Like many businesses out there, [Joonas Pihlajamaa’s] employer requires him to change his password every few months. Instead of coming up with a complex yet easy-to-remember password again and again, he built a small USB device to do the work for him.
He dismantled an old USB memory stick and fitted it with an ATtiny85 and its supporting components on a small piece of perfboard. Using what he learned from his previous USB HID tinkering, he programmed the ATtiny to act as a USB keyboard that types his password for him whenever he plugs it in.
The dongle not only types his password for him, it can also generate a new password with a few simple keystrokes whenever he wants one. Obviously anyone who gets hold of the stick has his password, but it still beats a Post-It under the keyboard any day.
Continue reading to see a short video of his USB password dongle in action, and be sure to swing by his site for more details on how it was all put together.
Video: http://www.youtube.com/watch?v=kpNSycoUCZM&feature=youtu.be
Very nice implementation. This isn’t the first time somebody has made one of these (I believe HaD has featured at least one previously); I’m surprised I haven’t seen these commercially produced yet.
Unless I’ve just missed it?
yubikey.com
I’ve got one that I use with a 12 digit and 24 digit static password setup. Windows logon is short press + 4 digit pin. Email is long press + different 4 digit pin.
Well at least one product has *some* sort of security to it. Generally with a key fob you want the user to know *something*, even if it’s a static 4 digit key code — that way people can’t just steal your key fob and go on using it.
A compromised device doesn’t have to mean a compromised password. Just like the RSA tokens, you can have the generated password (from the dongle) and then append your own.
Nice diy!
Check out YubiKey. 🙂
That seems like a lot of work when he could have just bought a YubiKey. It would have also been smaller, more durable, and let him have both One Time Passwords along with the static one.
Of course, he would not have gotten on Hack a Day for his purchase.
Hi John,
Since you mention, I thought of the same thing. The problem with Yubikeys is the limited base of applications on which it can be used. Something like this, or even better, as xMob suggests, would let you use the doo-dad anywhere you see fit, instead of whoever YubiCo can ply to include support.
I’d also be into something that takes a “keychain” password from input (as a key catcher) and then outputs a mangle of it/stored password/something else entirely as a login password. Just spitballing 🙂
The Yubikey has two locations and allows storing of static passwords. So the Yubikey would allow for:
1) Use of the Yubico OTP services PLUS act just like the device above
or alternatively
2) Store two static passwords and function as TWO of the devices above in a single package 1/4 the size (which is how raidscsi mentions he is using his)
It isn’t a lot of work. You could build that thing in an hour (two including developing the software) and a lot cheaper. Most of us probably have those parts lying around.
I just have security concerns about that thing. This basically passes by the security policies of the company. Even with the suggested generated password + own password thing. When somebody gets that thing (and it may be for a few seconds) he only has to guess a probably much weaker suffix.
Yubico now have a nice, free Radius server. Combine that with your logon and you’ve got strong, secure, cheap multi-factor auth.
OpenKubus does the same, has a hackable AT90USB micro with bootloader, and free development tools.
HAK5 advertises the “Rubber Ducky” which does exactly the same thing and more. I think it’s around $30.
$79.99
Nice hack, but useless for me, as I tend to forget my gadgets at home.
I’m glad that my brain is permanently installed 🙂
I’m glad to hear it is, but it seems a lot of people are born with brains that oscillate on and off.
So what happens when the USB stick dies from being yanked out all the time and you don’t know your currently generated password?
I would store a newly generated password in a safe place which can be accessed if the device suddenly stops functioning (EEPROM can be recovered from the ATtiny85 unless a failed MCU is the reason for the failure). “Safe place” means encrypted with a strong but not necessarily changing password. I’m using my own cryptiki.com for that myself; it does all the encryption client-side using JavaScript so server compromise is not an issue, but other services and gpg exist, too.
You’ll need the password written down somewhere in any case when you change the password, unless you want to regenerate the password blindly in the middle of changing it, as Windows does not allow copy-paste into its password fields. 🙂
Paste doesn’t work?? Sure it does, Ctrl+V works most every time.
Can’t remember pasting in password fields not working in windows.
OK, this is an idea but flawed.
1st off: the USB is a DIY project, so it could break or stop functioning.
2ndly: even if it stores a randomly generated code somewhere so you can access it to log in, what’s stopping me plugging in my USB stick with Linux on it, accessing your Windows configs in sys32 and wiping your password, rebooting and logging in hassle free?
And finally: the USB could just be used as a virus in the wrong hands; i.e. plug it in, open regedit, delete the keys for firewall and antivirus, download and install some software, turn off notifications. Next person to use it, say they log in to their bank. All the keystrokes are now being sent to the person that plugged in that USB.
what yourselves.
@JCR: Sometimes people like making things. A lot of hacks are re-creations of existing ideas. Luckily, inventing new things is not the only reason to build something.
Someone can get lots of hacking funds selling these with SOIC chips and a PCB USB plug done from Sparkfun custom boards.
Less than $10.00 in parts, sell them for $20.00 as a kit and rake it in.
Personally I would not pay $20 for a kit when a YubiKey is $25 and gives you secure login service via unique One Time Passwords for life, free.
The fact that you can host your own backend for Yubikeys is much more appealing to me. You are in no way tied to Yubico if you don’t want to be.
Three resistors (3*0.05$)
Two diodes (2*0.20$)
an attiny (2$)
2 cm² of PCB (0.5$, 20$ per platine which would fit about 40 of those).
an USB-plug 0.50$.
That’s less than $5, and you could get that lower, as those are hobbyist prices.
Hmm, has anyone tried interfacing with the small form factor fingerprint readers on laptops?
Maybe it’s possible to implement it in the USB dongle itself for added security (as long as no one steals your fingerprint, that is). Ergonomically it might be a tad inconvenient and the cost would be higher, no idea by how much though.
http://www.amazon.com/Eikon-Go-USB-Fingerprint-Reader/dp/tech-data/B001EHHWNG
What if someone so desperate decides that he can afford to cut off your finger and use it, just like stealing the dongle 😛
Then you’ve got a problem. But I’d be more worried about the government claiming that they’ve got a right to force you to use your thumb, that it’s just another form of a physical key. (Keys which, unlike passwords, you can be legally forced to give up. In the US, at least.)
This is cool! While it doesn’t fit my needs as is, I have been wanting to try out USB HID implementations… actually, that is the reason I started playing with MCUs in the first place. This seems like such an easy and quick project that I could at least get a ground-level understanding of how to expand it into something that does fit my needs and desires.
I had this in mind for years, but never took the time to realize it. So now I maybe do with less effort 😉
best thing is when someone is on irc and plugs in one of these things with the wrong window activated.
Nice build but wouldn’t want to bank on its entropy. Also see: http://xkcd.com/936/
Nice, but I still use my RFID tag (same as my flat door) to log in to my PC / server 🙂
Seems like it would be a problem changing passwords — you usually need the old password and then a new one, but it appears that this device overwrites the old password with a new one. Also, you have to have a dongle for every account, or use the same password for multiple accounts.
Easy, type in 4 or 5 characters before pushing in the stick. Then you still need to know the 4 or 5 characters because the stick is only the 2nd more complicated half of the password. Only, they don’t know that or how long it is.
I thought that MS BitLocker does the same trick, before the Windows Logon page and directly after booting BIOS.
But man, this could be a handy tool in corporate businesses! Only some users will lose this stick immediately or “forgot” it somewhere…
Nice idea, though I’d rather have a USB token (smartcard + reader in one). If I ever get to do it I’d probably use my Sansa Fuze which is running Rockbox. Its USB driver + vsmartcard might eventually do it.
Nice, yes I did the same 2 years ago. Filed for patent in Belgium:
http://dyndns.sitweb.eu shows a demo, also of an ATtiny85, and from your picture I see you even used the same trick of 2 diodes to step down from 5V to 3.3V. I extended the protocol so you can save any password on EEPROM and it retypes it when clicking a button.
Regarding remembering which program etc., you only need 1 password and a keychain application for managing unlocking all passwords for certain apps with the pass stored on the hardware key.
I called mine the AnyKey 😉
Mine needs a separate app to change the password (really like the capslock tap idea). But yours then again can’t change the password to what you want (mine you type it in a textbox and save it to the key). Also yours types straight away without a button, which I think is not that handy; it’s better to have it inside your laptop and press the button on the dongle whenever you need the password, and take out the dongle when you leave the laptop/PC.
1/2 factor authentication!
Something you have and something you have!
Years ago, I wrote a password generator program. I seeded the random number generator with the time of day. This turned out to be a security issue. A program that knows how the passwords are generated can generate the password for each second of the past year or so and try them.
These days, I generally want quite long passwords that are unique for every site I visit.
I have an mp3 player that I recently upgraded to Rockbox. Now the player can run all sorts of applications. I needed a metronome. But the thing plays chess. There’s a huge amount of resources in there. And, Rockbox, being open source, can provide me a platform to write all sorts of apps. It’s got USB (as a client), a 200+ MHz computer, a screen, a microphone, stereo headphones, a bunch of buttons, a fair amount of memory and gigabytes of solid state disk. It was $13 new, 4 years ago. One app I’d like to write is a bat detector. Bats call ultrasonically. The microphone can sample much faster than the standard 20 kHz. It’s got a screen to show results, or it could emit something to headphones.
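The two entropy points raised in the comments above (don’t trust a homebrew generator’s randomness, and a time-of-day seed only yields as many passwords as there are seconds) can be made concrete. The following is an added example, not code from [Joonas]’s dongle or any commenter: it maps raw entropy bytes onto an assumed 62-symbol alphabet without modulo bias, and computes how many uniformly random characters it takes to exceed the roughly 31.5 million one-second seeds in a year. The alphabet and the sample entropy bytes are constructed for the example; an ATtiny85 has no hardware RNG, so where those bytes would come from is the real design question.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed 62-symbol alphabet; the original project's alphabet is not given. */
static const char ALPHABET[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
#define ALPHABET_LEN 62u

/* Map entropy bytes onto the alphabet without modulo bias: 256 % 62 == 8,
 * so bytes >= 248 are rejected instead of favouring the first 8 symbols.
 * Returns characters written; `out` needs room for out_len + 1 bytes. */
size_t gen_password(const uint8_t *entropy, size_t n, char *out, size_t out_len)
{
    const uint8_t limit = (uint8_t)(256u - (256u % ALPHABET_LEN)); /* 248 */
    size_t used = 0, written = 0;

    while (written < out_len && used < n) {
        uint8_t b = entropy[used++];
        if (b >= limit)
            continue;                        /* biased range: skip this byte */
        out[written++] = ALPHABET[b % ALPHABET_LEN];
    }
    out[written] = '\0';
    return written;
}

/* Smallest password length whose search space (62^len) exceeds seed_space,
 * e.g. the one-second seeds a time-of-day-seeded generator produces in a
 * year. Valid for seed_space below 62^10 (no overflow handling). */
unsigned min_len_to_exceed(uint64_t seed_space)
{
    uint64_t space = 1;
    unsigned len = 0;
    while (space <= seed_space) {
        space *= ALPHABET_LEN;
        len++;
    }
    return len;
}

/* Constructed sample entropy (not from a real source); 248 and 255 hit the
 * rejection path, so 7 bytes yield only 5 characters. */
static const uint8_t SAMPLE_ENTROPY[] = {0, 61, 62, 248, 255, 123, 247};
#define SAMPLE_ENTROPY_LEN (sizeof SAMPLE_ENTROPY / sizeof SAMPLE_ENTROPY[0])
#define SECONDS_PER_YEAR 31536000ULL

int main(void)
{
    char pw[16];
    size_t n = gen_password(SAMPLE_ENTROPY, SAMPLE_ENTROPY_LEN, pw, 15);
    printf("%zu chars from %zu bytes: %s\n", n, (size_t)SAMPLE_ENTROPY_LEN, pw);
    printf("random chars needed to beat a year of time seeds: %u\n",
           min_len_to_exceed(SECONDS_PER_YEAR));
    return 0;
}
```

A year of time-of-day seeds is beaten by just five uniformly random characters, which is why the seed, not the password length, sets the real strength of such a generator.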