dekuNukem / duckyPad

Do-It-All Mechanical Macropad
MIT License

Protecting sensitive data entry #77

Open jose1711 opened 3 years ago

jose1711 commented 3 years ago

duckyPad is NOT intended to be a security device, so use at your own risk.

Despite the warning, I am pretty sure many users will be tempted to use DP for automating tasks involving typing passwords, passphrases and whatnot. Currently this can only be achieved via a password stored in plain text on the SD card, which is almost on par with a sticky note on a computer screen.

To improve this situation DP could add a new command SECRETSTRING which would be a combination of DP serial number (some, password typed during boot (disabled by default) and actual password. As passwords can (and should) contain different sets of characters it would be quite challenging to guess the correct password. That means that the DP password would not be validated at all and it will be only used in macros using suggested SECRETSTRING command. Password validation will be carried out by the actual server/service which should mitigate brute-force attacks.
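One possible reading of the proposal above, as an added example (not code from the duckyPad project or from the commenter): the SD card holds the password shifted by offsets derived from the serial number and the boot password, with nothing stored that could confirm a guess. The function names, the `label` input, the PBKDF2 parameters and all sample values are assumptions made for this sketch.

```python
import hashlib
import string

# Characters a macro is assumed to type: printable ASCII without space (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
N = len(ALPHABET)

def _offsets(serial, boot_password, label, count):
    """One offset per character, derived from serial, boot password and macro label."""
    # The label keeps two sealed secrets from sharing offsets (assumed extra input).
    salt = f"{serial}:{label}".encode()
    # Iteration count is a desktop-sized placeholder, not tuned for a microcontroller.
    stream = hashlib.pbkdf2_hmac("sha256", boot_password.encode(), salt,
                                 200_000, dklen=4 * count)
    # 32 bits reduced mod 94 keeps the modulo bias negligible.
    return [int.from_bytes(stream[4 * i:4 * i + 4], "big") % N for i in range(count)]

def _shift(text, serial, boot_password, label, sign):
    offs = _offsets(serial, boot_password, label, len(text))
    # ALPHABET.index raises ValueError for characters outside the typeable set.
    return "".join(ALPHABET[(ALPHABET.index(c) + sign * o) % N]
                   for c, o in zip(text, offs))

def seal(password, serial, boot_password, label):
    """Run once on a trusted machine; the result is what goes on the SD card."""
    return _shift(password, serial, boot_password, label, +1)

def unseal(stored, serial, boot_password, label):
    """Run on the device; always returns a typeable string, right or wrong."""
    return _shift(stored, serial, boot_password, label, -1)

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real serial number.
    serial, label, real = "DP-0000-EXAMPLE", "vpn-login", "k7#Tq!m2Zp$w"
    stored = seal(real, serial, "boot-pass", label)
    print("on SD card :", stored)
    print("right boot :", unseal(stored, serial, "boot-pass", label))
    print("wrong boot :", unseal(stored, serial, "boot-pasz", label))
```

A wrong boot password yields a different string of the same length and character set, so only the remote service can tell a correct guess from a wrong one. That holds only when the stored password is itself random: a human-chosen password stands out among the random-looking results of wrong guesses, and the length of the secret is visible on the card either way.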

excenter commented 2 years ago

I'd adore it in the same vein if it had either a fido key or the ability to pass one through.