print an email address and button two to print the password, they simply update the two slots with that text; it’s as simple as that.
The tokens it supports are any RFC-6238 or RFC-4226 SHA-1 based tokens, which are the basis for things like Google Authenticator, Lastpass, Battle.net two-factor, Symantec VIP, as well as many other password authentication modules. Additionally it supports a Yubikey style token (however it can’t be registered with Yubico’s servers). Regardless of what the slot is set to do, it can also be configured to append a Tab or Enter afterwards.
The concern I had was: what if the device is lost or stolen? Unlike the Yubikey, which only has one button, the Pass-pal has a full ten; this lends itself perfectly to having a PIN entered before use. When the device is first plugged in it’s locked: the indicator light is red and none of the buttons can be used to type out passwords or tokens. Additionally the configuration software won’t connect while locked. Once the correct unlock PIN is entered the indicator light shows green and the Pass-pal operates as normal. When setting up the device the user can set how many attempts are allowed for entering the correct PIN; if it’s entered incorrectly too many times the EEPROM is wiped and all saved passwords and keys are erased. Additionally the Pass-pal will keep track of how many times an incorrect PIN is entered, and will save the date and time of the last incorrect attempt. The next time the user connects to the configuration software they will be notified that incorrect attempts were made. The user can also elect to have a timeout placed on the device. If one of the buttons is not pressed within a set amount of time the device will auto-lock itself to help prevent unauthorized people from using it.
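The lock policy described above (PIN gate, wipe after too many failures, failure log surfaced to the configuration client, inactivity auto-lock) can be modelled in a few lines. This is an added example, not the Pass-pal firmware; the PIN, attempt limit, timeout and slot contents are constructed values, and a dictionary stands in for EEPROM.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PinLock:
    """Model of the Pass-pal lock policy: PIN gate, wipe after N failures, inactivity auto-lock."""
    pin: str
    max_attempts: int = 3
    idle_timeout_s: int = 120
    slots: Dict[int, str] = field(default_factory=dict)  # stands in for the EEPROM slot contents
    locked: bool = True                                   # locked from the moment it is plugged in
    failed_attempts: int = 0
    last_failure_at: Optional[int] = None
    last_activity_at: int = 0

    def enter_pin(self, attempt: str, now: int) -> bool:
        """Unlock on a correct PIN; count and timestamp failures; wipe when the limit is reached."""
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.locked, self.last_activity_at = False, now
            return True
        self.failed_attempts += 1
        self.last_failure_at = now                       # date/time of the last bad attempt
        if self.failed_attempts >= self.max_attempts:
            self.slots.clear()                           # emulate the EEPROM wipe: every secret is gone
        return False

    def press(self, slot: int, now: int) -> Optional[str]:
        """What the device would type: nothing while locked or once the idle timeout has passed."""
        if not self.locked and now - self.last_activity_at > self.idle_timeout_s:
            self.locked = True                           # auto-lock after a period with no presses
        if self.locked:
            return None
        self.last_activity_at = now
        return self.slots.get(slot)

    def config_session(self) -> Optional[dict]:
        """The configuration client only connects when unlocked; it is then told about bad attempts."""
        if self.locked:
            return None
        return {"failed_attempts": self.failed_attempts, "last_failure_at": self.last_failure_at}
```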
The configuration also allows a user to select which orientation they would like the buttons to be in. For example, reversing the buttons lets someone place the Pass-pal in a USB dock upside down and still keep the same button order.
Since the Pass-pal acts as a USB keyboard it is able to sense when the user enables caps lock, num lock, or scroll lock on their keyboard. The Pass-pal can be configured to auto-respond to such events by tying one of the lock keys to a slot. For example caps lock can be configured to ‘emulate’ the pressing of button 4 on the Pass-pal. Once configured the user simply hits the caps lock key twice in succession and the Pass-pal will print out the value for button 4 as if the user had actually pressed the button. This feature is great for someone who uses a certain password many times throughout the day and doesn’t want to reach over and physically hit the button on the Pass-pal. This feature is disabled while the Pass-pal is locked.
Firmware and software are mostly complete for the Pass-pal. The only remaining task is to begin development of a case. Available cases vary greatly, from preformed molded plastic to acrylic cut cases. Once completed I hope to allow for a range of colors for both the case and its buttons.
I’ve been asked if the Pass-pal will be open source. The current version of the Pass-pal firmware and software will be left closed source. However a version of the Pass-pal will be available that is preloaded with the common Arduino Leonardo bootloader. Libraries will be made available that allow someone to interface with a PC using the HID feature-report protocol, and to develop their own password or token uses. My hope is to let the community develop new and inventive uses for the Pass-pal hardware and to host the firmware, software, and libraries on a dedicated site.