65536 Password Vault Moderators: adafruit_support_bill, adafruit

[LesHall]

I was very impressed with John Park's Password Vault (https://learn.adafruit.com/circuit-playground-password-vault/password-vault-coding?view=all) so I made my own version. The first attempt was unsuccessful but the second try I got it right. It's nothing more than a Circuit Playground with M3 machine screws and M3 nuts in the eight terminals and some code, and it provides 65536 passwords. I didn't even 3D print an enclosure for it but I guess Adafruit already posted one that is wrist-mountable.

The code is simple and now that I'm beginning to get the hang of GitHub I can share it if anyone wants it. The operation is very simple: You use capacitive touch on the eight bolts to set the LED's either Magenta or Aqua (tasty colors IMHO), then press button one to set the seed of the random generator in binary. Then you repeat with the second button to select one of 256 pseudorandomly generated passwords. 256 x 256 = 65536 possible outputs, all grambly scrambly like a good password should be.

You could even go nuts with it - add yellow for trinary, RGB and black/white for octal on each pin, get the accelerometer in on it to tap out an entry key, and put a code in the software to create uniquely different password vaults.

The only problems I see at this point are that the passwords don't go into my iOS devices so that's a major bummer that the Bluefruit EZ-Key (https://www.adafruit.com/product/1535) should solve. Also if you lose your password vault, yer toasted. So make two of them and store the spare in a lock box I guess.

Thanks for the fun Adafruit!
Les

[adafruit_support_mike]

Post a photo if you have the time. We'd love to see it!

[CreatorLes]

i don't seem to be able to transfer anything from iOS.

[adafruit_support_mike]

This page shows how to to take screenshots in iOS:

https://support.apple.com/en-us/HT200289

and the Camera app has a range of ways to share images with other devices: email, Photo sharing, etc.

[CreatorLes]

Great, thanks Mike.

Here is a photo. It's just got some bolts for touch surfaces and some LED's Lit up. Not much to it really.

Les

Circuit Playground Password Vault - 1.jpg (116.14 KiB) Viewed 1646 times

[adafruit_support_mike]

Working projects are always cool. ;-)

Would you mind posting the code?

[CreatorLes]

Sure, np - here it is.

It makes passwords like these: 71rfhzv2L9d3, u5ch95PSvlPx, and NoM47hs006Ht76.

Anyone - beginner or expert - can readily modify the code to make their own custom Password Vault. All you have to do is mess around with the details of how the random numbers get converted into passwords, or maybe throw in some extra random calls.

I was thinking of using the tap code example to tap out an entry passcode, or the light sensor to measure skin tone or microphone thingie, something or other - lots of ways to add features exist.

Les

Code: Select all | TOGGLE FULL SIZE

/////////////////////////
//
// Password Vault
// by Les Hall
// created Thu Apr 6 2017
//
//



// include libraries
#include <Adafruit_CircuitPlayground.h>
#include <Wire.h>
#include <SPI.h>
#include <Keyboard.h>



// global variables
unsigned int value = 0;  // numeric encoding of selected bits
int bright = 20;  // how bright the pixels are , 1 to 255
int pins[] = {0, 1, 2, 3, 6, 9, 10, 12};  // Circuit Playground pins
int led[] = {3, 4, 1, 0, 6, 8, 9, 5};  // LEDs assigned to pins
bool leftButtonPressed = false;  // status of left button
bool rightButtonPressed = false;  // status of right button

 
void setup() {

  // allow Circuit Playground to act as USB HID device
  Keyboard.begin();
 
  // start the Circuit Playground features
  CircuitPlayground.begin();
}



void loop() {

  // read in the capacitor sense values
  // and set the value accordingly
  do {
    // loop thru the bits
    for (int i = 0; i < 8; ++i) {
      // set b to the cap sense bit value
      int b = bitRead(value, i);
      if (CircuitPlayground.readCap(pins[i]) > 25)
        b = !b;
      bitWrite(value, i, b);  // write each bit accordingly
      // display each LED as purple (b = 0) or aqua (b = 1)
      CircuitPlayground.setPixelColor(led[i],
        bright*(1-b), bright*b, bright);
    }
    // check for either button pressed
    leftButtonPressed = CircuitPlayground.leftButton();
    rightButtonPressed = CircuitPlayground.rightButton();
    delay(250);
  } while ( !(leftButtonPressed || rightButtonPressed) );  // exit if pressed
  delay(500);
 
