This is an idea I've had for some time, but I've not yet thought about implementing it. It work something like this.

You plug this device into a USB port, where it registers itself as a USB keyboard. It works in a similar way to a key logger, taking note of the key presses you make. If it sees a certain string, it activates one of its functions.

The first function, the device's primary purpose, it will send a series of backspaces followed by a sequence of characters. The purpose of this is to enable the device to enter your passwords into a password box, web form, etc. For example:

(you type)
<master password> bankingpassword

(device sends)
<number of backspaces required to delete what you typed><whatever your online banking password really is>

and thus, the device retrieves your internet password. By leaving no electronic presence, and hopefully by your choice of a decent master password and a decent non obvious name for the password field, its more secure than those (frankly, stupid and dangerous) password storage features that many browsers and operating systems have.

This is probably not a new idea, but I would like to hear ideas. I could feasibly build one for myself, if I can work out how to build a hardware key logger; there are tutorials online.

I can think of a few obvious downsides to this being a physical device, which may or may not counteract the ability to have much stronger passwords and no need to either remember them manually or have them stored in software. (e.g. if you get robbed, it'll be a goldmine for an ID thief or somebody who wishes to empty your bank account)

This is an idea I've had for some time, but I've not yet thought about implementing it. It work something like this.

You plug this device into a USB port, where it registers itself as a USB keyboard. It works in a similar way to a key logger, taking note of the key presses you make. If it sees a certain string, it activates one of its functions.

The first function, the device's primary purpose, it will send a series of backspaces followed by a sequence of characters. The purpose of this is to enable the device to enter your passwords into a password box, web form, etc. For example:

(you type)
<master password> bankingpassword

(device sends)
<number of backspaces required to delete what you typed><whatever your online banking password really is>

and thus, the device retrieves your internet password. By leaving no electronic presence, and hopefully by your choice of a decent master password and a decent non obvious name for the password field, its more secure than those (frankly, stupid and dangerous) password storage features that many browsers and operating systems have.

This is probably not a new idea, but I would like to hear ideas. I could feasibly build one for myself, if I can work out how to build a hardware key logger; there are tutorials online.

I can think of a few obvious downsides to this being a physical device, which may or may not counteract the ability to have much stronger passwords and no need to either remember them manually or have them stored in software. (e.g. if you get robbed, it'll be a goldmine for an ID thief or somebody who wishes to empty your bank account)

I did something similar to this before. I wrote key logging software and put it on a flash drive with an auto run ini file. Me and another friend put it in our mutual friend's usb port while he was logging in to WoW. This was for an April fool prank. Striped his night elf hunter down to nothing and put him in to the center of Orgrimmar.

I don't know exactly how "all web browsers and all operating systems (or all third party tools)" implement their stupid password storage, but a reasonably stupid encryption with a reasonably stupid initialization vector is about an octillion times better than any master password that you could possibly think of and remember, or type in reasonable time. Which means the master password is the weak link, not the fact that information is stored on the hard drive.

The same will apply to your hardware implementation, with the added bonus that any lamer can carry it away with ease if you accidentially forget it. It is somewhat suspicious leaving an office with a computer tower under your arm. Opening a case attracts curious eyes. On the other hand, pulling an USB stick is a quick sleigh of hand, and nobody would notice or object to the presence of an USB key in your pocket (one could probably even swallow an USB key without harm effects...).

Add to that the fact that the password still goes through the operating system's message system with any hooks and keyloggers that may be present, so if one assumes that the machine can't be trusted, anything is futile beyond that point anyway. And then there's that curious thing called internet in between which transmits the information over some cables and strage boxes with blinking lights that you don't own and don't control. Sure enough there is SSL and your bank will hopefully use an encrypted login and properly authenticate, but then again ask someone at Debian about how secure a proper SSL implementation can be or ask someone at Citybank about proper user authentication.

In one word: Wrong end to optimize.

There are two types of users that should be kept in mind here. First, there's your typical end user that happily downloads malware and storing their passwords in their browsers. They won't want to complicate the process any further by using your product. Then, there's the professional user (not just paid but also knows what they're doing) that tends to be more careful since their mortgages are riding on their security. These are the people that handle their passwords the only correct way: memorize.

There is a demographic in between that may see this and think it's secure (or they watched too many 007 movies as kids and just think it's cool that their top-secret information is in transport... in their pocket... on their key chain next to the scanny thingy from the grocery store). If you're okay with taking advantage of the naivete of others, then have at it (there's much money to be made here =b). Otherwise, I don't see how keeping passwords on a key fob capable of transmitting the passwords unencrypted (as keystrokes) is better than keeping them encrypted on the harddrive.

Otherwise, I don't see how keeping passwords on a key fob capable of transmitting the passwords unencrypted (as keystrokes) is better than keeping them encrypted on the harddrive.

How about when you're not at YOUR computer?

Password transmission, as keystrokes, is no less secure than password transmission, as keystrokes... as in, typing your password in on a keyboard.

Nothing says the data can't be encrypted on the device itself. Such a tool means you get to remember one password for all your accounts, assuming you have the device, while someone else trying to log into your accounts still requires unique and complex passwords for each account. It is a fair bit better than writing everything down on a post-it note.

Such a tool means you get to remember one password for all your accounts, assuming you have the device, while someone else trying to log into your accounts still requires unique and complex passwords for each account. It is a fair bit better than writing everything down on a post-it note.

How many passwords do you have, that you need to write them down on post-it notes? I actually find it harder to remember which password is current for a given site, than it is to remember the passwords themselves...

And for the old-timers (among which demographic the post-it note solution seems to be most prevalent), most of them are going to lose the damn key-chain sooner or later.

I never save passwords and I certainly wouldn't write them down. Every site and server I have access to has a different strong password and I use a system that makes them all easy to remember. These are periodically changed as well. I take no chances with security. Most of the work I do is remote from home so I won't even allow anyone else besides myself to use my desktop. Working from an employer's office, there's just no way in hell I'd use anything not specified in their security policy.

Now, if you're involved in a ton of online forums and you don't want to use the same password for each AND you want to be able to access them from anywhere, I could see it being of some use to some people. Personally, I'd prefer my own system of memorization but, as you can see, I'm pretty strict. I would put something in the warranty about storing bank passwords. ;-)

I think it would be useful if you have a lot of passwords, travel a lot, and don't lose things easily.

I use KeePass, and keep my encrypted password file on DropBox. My master password is strong, and KeePass is available on my Android phone, iPad, and any reasonable PC. If I wanted it on my keychain, I'd just install KeePass portable on my USB stick; problem solved. That said, some people may need the hand-holding your approach gives, and be willing to pay. As far as security goes, it's just a matter of how strong the master password is.

Meh. I work in IT security, and I save all my passwords on both my desktop, laptop and work machines, and have SSH keys setup to allow auto-logins to all the servers from any of the 3. In addition, I write down all complex server passwords into a text file stored on a central server.

Strong passwords are pretty much a red herring when it comes to security. If you are compromised, it's rarely because someone guessed your password - much more likely they key logged you or guessed your password reset question...