This is the PasswordPump, a USB device that manages credentials for up to 254 accounts. Credentials (account names, usernames and passwords) are stored ONLY on the device itself, on two removable EEprom chips using military grade encryption (AES-128). They are not stored in the cloud or in a file on your computer where they are more exposed to hackers. Credentials are backed up on the device itself; i.e. encrypted credentials are moved from the primary EEprom chip to the backup EEprom on demand. You may remove the EEprom chips from the device (perhaps to keep a third or fourth backup). Credentials are entered either via the rotary encoder (on the left) or via keyboard and serial terminal. The device itself is approximately 1 1/8 x 2 3/4 inches, or 29 x 71 millimeters. Currently it's not housed inside of a case, but it should be and will be once design of the case is complete.
Features
- Store up to 254 sets of credentials on a single 25LC256 EEprom chip.
- Credentials are stored in alphabetical order for easy location.
- Up to 10 failed attempts to enter the master password are allowed, then an automatic chip wipe and factory reset occurs.
- All credentials are encrypted with AES-128; the master password is hashed with SHA-256.
- All encrypted accounts and the hashed master password are salted.
- The device is not vulnerable to standard password attacks.
- Backups on external EEprom are encrypted.
- All credentials can be dumped into a text file for an additional backup (e.g. to a thumb drive that's stored in a safe or safe deposit box, and encrypted).
- Entry of credentials is supported via keyboard and serial terminal or rotary encoder.
- Only one master password, up to 14 characters long, is required to access all of your credentials.
- Automatic logout after 1 hour of inactivity.
- Optional password generation, 31 characters of random letters, symbols and numbers, for extremely strong passwords.
- Configure the display of passwords on the device to be on or off.
If you're interested in acquiring a kit including the custom PCB, visit www.5volts.org.
Menu Hierarchy
Visit https://www.5volts.org/home/passwordpump to view the menu hierarchy; I initially placed it here but the indentation wasn't preserved.
You move through the menu items by turning the rotary encoder, clockwise to move down the list and counter clockwise to move up. Account names are stored in alphabetical order. To select an item you click down on the rotary encoder (short click). To backup you hold the rotary encoder down for more than a half second (long click).
Operation
To turn the device on you simply plug it into a USB port/receptacle using a micro USB Micro-B plug to USB-A plug cable, the same cable that you'd use to charge an Android phone. The first time you plug it in a driver might need to be installed. The driver is available for download in the source code repository referenced below in the Source Code section. If I shipped the device to you it arrives already flashed with the program and the lock bits are set. See the data sheet for the Atmel ATMega 32u4, section 28.1, for more information about setting the lock bits. Since this is an open source project it doesn't really matter anyhow.
Setting the lock bits serves to better protect the hashed master password and the source code.
The first time you power the device on you'll see:
Master Password March 11 2019 (or the date of the most recent compile)
At this point you'll want to enter your master password. Try to select a master password that you'll be happy with, because if you want to change it you have to Reset the device, and that wipes out all of your credentials. There is only one way to get the credentials back into the device after that, by keying them in via keyboard or rotary encoder. Also try to select a password that can be more quickly entered into the device. It should be a combination of upper and lower case, with numbers and maybe a symbol or two. I like to pick a password that can be typed almost entirely with my left hand, I find they are easier to input via the rotary encoder. You should select a strong password; a combination of letters, upper and lower case, numbers, and special characters, between 7 and 14 characters long. To enter a character turn the rotary encoder until the character appears and then press the rotary encoder down (short click) to select the character. There's presently no way to back up if you make a mistake so be careful (or enhance the code yourself, if you can squeeze it in!). Once the entire master password has been entered long click the device (click down the rotary encoder for more than 1/2 a second). You've just entered the master password and now you're ready to enter a set of credentials.
Adding Credentials
To add a set of credentials via the keyboard you need to open a serial terminal. The one that works best for me is the Arduino serial terminal. So if you open the Arduino IDE go to Tools->Ports and select the Arduino/Genuino Micro port. Then select Tools->Serial Monitor (or Ctrl+Shift+M). Next, on your PasswordPump navigate down to Keyboard OFF and change it to Keyboard ON with a short click. Navigate back up to Add Account and short click. You'll see:
Account Name Add Account
Short click, then switch back to the Arduino Serial Terminal and enter the account name, followed by the return key. Then long click on the Password Pump. You should now see:
Edit Username [the account name you entered]
Short click again, switch back to the Arduino Serial Terminal and enter the username, followed by the return key. Then long click on the Password Pump. You should now see:
Edit Password [the account name you entered]
Short click again, switch back to the Arduino Serial Terminal and enter the password, followed by the return key. Then long click on the Password Pump. You should now see:
Indicate Style [the account name you entered]
Short click again and use the rotary encoder to specify either 0 or 1. Specify 0 if, while supplying username and password, the Password Pump should send a carriage return after sending the username and before sending the password. Specify 1 if, while supplying username and password, the Password Pump should send a tab after sending the username and before sending the password. Then long click on the Password Pump. You should now see:
Account Name [the account name you entered]
Long click again and you'll see:
Find Account [the account name you entered]
You've finished entering the credentials.
Note that you can also enter credentials using just the rotary encoder. Keyboard can be ON or OFF, it doesn't matter. Simply enter the credentials using the rotary encoder in a fashion similar to how you entered the master password.
Sending Credentials
Navigate to Find Account and short click. Use the rotary encoder to scroll through the list of credentials you've entered. When you've found the account name associated with the credentials you want to send to your computer, place the input focus in the username text box in the window prompting you for credentials on your computer. On the Password Pump you should see:
Send User & Pass [the account name you selected]
Short click to send the username, a carriage return or a tab character (depending on the style setting), and then the password. If you selected the correct style you should now be logged in to your account / application.
If you only want to send the password to the computer, followed by a carriage return, scroll down once using the rotary encoder until you see:
Send Password <RET> [the account name you entered]
And short click to send the password and the carriage return character.
Similarly you can send just the username or just the account name.
Editing Credentials
To edit a set of existing credentials first decide if you're going to edit the credentials via the keyboard or just the rotary encoder. If you're going to edit the credentials via the keyboard follow the instructions in Toggling Keyboard Entry. Then use Find Account to navigate to the account you want to edit and short click. Then scroll down to Edit Creds and short click. Then scroll to the attribute you want to edit; Account Name, Edit Username, Edit Password, or Indicate Style. Now short click. Use the keyboard to re-enter the attribute in the fashion described in Adding Credentials, or just use the rotary encoder to re-enter the attribute. Then long click to save the change. If you are generating a new password for the account then follow the instructions in Generating a Password.
Deleting Credentials
Make sure you have a current EEprom backup. Navigate to Find Account and short click. Use the rotary encoder to select the account that you want to delete, and short click. Using the rotary encoder scroll down to Delete Acct and short click. Confirm your desire to delete the account by selecting Y with the rotary encoder and short clicking. The account is gone now and it's wiped from the primary EEprom chip. It isn't wiped from the backup EEprom yet, so if you accidentally delete an account, and you have a recent backup, you can restore the backup and the account will reappear. Navigate to Find Account and verify that your account is deleted. If you're not able to scroll through all of your accounts, an intermittently occurring defect has occurred and the linked list that manages the display of all of the accounts is corrupted. Restore the latest backup from EEprom. If you backup the EEprom immediately after deleting the account it is also wiped from the secondary EEprom.
Generating a Password
Read through all of these instructions before attempting to change your password to a new generated password. The most powerful feature of the PasswordPump is its ability to generate random 31 character passwords and remember them. These passwords are extremely difficult to guess and are not as vulnerable to brute force attempts to break into an account. Before performing this operation you should be sure that you have a current backup of all your credentials. To generate a password for an account simply find the account via Find Account and select the credentials by short clicking on the account name. In your application on your computer navigate to the change password feature and place input focus in the Old Password text box. On the PasswordPump navigate to Send Password (NOT Send Password <RET>) and short click. In your application on your computer place input focus in the new password text box by hitting the <TAB> key. In the PasswordPump scroll down to Edit Creds and short click, then scroll down to Gen Password and short click. This changes the password to a randomly generated series of 31 characters. Now long click once, navigate to Send Password (NOT Send Password <RET>) and short click. If you need to confirm the new password then place input focus on that text box in the application on your computer and short click again. Confirm your password change by hitting the return key or otherwise clicking on the appropriate button. You now have a random 31 character password on the account, and the only place where that password exists is on the encrypted EEprom chip on your PasswordPump. At this point it's a good idea to Backup to EEprom and Backup to a File, and to be sure that you can somehow recover from a lost password on that account. Warning: If the attempt to change your password fails because the old password is not accepted be aware that you have just overwritten the old password with your new generated password.
To restore the old password you'll need to either Restore a Backup from EEprom and try again, or go to the encrypted backup file on your thumb drive to get the current password for the account, or recover the password from the account using whatever mechanism is available to you via the application or web site. Think ahead and be careful so that you don't lock yourself out of your account!
Logging Out
When you want to log out of the device navigate to Logout using the rotary encoder and short click. The RGB led changes from green to blue. You're now logged out and must enter the master password again in order to use the device. If you're walking away from your computer to get coffee it's good practice to lock your computer and logout of the PasswordPump.
Toggling Keyboard Entry
Navigate to Keyboard ON/OFF. Short click to toggle the setting. When the keyboard is on you may enter credentials via the keyboard using the process described in Adding Credentials. Keep the keyboard set to OFF when you're not entering credentials. This setting is not saved when the device powers off and the default is Keyboard OFF.
Showing/Hiding Passwords
Using the rotary encoder navigate to Show Psswrd ON/OFF. Short click to toggle the setting. This setting is saved when you log out and power down the device.
Backing Up to EEprom
On the Password Pump navigate to Backup EEprom using the rotary encoder. Short click, then confirm that you want to backup from the primary EEprom to the secondary EEprom by selecting Y with the rotary encoder and short clicking. The RGB will be yellow while the backup is taking place, and then change back to green.
Back Up to a File
On the PasswordPump navigate to Backup to File using the rotary encoder. On your computer open a text editor (one without an autocomplete feature), notepad.exe works best, and place input focus inside the text editor. Personally I use UltraEdit because it has built in encryption. Then short click on Backup to File. The contents of the primary EEprom chip (all of the credentials stored in the PasswordPump) are dumped into the text editor. The RGB led turns purple, then to green when the operation is complete. It's best to encrypt this file by zipping it up with a password using WinZip or similar, and storing it on a thumb drive that you can, in turn, store in a safe or safe deposit box. Delete the original file from your computer and empty the trash. Keep this file up to date by periodically executing this operation. I carry the encrypted file with me on a thumb drive that is securely attached to my key ring, and I keep a backup of that file elsewhere.
Restore a Backup from EEprom
If you decide that you want to restore the EEprom backup (or, in other words, have the contents of the secondary, backup EEprom overwrite the contents of the primary EEprom), then navigate to Restore Backup on the PasswordPump. Short click and confirm the operation by selecting Y with the rotary encoder and short clicking. The RGB led will turn yellow until the operation is complete, then it changes back to green.
Performing a Factory Reset
You want to wipe out all of the encrypted credentials on the primary EEprom and factory reset the device. On the PasswordPump navigate all the way down to Reset using the rotary encoder. Short click. Confirm that you want to factory reset the device and clear all of the credentials and the master password by selecting Y with the rotary encoder and short clicking. The RGB will flash blue and red slow and then fast while the device is factory resetting, then change to blue. At this point you can enter a new master password. Note that a Factory Reset doesn't wipe out the credentials stored on the backup EEprom. If you use the same master password you'll be able to restore the backup and see the credentials. If you want to wipe out the backup EEprom as well, select Backup EEprom after you've entered your new master password, or swap the position of the primary and backup EEprom chips and perform another factory reset.
RGB Colors and Meanings
Green - Logged in
Blue - Not logged in
Red - Failed login attempt / error backing up or initializing EEprom
Purple - Sending creds
Yellow - Backing up to EEprom
Fast Flash Red / Blue - Initializing external EEprom
Slow flash Red / Blue - Initializing internal EEprom
Hardware Connections
Visit https://www.5volts.org/home/passwordpump to view the detailed hardware connections. I initially placed them here but the spacing wasn't preserved.
Libraries
The following libraries need to be installed in your Arduino IDE if you're going to compile the source code:
- https://rweather.github.io/arduinolibs/index.html - AES and SHA library, MIT License.
- https://github.com/LennartHennigs/Button2 - Used for the button on the rotary encoder, Copyright (c) 2017 LennartHennigs, MIT License.
- https://github.com/brianlow/Rotary - Used for the rotary encoder, GNU GPL Version 3.
- https://github.com/arduino-libraries/Keyboard - Used to send characters to the keyboard as if typed by the user, GNU Lesser General Public License.
- https://www.arduino.cc/en/Reference/EEPROM - Used for internal EEprom
- https://github.com/greiman/SSD1306Ascii - for SSD1306 display device, Bill Greiman <fat16lib@sbcglobal.net>.
Source Code
The source code is found here. It's heavily documented in-line, so I'm not going to go through it line by line here.
I'm certain that there are defects remaining in the program (in fact, all of the defects that I'm aware of are listed in the comments section at the top of the program, along with a list of the defects that I've addressed). Therefore use the product at your own risk. IMPORTANT: I recommend keeping your secondary EEprom up to date by backing up changes made to the primary EEprom when you add, remove or edit credentials. Then use a third EEprom so that you have two backups of your credentials. On top of that, periodically dump the credentials out to a file that you store in an encrypted file on a thumb drive, and secure the thumb drive in a safe or a safe deposit box. Finally, keep your accounts up to date so that if you need to reset a forgotten password you can do so. This product has not been professionally tested for quality purposes and it's possible that you'll lose your credentials. You have been provided with the source code so that you may correct any defects you find. That said, I've been using the device without incident for a couple of months now, and I am storing all of my credentials on it, with many of them using the generated password feature, so if I lose the device and my backups I'll need to reset my accounts, because there is absolutely no way for me to know what the passwords are at this point. I am also maintaining backups as per my recommendations above.
IMPORTANT DISCLOSURE: Using a supplied encryption library I've endeavored to encrypt all of the credentials that get stored on the external 25LC256 EEprom with AES128 (and hashed the master password, which is stored on internal EEprom with SHA256). I have salted the hashed master password and each set of credentials. This project is the first time I've ever used encryption, and there's been no formal code review, so I could have done it wrong, and the standard disclaimer (buyer beware) applies in this case. I have examined the content of the external EEprom chips (after storing many sets of credentials) using a PC and a CH340 24/25 series EEprom flash BIOS USB programmer and all of the usernames, account names and passwords appear encrypted. However, I am painfully aware that encryption is something that is very easy to do incorrectly, therefore proceed with caution. If you are skilled in this area I would appreciate a code review and some constructive feedback (please contact me directly).
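The check described in the disclosure above (reading the 25LC256 with an external programmer and confirming that nothing is readable) can be made repeatable. The following Python script is an added example, not part of the PasswordPump source. It assumes you first stored known canary credentials on the device and saved the raw 32 KiB chip image to a file. The canary strings, the erased-block convention (all 0x00 or 0xFF) and the sample image are constructed for illustration, and no on-chip record layout is assumed.

```python
"""Audit a raw 25LC256 image for plaintext leaks and repeated cipher blocks.

Added example, not PasswordPump code. No on-chip record layout is assumed.
"""
import hashlib
import math
import re
from collections import Counter

CHIP_SIZE = 32 * 1024   # 25LC256: 256 kbit = 32 KiB
AES_BLOCK = 16          # AES block size in bytes
# Assumption: unused EEPROM reads back as all 0xFF or all 0x00.
ERASED = (b"\xff" * AES_BLOCK, b"\x00" * AES_BLOCK)


def find_canaries(dump, canaries):
    """Return {canary: [offsets]} for each known test string stored verbatim."""
    hits = {}
    for text in canaries:
        needle = re.escape(text.encode("ascii"))
        offsets = [m.start() for m in re.finditer(needle, dump)]
        if offsets:
            hits[text] = offsets
    return hits


def used_blocks(dump):
    """Aligned 16-byte blocks of the image, with erased blocks dropped."""
    blocks = (dump[i:i + AES_BLOCK] for i in range(0, len(dump), AES_BLOCK))
    return [b for b in blocks if len(b) == AES_BLOCK and b not in ERASED]


def repeated_blocks(dump):
    """Identical ciphertext blocks: equal plaintext encrypted with no per-record
    salt/IV shows up as {block_hex: count} entries here."""
    counts = Counter(used_blocks(dump))
    return {blk.hex(): n for blk, n in counts.items() if n > 1}


def entropy_bits_per_byte(data):
    """Shannon entropy; well-encrypted data sits close to 8.0 bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def audit(dump, canaries):
    """Run all checks. Unencrypted bookkeeping bytes, if the layout has any,
    lower the entropy figure; the canary and repeat checks are the decisive ones."""
    return {
        "size_ok": len(dump) == CHIP_SIZE,
        "canary_hits": find_canaries(dump, canaries),
        "repeated_blocks": repeated_blocks(dump),
        "entropy": round(entropy_bits_per_byte(b"".join(used_blocks(dump))), 3),
    }


CANARIES = ["CANARY-ACCT-0001", "CANARY-PASS-7731"]   # constructed test values


def constructed_dump(leaky):
    """Sample 32 KiB image built for this example (not a real device dump)."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    image = bytearray(stream + b"\xff" * (CHIP_SIZE - len(stream)))
    if leaky:
        image[0x40:0x50] = CANARIES[1].encode("ascii")   # plaintext record
        image[0x100:0x110] = image[0x200:0x210]          # duplicated block
    return bytes(image)


if __name__ == "__main__":
    # Real use: audit(open("chip.bin", "rb").read(), CANARIES)
    for label, leaky in (("clean", False), ("leaky", True)):
        print(label, audit(constructed_dump(leaky), CANARIES))
```

For the repeated-block check to mean anything, give two test accounts the same password before dumping the chip; with a per-record salt the two stored records should share no 16-byte block.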
The sketch presently uses 97% of program storage area and 66% of dynamic memory. This makes it extremely difficult to add new features to the product without exchanging them for existing features. There are several new features that I'd like to add but I can't because of the memory restriction. For example, after 1 hour of total inactivity the device times out and you're logged out of it. I would like to make that time period configurable (e.g. you could set it to 2 hours if you like), but I simply don't have the room to add that feature. I think one hour is probably a good compromise, and while at work with the device at my side I periodically turn the rotary encoder a click or two in any direction to push the automatic logout up an hour.
Flashing the Program
I'm using an external programmer to burn the program onto the device; i.e., from the Arduino IDE I'm selecting Sketch-->Upload Using Programmer to send the program to the ATmega32u4/Arduino Pro Micro. I'm doing this in part because it overwrites the boot loader, and I want to overwrite the boot loader because by doing so I have more space on the device for the program. I don't think the program will fit onto the Pro Micro if the boot loader is present, but I haven't tested this. I also don't think the device will work correctly with the boot loader present for other reasons. Therefore, I use the Pololu USB AVR Programmer for this. I still have to power the device via the USB cable while programming with the external programmer. If you build the device by sourcing the parts on your own or if you build with the kit, be sure to refrain from snipping the header pins after you have soldered the Arduino Pro Micro to the PCB board if you want to be able to load new firmware. If you snip the header pins flush with the PCB board there won't be a way to re-program the device; you need to connect VDD, GND, RST, MOSI, MISO, and SCK to the Arduino Pro Micro from your external programmer to flash the program. Instructions for doing this are found here. Rest assured that my initial setting of the lock bits will not prevent you from re-flashing the program. If you want to reset the lock bits after re-flashing the program you can do so. For me the easiest way to do that was to use Atmel Studio and my USB AVRISP XPII. But you don't really need to set the lock bits because the source code is now available to everyone, anyhow. The only advantage to setting the lock bits is to more securely store the hashed master password. The master password, stored in internal EEprom, is hashed with SHA-256.
License
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
This program and device are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Known Defects (and there are unknown defects, too!)
- When \e is embedded in an account name (or username or pw), it is interpreted as the ESC character, and the input arrives empty, e.g. INSIGHTORADB\entmetrics. Only an issue when input via keyboard, not encoder.
- Sometimes deleting an account corrupts the doubly linked list that manages the order in which the credentials are displayed. When this happens the user needs to restore from EEprom to get missing credentials back.
- DisplayLine2 needs to be blanked out after returning from Find or Add acct.
- When entering an account name 29 chars long via keyboard, nothing gets entered.
- Automatic initialization after 10 failed logon attempts is prompting the user to confirm the action.
- In the switch statement for EVENT_SINGLE_CLICK the case statements are not in order. When they are in order it doesn't evaluate correctly.
- The female micro USB connection is extremely fragile.
Future
I'm currently constrained by the amount of flash memory available to me in the ATmega32u4, 32k. All of the space is consumed by the program. If I had more room I could add additional features. In particular, I'm interested in writing a GUI that would run on the computer and interface cleanly with the PasswordPump. Using an Arduino serial terminal to add credentials is awkward at best, but I think more memory would be required to rectify the situation. I'd also like to have more EEprom room so that 64 bytes could be used for usernames, passwords and account names. Additionally I think it would be better to use AES-256 for encryption. A device that might meet all of these requirements is the Adafruit ItsyBitsy M4 Express with ATSAMD51; here are some of the advertised features from the web site:
- Cortex M4 processor running at 120 MHz
- 512KB Flash (16 times bigger than the ATmega32u4)
- 1.4" long by 0.7" wide (smaller than the Pro Micro)
- 2MB of SPI Flash (compared with 64k from the two 25LC256 chips)
- Native hardware I2C and Serial (to interface with the SSD1306 display)
- Built in crypto engine with AES, 256 bit (to replace the encryption library)
- Native USB supported by every OS (to send credentials like a keyboard)
- Can be used with Arduino IDE
- Built in RGB DotStar LED (to replace the RGB on the PasswordPump)
- Reset button
- Power with USB
On the downside some of the libraries I've used for v1 of the PasswordPump will not work with the ItsyBitsy; the keyboard library in particular will be a problem as well as the library for the SSD1306. The other libraries could be tossed and code would more easily be written to accommodate the associated functionality. The biggest con is the price of the ItsyBitsy, at $14.95 it would triple the cost of producing a PasswordPump.