A friend of mine brought this device to my attention today:


This is the Reczone Password Safe, which has gone through a few revisions, and is sold by a number of online retailers.

The premise is that rather than conveniently (and ostensibly, insecurely) storing your life’s credentials in a software-based password manager like LastPass/KeePass/Dashlane, you put them into an airgapped black box that is protected by a PIN. “Can’t be Hacked!”

The PIN can consist of 4-16 characters, although it is unclear if it is truly a PIN in the sense that it only accepts numerals.

Unfortunately, the one function that is not protected by the PIN is the device reset. With a paperclip, anyone can depress a recessed button and wipe the entire thing.

Because there is no means of connecting the device to anything, you’re done. You have no backup. It’s just over. If someone finds this and grows frustrated with it, or simply doesn’t like you, they’ll just nuke it. Not that you’re likely to get it back anyway.

I guess that’s the real problem with this thing. If you keep your passwords in a little paper notebook, presumably you’re hiding that somewhere. But this device doesn’t improve upon that in any way. You can’t leave it out for the sake of convenience, because someone can walk by and blow the whole thing away with a thumbtack. So you’re back to hiding it.

The glaring difference is that if you lose your little paper notebook, there’s no protection, whereas if you lose your Password Safe, there’s a PIN. You might have lost all 400 passwords on the subway, but they’re not immediately readable.

But I’d venture there is no encryption on this device, so the PIN is only as strong as whatever the firmware does with it. If someone is committed, they’re likely to find a way into it. It’s unlikely that anyone would bother, but I would never rule it out.

I guess the idea makes some kind of improvement upon storing your passwords in a paper-based system, but at the cost of a lot of complication and the tremendous risk of having absolutely zero backup. At least you can photocopy a piece of paper and store the copies in multiple secure locations for redundancy.

You may be freaking out about paper, but paper does make sense for certain applications.

In my tenure with DoD, I instituted a paper-based password escrow system, where we stored certain credentials, handwritten in a template, in a secured safe. Usernames and passwords did not exist electronically, and unless you were getting through layers of physical security, the threats were minimal and managed: basically a co-opted insider, or a third party somehow escaping from escort and walking out with a safe that couldn’t easily be walked out with.

For your personal day-to-day, which does not involve the protection of Naval nuclear propulsion secrets, it’s OK to trust password managers. There are too many benefits: strong generated passwords, encryption at rest, two-factor authentication, and unparalleled convenience and usability compared to transcribing information by hand and relying on your own creativity.

As for these other things like the Password Safe: stick to paper.