  // apply the unique personal seed mask
  if (leftButtonPressed) {

    // set the seed value
    randomSeed(value);
 
  } else if (rightButtonPressed) {
   
    // print out a password
    int numChars = int(random(12, 16));
    for (int i = 0; i < numChars; ++i) {  // loop thru the length
      float percentage = random(100);
      if (percentage > 67)
        Keyboard.println( char( random(int('a'), int('z')+1) ) );
      else if (percentage < 33)
        Keyboard.println( char( random(int('A'), int('Z')+1) ) );
      else
        Keyboard.println( char( random(int('0'), int('9')+1) ) );
    }
   
    // set up for next time
    CircuitPlayground.playTone(500, 100);  // sound a beep
  }
 
  // reset for next password
  CircuitPlayground.clearPixels();  // turn LEDs off
  delay(1000);
}




[adafruit_support_mike]

Awesome.. thanks!

[josephcsible]

This doesn't seem very secure. Looking at the code, it seems that anyone who uses this has the exact same set of 65536 possible passwords, which isn't very many when they're shared. They could all be easily added to cracking dictionaries.

[LesHall]

RTFM, I mention several ways to make each digit have more colors including octal which would increase the number of codes to 281,575,976,710,656. Put that in your cracking dictionaries and crunch it.

Les
p.s. in a bad mood, oh well.

[josephcsible]

I know you can modify it to be secure. My point that it's not secure if you use it unmodified, which I expect a lot of people will do.

Also, I looked closer at the code, and I'm not sure how you're supposed to even get all 65536 combinations. I get that you set your color combination then hit the left button (256 combinations), but after that, further changes to the colors don't affect what the right button will do at all. Unless I'm missing something, you really only have 256 combinations (or 16,777,216 if you make all of the colors octal), unless you count pressing the right button multiple times without pressing the left one in-between (which would be very inconvenient, since you couldn't get later passwords without typing earlier ones).

[LesHall]

Thank you for your reply. It takes a level headed person to react calmly when a hot-head like me spews junk. Yeah there are other issues as well like how do you remember a 16 digit multicolor code? Or what if they watch you use it and see the colors? stuff like that - it's really not super secure.

However, it does give you scrambley junque-ish passwords that takek more effort to crack than our typically remembered passwords. Sorry t snap at you, I just found out bad news.

Les

[LesHall]

If I were to make another Circuit Playground password vault, I'd use some AI speech and biological authentication plus color palette password selection.

I'm finding that the password vault that I describe to you here was, like so many of my projects, a step in the right direction and useful for learning however not fully practical for general purpose use as you mention. At any rate, it was a fun project to cobble together.

[adafruit_support_mike]

It takes a level headed person to react calmly when a hot-head like me spews junk.

It also takes strength to stop, rethink, apologize, and change direction. What I'm seeing is a good demonstration of community spirit. Thank you for that.

BTW - putting all 65636 codes in a file wouldn't create a dictionary attack. A dictionary attack pre-calculates the encrypted values of known strings, then stores those in a lookup table with the plaintext. An attacker with an encrypted string can simply look for that string in the table to find the plaintext without actually 'decrypting' anything. You can make dictionaries for all possible combinations of N characters, or for a subset of commonly-used patterns (like words in the dictionary), but each encryption algorithm produces a different dictionary for the same input set.

An attacker with a list of 65636 possible passwords is still looking at a brute-force attack over a 65636-item keyspace. Statistically, a brute-force attack has to test about 60% of its keyspace before it finds a hit, so a person with a list of 65636 passwords will average about 39,000 attempts before getting in. That's small compared to the 47e27 possible 16 character strings from a 62-character alphabet, but if a security system allows 39k failures without saying, "uh, dude?", the size of the keyspace is the least of your problems. ;-)

[josephcsible]

if a security system allows 39k failures without saying, "uh, dude?", the size of the keyspace is the least of your problems. ;-)

Good point. This attack is only really practical in offline-attack scenarios (like a local computer login or hard-drive encryption), or if the hash database gets stolen.