On a regular basis, my work forces me to change passwords. We’ve all probably been there, and I wonder if it is a terrible idea to put some commonly-used passwords into macros that are stored on the keyboard. For others wiser than me, are there horrific security implications in this? I could even see the use of a password managing plugin, all handled by the keyboard.
I’d say that in general, this is a pretty bad idea, for a number of reasons:
- Anyone with access to your keyboard will have access to the passwords. They can just plug it into their laptops, dump the firmware, and plug it back into yours - you won’t even notice the passwords being stolen.
- Reusing passwords is risky: if one site gets hacked, you have to change passwords everywhere else where you used the same one. That also means you have to remember where you used them. Or sometimes even whether you signed up for a certain service.
- The amount of space on the keyboard is limited, so you won’t be able to store many long passwords.
- They’re not easy to back up.
- You can’t put your sketch online either, because it would also include the passwords (unless you put them in EEPROM, but then you have even less space).
I’d strongly recommend using a password manager like KeepassXC, because it not only helps with keeping your passwords safe, it also helps you with having good passwords (like 128-byte generated ones that include letters, numbers, all cases, symbols and whatever else you desire). Using a password manager allows you to have a different password for every single thing. It frees you from having to remember passwords at all. Using a password manager, you don’t need to remember what password you used where - it can figure that out for you.
In short: use a password manager, the keyboard’s on-board memory is not fit for this purpose.
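To make the "dump the firmware" point concrete, here is an added example (not code from this thread, from Kaleidoscope, or from the Model01 firmware). It builds a constructed Intel HEX image standing in for what `avrdude -U flash:r:dump.hex:i` reads back from the MCU, with a made-up password literal embedded the way a macro sketch would embed it, then parses the records and lists every printable run, which is all an attacker needs to do. The version string, the code-like filler bytes and the password are all invented for the example; nothing here touches real hardware.

```python
"""Recover string literals from an Intel HEX firmware dump.

Added example for the thread above. The flash image below is constructed
(the "Kaleidoscope 1.0" string, the filler bytes and the password are all
made up); it plays the role of a read-back of a keyboard's flash. Storing a
password as a string literal in a sketch puts it in flash in the clear, so
a plain `strings`-style scan of the dump is enough to recover it.
"""


def intel_hex_encode(data: bytes, base: int = 0, rec_len: int = 16) -> str:
    """Encode bytes as Intel HEX data records (type 00) plus an EOF record."""
    lines = []
    for off in range(0, len(data), rec_len):
        chunk = data[off:off + rec_len]
        addr = base + off
        body = bytes([len(chunk), (addr >> 8) & 0xFF, addr & 0xFF, 0x00]) + chunk
        checksum = (-sum(body)) & 0xFF          # two's complement of the byte sum
        lines.append(":" + (body + bytes([checksum])).hex().upper())
    lines.append(":00000001FF")                 # EOF record
    return "\n".join(lines) + "\n"


def intel_hex_decode(text: str) -> bytes:
    """Parse Intel HEX data records into a flat flash image.

    Every record's checksum is verified and corruption raises ValueError;
    record types other than data (00) and EOF (01) are rejected rather than
    silently skipped, so a damaged dump is noticed instead of misread.
    """
    image = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' record marker")
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF != 0:                # checksum byte makes the sum 0 mod 256
            raise ValueError(f"line {lineno}: bad checksum")
        length, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        payload = raw[4:4 + length]
        if len(payload) != length:
            raise ValueError(f"line {lineno}: truncated record")
        if rtype == 0x01:
            break
        if rtype != 0x00:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
        end = addr + length
        if end > len(image):
            image.extend(b"\xff" * (end - len(image)))   # unprogrammed flash reads 0xFF
        image[addr:end] = payload
    return bytes(image)


def extract_strings(image: bytes, min_len: int = 8) -> list:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    found, run = [], bytearray()
    for b in image + b"\x00":                   # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


# Constructed flash image: code-like filler, a version string, and a macro's
# password literal. None of this comes from real firmware.
FLASH_IMAGE = (
    b"\x0c\x94\x34\x00\x0c\x94\x51\x00"          # AVR-style vector table filler
    + b"Kaleidoscope 1.0\x00"
    + b"\x80\x91\x00\x01\x08\x95"
    + b"Hunter2-but-longer!\x00"                 # the macro's stored password (made up)
    + b"\xff" * 8                                # unused flash
)

FIRMWARE_HEX = intel_hex_encode(FLASH_IMAGE)    # stands in for dump.hex


def recover_secrets(hex_text: str = FIRMWARE_HEX) -> list:
    """Decode a HEX dump and list the strings an attacker would see."""
    return extract_strings(intel_hex_decode(hex_text))


if __name__ == "__main__":
    for s in recover_secrets():
        print(repr(s))
```

On a real ATmega32U4 board with a Caterina-style bootloader (the Model01 is one), the read-back itself is a single `avrdude -p atmega32u4 -c avr109 -P /dev/ttyACM0 -U flash:r:dump.hex:i` after the board is put into its bootloader; the port name is an assumption and varies by system. Moving the literal to EEPROM changes nothing here either, since EEPROM can be read back the same way with `-U eeprom:r:...`.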
That’s about the answer I was expecting. You bring up a good point about the risk of someone gaining access to the keyboard. I guess I was expecting the complexity of customized firmware + layout changes to mitigate the risk.
I’ll check out your suggested solution. Thanks!
I totally agree with @algernon. My tip for a password manager is 1password. I pay for plenty of software that I use during the day, but this one is my favorite. Definitely check it out.
What if you built U2F firmware into the keyboard? Similar to a Yubikey.
OK, it still will be vulnerable to people taking your keyboard and using it to log in somewhere. But they won’t be able to steal a fixed password from it.
The biggest downside I see with this: I’d need to take my M01 everywhere. Or maybe that’s not a downside after all?
Or you could just carry a yubikey.
I think sometimes we get carried away with cool projects and think “but what if it ALSO did THIS?”, and forget that sometimes it’s better to optimize one thing for one job. Yes, it is almost certainly possible to implement U2F in firmware, but that doesn’t mean it’s optimal, or even advisable…
I don’t think the MCU in the Model01 is powerful enough to implement both a keyboard and a U2F device. It is also easier to carry a dedicated U2F device around.
A perhaps more viable option would be to use the extension headers to connect another device, which can handle the crypto parts. But then, a U2F key is still a more practical option.