Is this the best offline, hardware-based password vault? The Mooltipass Mini BLE


If you keep track of the news you’ll know that data breaches are becoming more and more prevalent, and password managers are becoming a necessity – at least until we move to passwordless sign-ins.

In the meantime though, there is a bit of a predicament. We know that we should have unique and complex passwords but keeping track of this is tedious.

There are a multitude of online companies, such as LastPass, who will keep your passwords for you. But these companies are not immune to data breaches, and do you really feel comfortable having a database of all your passwords under someone else’s control? Another thing to think about is what will happen in the future – you may be comfortable with the company today, but what if the company gets bought out or relocates to a country that you are uncomfortable with?

There are also a number of offline password managers, one of the most popular being KeePassXC. The drawback of these is that they are difficult to use with multiple devices – you’ll need to have the application and database stored on each device unless you want to manually type in your passwords. They are also dependent on the security of your device: if any of your devices are compromised and a threat actor is able to get hold of the database and your master key (for example using a keylogger), then you could be in for a world of hurt.

What is the Mooltipass?

The Mooltipass is an interesting device: it is a hardware password manager. This is not particularly new to the industry; Hardware Security Modules, or HSMs, have been used to protect companies’ most critical assets for years. What is new is this being easily accessible to consumers.

The idea is fairly straightforward: the Mooltipass is a hardened device that is specifically designed to be a secure notebook where you can keep things like passwords or other valuables such as wallet keys. Because it is a stand-alone, hardened device, it is much less likely to be compromised.

Physical access, as well as a card and PIN, are required to unlock the Mooltipass.

Security

Requires physical access to the device

One of the primary advantages of having an offline, physical device is that you immediately reduce the number of threat actors. Sure, someone can break into your house and steal it, but requiring physical access to the device ensures that 99.99% of people do not even have the opportunity to try and compromise it.

Card and PIN

Like any good password manager, the Mooltipass uses MFA. This is in the form of a mini card and a PIN. You need both to be able to unlock the device – the cards that come with the device are custom Mooltipass ones, however you can use any compatible mini card.

The PIN requires 4 characters, and any hexadecimal digit (0-9 and A-F) can be chosen. On top of this, if you get the PIN incorrect 3 times it will destroy the card to stop any brute force attempts. Because of this it is highly recommended that you keep a backup card in a safe place.

The Mooltipass comes with a silicone sleeve to protect its brushed aluminium body. It is also available in a multitude of colours.

Encryption and hardware design

AES-256 encryption, together with the design decisions behind the device, ensures that even if you lose your device your secrets are safe. For reference, AES-256 is used for banking transactions. An example of one of the secure-by-design choices is having entirely separate communication and encryption chips. This means that even when the Mooltipass is connected to another device there is never a direct connection to the area of the Mooltipass where your passwords are stored.

Open Source

In the spirit of openness and transparency, the Mooltipass is entirely open source. This is important, as if you have any concerns about backdoors or vulnerabilities you are able to check the source code (and compile it from scratch if you want). The Mooltipass is also a crowdfunded device, albeit a very complete one, which means that there is a community built up around it. The creator is very responsive on the r/mooltipass Reddit channel as well as Discord, and is always keen for feedback or improvement suggestions.

A final positive about being open source is that you have the ability to create features if you are so inclined. Don’t like the way that the Mooltipass is implementing something? You can delve in and change it.

Connections

Besides storing your passwords, there needs to be an easy way to enter them. The Mooltipass has a variety of connection options to ensure that you are able to enter your passwords no matter what.

Display

The most basic way that you can get your password is to simply view it on the screen. Having to manually read off and type in a 30+ character random alphanumeric string becomes tedious very quickly, however, and I would not recommend this mode unless you absolutely have to use it.

USB keyboard

The Mooltipass has a USB-C connection and, if plugged into a device, will register as a USB keyboard. From there it can enter your passwords automatically at the press of a button; as an added bonus, the USB connection will also charge the Mooltipass while it’s connected. I’ve found that this is the most reliable way to enter passwords, though it does require you to carry around a USB-C cable. Because of this, I primarily use this on my home computer where I can leave the device plugged in all day.

The advantage of both the USB and Bluetooth keyboard (see below) options is that they do not require access to the internet or the installation of anything on the target computer. This makes it a breeze to use with corporate devices where you may not be able to reach your online password manager or install the required browser plugin due to IT restrictions.

Bluetooth

Similar to the USB keyboard, except that you pair this with a device via Bluetooth. Bluetooth is only turned on once the card and PIN are entered, to reduce any possibility of attack via Bluetooth and to conserve battery life.

I’ve found that I primarily use this mode when needing to enter anything on my phone where I only have one USB port. Bluetooth works well most of the time, but I have encountered the occasional instance where the connectivity blips out for a second while sending the password, leading to only a partial password being sent through. It only takes a few seconds to retry it, but it is not quite as seamless as the USB option.

Browser plugin

If you do have permissions on your device and are able to install the browser plugin, then you are able to unlock a variety of additional features. The browser plugin allows you to authenticate your device and then auto-fill passwords just by tapping near the Mooltipass. The Mooltipass detects the vibrations and will log you in automatically – this makes the process extremely smooth if you mainly use the Mooltipass with one device.

It also allows the Mooltipass to communicate directly with the browser plugin, bypassing the keyboard input. This means that even if you did have a keylogger, it would not pick the password up.

Lastly it allows you to easily create new passwords when registering a new account.

Improvements

The Mooltipass is very well rounded, however it is not perfect. There are a number of things that prevent an entirely seamless experience.

No easy Bluetooth switching

These days most people have multiple devices – PCs, tablets, phones. While the Mooltipass is easy to pair, it is not easy to switch which device it is linked to. It would be great to have an easier option than manually disconnecting and reconnecting it every time you want to enter a password into a different device.

Keyboard layout

When using the device in USB or Bluetooth keyboard mode, you need to make sure that the Mooltipass keyboard layout matches the device keyboard layout. This is fine for the majority of characters no matter the keyboard; however, some of the special characters can be typed incorrectly if the layout is not set up correctly. As a workaround I only generate passwords that do not contain the more obscure special characters.
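The workaround above trades a smaller character set for reliable typing, so it is worth knowing how much length makes up for the lost entropy. The following is an added example (not code from the Mooltipass project): the "layout-safe" punctuation set is an assumption chosen for illustration, since which punctuation survives a layout mismatch depends on the two layouts involved.

```python
import math
import secrets
import string

# Assumed for this example: the small punctuation set the generator keeps.
# The author's workaround avoids "obscure" special characters; exactly which
# ones are safe depends on the host and device layouts, so adjust to taste.
LAYOUT_SAFE_PUNCT = "-_."
FULL_PUNCT = string.punctuation  # all 32 ASCII punctuation characters


def alphabet(safe_only: bool) -> str:
    """Character set used for generation (62 alphanumerics plus punctuation)."""
    return string.ascii_letters + string.digits + (LAYOUT_SAFE_PUNCT if safe_only else FULL_PUNCT)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches target_bits for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length: int = 30, safe_only: bool = True) -> str:
    """Generate a password with the CSPRNG, restricted to the chosen alphabet."""
    chars = alphabet(safe_only)
    return "".join(secrets.choice(chars) for _ in range(length))


def is_layout_safe(password: str) -> bool:
    """Check a password (e.g. one generated elsewhere) against the safe alphabet."""
    return all(c in alphabet(True) for c in password)


if __name__ == "__main__":
    for safe in (True, False):
        size = len(alphabet(safe))
        print(f"safe_only={safe}: alphabet={size}, 30 chars -> {entropy_bits(30, size):.1f} bits, "
              f"128 bits needs {length_for_bits(128, size)} chars")
    print(generate(30, safe_only=True))
```

With the assumed set the safe alphabet has 65 symbols against 94, so a 22-character safe password already carries more than 128 bits, which is why the author's 30+ character passwords lose nothing meaningful.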

Pin input

The Mooltipass requires MFA – both a card and a PIN. However, the only way to enter the PIN is via a scroll wheel on the side of the device. Using this to continually unlock the device becomes tedious very quickly. It would be nice if the next iteration could incorporate a fingerprint sensor as well.

Password Management

Database management of passwords is not as advanced as in some others. The Mooltipass password manager is functional but does not have as many fields as the more established password managers. You can store URL, username and password but cannot give an entry a more user-friendly name. This means that you have to search for your password by URL, which can be annoying – especially if there are prefixes in the URL that mess with the ordering. For example, app.websitename.com would be stored under “A” rather than “W”.
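The ordering complaint above is easy to see in code. As an added example (not part of the Mooltipass software), this derives a display key for each stored URL by dropping generic host prefixes, so that app.websitename.com groups under “W”; the prefix list is an assumption for the example, and multi-part public suffixes such as co.uk would need a public-suffix list to handle properly.

```python
from urllib.parse import urlsplit

# Assumed for this example: host labels that say nothing about which site an
# entry belongs to and only disturb alphabetical ordering.
GENERIC_PREFIXES = ("www", "app", "login", "auth", "accounts", "my")


def display_name(url: str) -> str:
    """Reduce a stored URL to the part a user would look an entry up by."""
    # urlsplit only recognises a host if a scheme or "//" is present
    parts = urlsplit(url if "://" in url else "//" + url)
    labels = (parts.hostname or "").lower().split(".")
    # Strip leading generic labels but always keep at least domain + TLD.
    # Caveat: "example.co.uk" style suffixes need a public-suffix list.
    while len(labels) > 2 and labels[0] in GENERIC_PREFIXES:
        labels.pop(0)
    return ".".join(labels)


def bucket_letter(url: str) -> str:
    """The letter an entry would be listed under once prefixes are ignored."""
    return display_name(url)[:1].upper()


def sort_entries(urls):
    """Order entries the way a user expects: by site name, not raw host."""
    return sorted(urls, key=display_name)


if __name__ == "__main__":
    # Constructed sample entries for the demo
    sample = ["app.websitename.com", "https://www.abc.com/login", "bank.example"]
    for u in sort_entries(sample):
        print(bucket_letter(u), display_name(u), "<-", u)
```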

Non-replaceable battery

In order to create a tamper-proof design, it is not possible to replace the battery. This means that once the battery dies the device loses a lot of functionality. You will still be able to use it over USB, however.

Difficult to backup

There is no way to easily back up your passwords off the device. You can extract an encrypted database from the device, but you will need a card reader to be able to determine the decryption key for it.

Final Verdict

The Mooltipass is a very well thought-out piece of hardware for a very specific user. If you are hesitant to use an online password manager or even an offline password manager on your phone then this is pretty much your only option.

While the Mooltipass is certainly pocketable, it is another device that you need to carry around with you.

With the additional security comes the requirement to carry an additional device around with you which is not for everyone.