Do you use Password123 for all of your online services? David Crookes looks at a Pi Zero-based device that should help you come up with more secure logins.
DIY Hardware Password Keeper
Experts suggest that we should use a different password for every online service we access, but, as many users know, trying to remember them all can be rather difficult.
Better, then, to have a secure and convenient system that can store and recall them for you, which is why Eugene Dzhurynsky has created a hardware password storage device based around a Raspberry Pi Zero and radio frequency identification (RFID) technology.
Eugene is a Ukrainian software engineer living in Boston, Massachusetts, where he currently works as a data engineer and machine-learning specialist.
Inspired by a thread on Reddit which explained how the Pi Zero could function as a USB device, Eugene noted that the Pi Zero could control another computer and act as a keyboard.
“It was a ‘wow’ moment and I was stunned by the possibilities,” he recalls.
With this in mind, Eugene got to work. He wanted to create a device that couldn’t be hacked remotely over a network. What’s more, he didn’t want users to have to type in a password to unlock the device and he wanted it to be relatively small, with secure and encrypted storage.
Encryption, he says, was the easy part. “I could use any industry standard encryption,” he explains. The tricky aspect was the key – the component that would unlock the encrypted file containing a user’s passwords.
Eugene intended to store the passwords on the Pi Zero, so he figured that placing a private key on an RFID fob would work well. With the Pi-based device wired to an RFID card reader and connected to a computer, he reckoned a user would only need to bring the fob close to unlock the device and allow the passwords to be accessed and shared. A user could then log in to whatever service they were trying to access.
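As an added illustration of the design described above (this is not Eugene’s code, which the article does not show), the Go sketch below seals a password store with AES-GCM under a key standing in for the one read from the fob. The cipher choice, the raw 32-byte key, and the names SealVault and OpenVault are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-GCM from the fob bytes (assumed: a raw 32-byte key, so AES-256).
func newAEAD(fobKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fobKey) // errors unless the key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the password store as nonce || ciphertext || tag.
func SealVault(fobKey, plain []byte) ([]byte, error) {
	aead, err := newAEAD(fobKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// OpenVault fails if the fob key is wrong or the stored file was altered.
func OpenVault(fobKey, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(fobKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("vault file too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	fob, other := make([]byte, 32), append(make([]byte, 31), 1) // constructed demo keys
	sealed, _ := SealVault(fob, []byte("constructed-password"))
	_, err := OpenVault(other, sealed)
	fmt.Println("wrong fob rejected:", err != nil)
}
```

Because GCM authenticates the ciphertext, a wrong key or a modified file produces an error rather than garbage output.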
Certainly, the Pi Zero proved the perfect fit. “It has a Linux OS, it’s easy to manage, it’s developer friendly, and it has enough memory and network adapters,” Eugene says. He coded it using the programming language Go and he fitted the device with a small OLED SPI display before allowing it to be controlled via some buttons positioned on the front. All were placed in a self‑made case.
In order to add and manage the passwords, Eugene then made use of a web interface which was put together with the help of friend Maxim Vassilyev. “Pi Zero can present itself as network interface as well as a keyboard so by navigating to the local address http://10.101.1.1, the web interface for the password management will be accessible,” Eugene explains.
He says it only works in the presence of the fob: “So if someone will try to plug the Pi into a computer, they won’t be able to access passwords.” And yet the system is not quite perfect.
“The key can be compromised if it’s used with some cheap RFID cards,” Eugene admits. “But if you just keep the key in an RFID-protective cover, then it’s going to be safe.”
So could it be used as a professional tool in its current state? “Tough question,” replies Eugene. “I don’t use it to keep my own passwords, that’s the answer. But it’s just a pet project and there are many things to be added before it will become truly safe and secure.”
Indeed, he wants to add backup and restore options for the internal storage and RFID key, and he wishes to improve the web interface, add a help section, provide an easy way to add more keys and users, have the device generate passwords, and add a real-time clock for random seed generation. “People seem to like the approach I’ve been taking,” he says.