Snopf Is a DIY USB Password Token
Build your own USB device to generate and remember strong passwords.
If you aren’t yet taking your security seriously, then you should really start. Even if you don’t use your computer for anything “important,” you’re probably still doing things like online shopping. If you use a single password for multiple services or websites, then an attacker only needs to compromise one of those services to be able to access all of them. The best solution is to use strong, unique passwords for each site and multi-factor authentication. Snopf is a USB password token that you can make yourself to handle the former.
There are many software password managers available, including the one built into macOS, that can generate and remember strong passwords for every site and service you use. The problem is that if your computer is compromised by a remote attacker, they will gain access to all of those passwords. Snopf eliminates that possibility by remaining physically separate from your computer. All of your passwords are contained on the USB token and are only provided to the computer when requested. When that happens, such as when you try to log into your bank account, Snopf will imitate a keyboard and type the password in, completely avoiding the clipboard and without storing any password on the computer.
Snopf is built on a custom PCB with a Microchip ATtiny85-20SU microcontroller, which contains a 128-bit secret that is used to generate passwords using the SHA256 hashing algorithm. The generated passwords will be the strongest allowed by the service you’re using. They’ll be as long as possible, contain special characters, numbers, and both upper and lower case letters. Software tools running on your computer, including a command line interface, GUI program, and browser extension, allow you to access the passwords stored on Snopf. If you lose your USB token, you can retrieve your passwords with a 12-word mnemonic that corresponds to the secret key. This isn’t a perfect solution, as it is still vulnerable to physical attacks if someone gets their hands on the key itself, but it is much better than a software password manager.
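A sketch of how a token can turn one 128-bit secret into per-site passwords with SHA-256, added here as an illustration and not taken from Snopf's firmware or host tools. The HMAC construction, the request encoding, the character classes and the name `derive_password` are assumptions of this example.

```python
import hashlib
import hmac
import string

# Character classes a site may require (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&*+-=?@_",
}
ALL = ("lower", "upper", "digit", "special")


def _keystream(secret: bytes, request: bytes):
    """Endless byte stream: HMAC-SHA256(secret, counter || request) blocks."""
    counter = 0
    while True:
        msg = counter.to_bytes(4, "big") + request
        yield from hmac.new(secret, msg, hashlib.sha256).digest()
        counter += 1


def derive_password(secret, service, account, length=20, classes=ALL):
    """Derive the same password every time for the same inputs (hypothetical scheme)."""
    if len(secret) != 16:
        raise ValueError("expected a 128-bit (16-byte) secret")
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # Bind the password to the site, the account and the site's password rules.
    request = "\x00".join([service, account, str(length), *classes]).encode()
    # Reject bytes above the largest multiple of len(alphabet): no modulo bias.
    limit = 256 - (256 % len(alphabet))
    chars = []
    for byte in _keystream(secret, request):
        if byte >= limit:
            continue
        chars.append(alphabet[byte % len(alphabet)])
        if len(chars) == length:
            if all(any(ch in CLASSES[c] for ch in chars) for c in classes):
                return "".join(chars)
            chars.clear()  # a required class is missing: keep reading the stream


if __name__ == "__main__":
    demo_secret = bytes(range(16))  # constructed 128-bit secret, never use for real
    print(derive_password(demo_secret, "example.com", "alice"))
```

Because the output depends only on the secret and the request, a replacement token loaded with the same secret reproduces every password, which is what makes recovery from the mnemonic possible.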