November 16, 2014 · aes aes128 encryption kickstarter password ROT13 blooky blooky_ logmeonce everykey gilmo password manager security symmetric asymmetric aes256

Kickstarter Password Managers: The good, the iffy and the dangerous.

Over the last few months, Kickstarter has been awash with password managers.

Unless you're willing to invest and use a ridiculously tiny comments box, it's impossible to comment or ask further questions so others can see their response.

Rather than clutter the comments area, this article will provide a very high-level overview of each product; a summary of why you should/shouldn't use them. Don't forget to bookmark it, as it's likely to be updated frequently.

Gilmo

Kickstarter: https://www.kickstarter.com/projects/gilmo/gilmo-password-manager-the-next-step-in-password-p

Although their Kickstarter campaign wasn't successful, it showed real promise.

Essentially an offline password manager with one crucial difference... it can't be connected to any external devices (PCs, WiFi, Bluetooth or the internet).

Unless this becomes available for purchase, I won't spend too much time on it... but certainly one to keep an eye out for!

Verdict: Good


Kickstarter: https://www.kickstarter.com/projects/everykey/everykey-the-wristband-that-replaces-keys-and-pass

Common sense suggests the wristband would store all your usernames & passwords, but that's not the case at all. Your credentials are actually stored on your PC and encrypted using AES128. This is similar to other password managers, so there's nothing of immediate concern there.

The wristband actually stores the encryption key needed to decrypt your data, as & when it's required. The key is sent over a Bluetooth (LE4) connection, itself encrypted and resilient to replay attacks.

Unfortunately, the team behind the 'Everykey' have given some very questionable responses to some really simple questions.

Most importantly however...

I wouldn't call it insecure just yet, but there's no evidence to suggest otherwise.

I cancelled my pledge on 20/11/2014 and cannot post further comments on Kickstarter.

Verdict: Iffy


Kickstarter: https://www.kickstarter.com/projects/339603800/blooky-wireless-bluetooth-password-key

As ideas for password managers go, this is probably one of the worst.

Two critical issues:

This is akin to fitting the pinnacle of security locks to your front door, then handing the keys to someone you don't know. Crazy!

It gets worse...

Blooky helps keep you safe from hackers by putting your valuable personal information back in your hands, not on a cloud server or "honeypot" for hackers to target.

If your usernames & passwords are securely encrypted, it doesn't matter where they're stored. As a 1Password affiliate, I regularly print & distribute my encrypted keychain during demonstrations. Am I concerned? Not even slightly.

Why App-based Password Managers Aren't Secure

Password managers use one password to unlock a "vault" that secures all your personal information. What would happen if someone gained access to your vault? They'd have access to your bank accounts, your social media, what you buy, where you and your family live, and all sorts of other private information.

There's a rookie mistake, if ever I've seen one.

Absolute security is knowing security isn't absolute. Traditional or "app-based" password managers (the good ones at least) mitigate risk. Products like 1Password and LastPass don't store your cryptographic key anywhere, because doing so would dramatically increase the risk of your key being compromised, thus lowering security.

In this context, a symmetric cryptographic key (derived from a user's password) and an asymmetric private key are identical, in that anyone in possession of them can decrypt the data.

For an asymmetric cryptosystem to be of use, they MUST save the key somewhere. It wouldn't be quite as bad if it never left your environment... but in the cloud?!

Graham Cluley hit the nail on the head, when he said:

Don’t call it ‘the cloud’. Call it ‘someone else’s computer’

Although there's no evidence to suggest it is, Blooky_ could also use hybrid cryptosystem, but it's equally inappropriate.

Verdict: Dangerous


Kickstarter: https://www.kickstarter.com/projects/199263837/logmeonce-your-password-manager-secure-usb-and-pho

Issues so far:

More coming soon...

Verdict: Iffy (so far)