Replying to Dr. Hax

I'm about to put #Signet devices on #sale. Actually no, not sale, I'm just going to lower the price on my store, where people pay in #bitcoin. #Fiat prices will remain the same.

https://hax0rbana.org/signet to buy, but might as well wait until tomorrow when the price drops.

#security #infosec #cyber #cybersec #cybersecurity #OpenSource #hardware #privacy

For people who have NOT joined the #Signet project, nor bought a device. I want to hear from you.

Too expensive ($45)?

Don't feel it's more secure than pure software?

Don't feel you can trust it?

Don't use a password database?

Not enough time to help (provide feedback, report bugs, contribute code, etc.)?

What's holding you back and how can we fix it?

nostr:nevent1qqsghrl3tzvevjv0sm443knqaunr4xzxlv0laqm3yxl9mteqvqddxvqpzpmhxue69uhkummnw3ezumt0d5hsygxnp65cafj7j5ler2un76esafg7kv79qmu86j0kqzsnnthsp254zypsgqqqqqqs03jlt9


Discussion

I haven't heard of this before, but for me it's the fear of losing the physical device that would give me the jeepers.

I keep mine on my keychain and don't lose my keys for very long. It's also backed up on a hard drive in the safe. If it got lost, I could restore it to a new device and be good to go. Thanks for the feedback.

I'm pretty happy with KeePassXC + Yubikey. I love open source stuff but I'm in a small country in SE Asia and shipping is a bitch here.

Yeah, even normal international shipping is pretty painful and expensive. Just shipping from the US to Canada can cost almost as much as the device.

I'd be happy to have someone in various regions to help with the shipping. It'd be great to ship a batch to Europe and only have to deal with customs, VAT and all that bureaucracy once.

KeepassXC really is great. KeepassDX too.

What's the lifespan of the key?

It's hard to say since I've never seen one go bad. I've had mine since 2019 and use it every day. The button is rated for 1,000,000 cycles. I tried to find something about the STM32 lifecycle from the data sheet, but couldn't find anything.

So all I can say for sure is at least 5 years.

Onlykey is more useful on devices where you don't have software install control.

I see the OnlyKey has software that runs on the computer, is that optional? How would you choose which password you want to have it type in without any software?

It is required to set the device up, but not to use it. They have 6 buttons and unlock by typing in a pin on the device. The password pairs get selected by short or long press on each button for a total of 12 possible user/pass pairs on device. It acts like a keyboard to most applications.

You need the application to configure your passwords initially or change them. Once they are configured, you can use it with only the key. That way you can use it for OS login and use it on devices you can't install software on by setting up the account information on a different computer first.

What is it? Like a signing device? I've also been looking at Moolti-pass for passwords...

It's just a password manager (although, with some firmware and client tweaks, it could be a signing device), and only $45.

I've never heard of moolti-pass before but it looks legit! The whole knocking on wood thing is weird, but they seem legit about being open source, as opposed to being like most companies that claim to be open source because one component is open source. I saw mooltipass has published kicad files.

"Just a password manager"... LOL. Password ENHANCER! Sounds fancier... I've been trying to emulate something like this with a 2D barcode scanner and physically pre-printed QR codes... In my mind I see little icons/emojis in the corner/center of each QR code and it's a book format, so only I can know the correct sequence of QR codes to "generate" the super secret squirrel mega-password...

I do remember the knock thing... Yeah, weird like politics. The card thingy for multiple users to share the same EXPENSIVE device was a nod to the shareability of tech. I agree with your simplicity approach.

Since you're a security researcher, do you have an opinion on Foundation Devices' Passport bitcoin airgapped signer? I'm excited about bitcoin but want to start with a good tech foundation, so the name seems baity or good marketing... I don't know how to verify anything...

I've only seen it in passing, not looked at the hardware or software or tried to verify any of their claims. But here are my quick thoughts:

- Good design to not have any wireless hardware

- Open source hardware allows people to verify that fact

- CPU is actually the same make as is used in the Signet, but theirs looks much more complex model (based on the picture)

- Form factor is pretty cool, but if customs asks you to turn on your "phone" to prove it works, things might get awkward

The first thing I'd want to know is what secrets are stored on the device, if any. Since it has a secure element, I'm guessing the secret is on the device. The next question is about the ability to make a backup, and how is the secret protected?

I prefer simplicity in design to banking on a secure element that I can't fully audit.

I've poked around in the codebase for SeedSigner and I can say that it's legit. It doesn't store your secrets at all. You enter it each time you boot. Requires you securely store your seed phrase, but that's not a problem for me. 😎

Thank you!

Looks interesting. This is the first I've heard of the project. I would definitely need USB-C to make much use of one. Also, given that it can produce a backup file and I would need to store that securely, I'm not sure I see value over and above something like Vaultwarden/Bitwarden. But it is definitely something to think about.

Thanks for the feedback. I'm working on a model with USB-C now. 😀

One advantage over bitwarden is that the backup file can be stored offline and the device provides physical control of the passwords. Nothing has to be on an always online server.

I might add a comparison between bitwarden and Signet. I do like BitWarden and look forward to setting up a self-hosted version for an organization that I'm part of. That'll give me a deeper understanding of their internals so I can better compare and contrast.

That's a good point. I look forward to seeing the comparison.

First time I hear of it. How does it differ from a Yubikey? Can it be used to sign nostr notes?

A yubikey can only store one password, so you can't use it to log into accounts that take passwords, enter passwords to decrypt files and so forth. It does second factor auth, FIDO2 auth and things of that nature.

#Signet does store passwords (and other secrets like seed phrases, answers to security questions, and so forth).

The current firmware doesn't have the ability to sign nostr notes, but that could be added. Plus, it's open source so you don't need my permission to patch that feature in. 🙂

#Signet is an open source project, so we don't have a well funded marketing department. We have me, posting notes on nostr, trying to spread the good word that there are non-corporate, non-centralized, hardware based solutions to password management. ✊

Wow that sounds amazing! So it's like the hardware version of KeePass?

I see a KeePass mirror on your gitlab. Does it already synchronize the passwords stored in the hardware with KeePass?

https://gitlab.hax0rbana.org/signet

Yeah, you can import keepass files, and this is how I keep things synced personally. I haven't worked on exporting to Keepass format, so I only make changes in Keepass and then periodically re-import.

I will look, t-y!

Yup, exactly.

I want to buy one! I live in a semi. How can I get one shipped to me?

How do you get anything you buy online shipped to you? Do you have a PO box or UPS box or something that you drive by from time to time? I'll ship it anywhere in the USA. Can be a friend or relative's home, their employer, or whatever. Doesn't matter to me.

OK, I've got to time it right... If I miss the timing, it sits too long and they return it. I'm thinking about it now...

Not a problem. Take your time

Trust. Also, can I sign nostr events with this signet thing? Like a hardware replacement for amber...

The hardware schematics are public, as is the firmware and the client. The electronics are very simple (only one IC). So we're doing our best to earn people's trust, not just expecting it like closed source hardware.

It doesn't do signing. It could with some additional firmware code, but I'm reluctant to put a bunch of extras in there because it'll increase attack surface and make it harder to audit.

Having an alternate firmware that runs on the same hardware would be cool though. No reason it couldn't handle it.

I'm an offline curmudgeon... I like anything that takes me overseas, off-grid, off-cloud or offline... If we could combine all of them...

Stupid auto correct, I said off-radar, off-grid, off-cloud or offline... 🙄