
The Mooltipass, offline password keeper - type0
https://www.themooltipass.com/
======
atrophying
Maybe it's just me, but I see the biggest problem in implementing a 2FA policy
is the friction of the process. Using a password manager isn't as easy as
remembering a single password. Using an offline manager isn't as easy as an
online one. This, though ... this is the most over-engineered, least
user-centered thing I've seen in a long time. I couldn't even begin to tell you the
amount of task friction and sheer frustration that thing would be for someone
like me who logs into and out of properties all day. All for the low price of
$130, as if I don't get enough PITA for free.

~~~
degenerate
The only reason I remember to bring my cell phone anywhere is because it stays
in my pocket. This password thing looks about the size of an 80s cassette
player. So all of what you said, plus the idea that you have to lug this thing
around... I can't see anyone using this. Ever. If anyone does, please comment.

~~~
nistur
As requested, I'm commenting.

I'm a long time user of the Mooltipass, I backed the crowdfunding campaign and
have now got two devices of my own, plus one of the prototype mini devices.
I'm not officially affiliated with Mooltipass, but I am a strong advocate for
the device, and have got a few other people interested enough to acquire
devices themselves.

Let me do a quick run-down of my thoughts on it. Firstly, not everyone has the
need for a hardware password manager. It solves issues which not everyone has.
I picked mine up originally because it solved issues which I specifically had
(mentioned later) but, as with anything, it's not one size fits all. It's an
extra thing to carry around, an extra step you have to take, if that doesn't
fit in with your workflow, if it's too big of a compromise, that's your choice
to make. However, one of the reasons this is great is that it gives you the
choice to do so if you want.

Next, the size, as limpkin has already mentioned, there is a mini version in
the works, which I have been testing for a while now. My personal feelings are
that I like the standard mooltipass as a desktop device, the form factor is
nice for something that sits on my desk, but I will definitely keep my mini
for portability. My intention is to have my work credentials on one standard
device, my home ones on the other one, and then both on the mini, which I will
keep in my pocket with me at all times. The size for the mini is maybe the
size of two packs of chewing gum, side by side.

Ok, interface and usability. First of all, the standard device has a touch
zone which can be a bit temperamental. I believe the choice was made as it
would reduce the amount of moving parts. The mini however is using a
scrollwheel on the side which is much easier to navigate the menus, and
through testing now, has proven to be strong enough to survive in pockets, at
the bottom of bags, and generally abused. Currently the only officially
supported software for the device is a chrome extension (there are more in the
works) and this picks up passwords you manually type into chrome, and offers
to store it on the device. You can also manually add credentials using a
chrome app (or python one if you so desire). When you visit a website with a
known login, the device will flash and ask for permission to send the
credentials. So that's a single tap on the device to accept the sending of
credentials. That's not all the interaction that's needed, you put a smartcard
in to unlock the device (it contains an AES key to decrypt the password
database) and enter a 4-digit PIN, but once it's unlocked, it can sit on your
desk. If you're not using the chrome extension, you can still use the device
as it will also emulate a keyboard and can type the username and password in.

Why did I decide I need one, let alone more? I used to use KeePass, but there
was a distinct possibility that my work network may get compromised at some
point. I don't think it happened at any point, but if it did, it would be
relatively trivial to set up a keylogger and get the master password, as well
as get the database. I realise it's possible to have a key on a USB drive, but
the fact remains that the lock and the key would have to sit on what could
potentially be a compromised computer at some point together. With the
mooltipass, at worst the passwords I was using could be compromised, but not
the entire database, which might contain bank logins, or other things. I will
say again, this is not necessarily a concern for everybody. Most people are
not going to get targeted, but I felt there was a significant enough risk that
I didn't mind spending a bit of money to help.

I am sure there are more things I could write here, but the post is getting
long enough. Feel free to ask more questions about the usage and I'll attempt
to answer them.

EDIT: Oh, yes, and I can use it on all computers through the keyboard
emulation without having to have access to my keepass db, or set up lastpass
etc.

------
limpkin
Creator of the device here. I'll address the few points that were raised in
the comments section:

- Our device is used by thousands of users of all ages... even by elderly
people

- We're about to launch a smaller and simpler version (no tactile interface,
just a clickable scroll wheel), which will be sold at less than $50.
Mooltipass Mini Prototypes have already been used for 2 months, with a better
acceptance factor than the standard version

- We made a password keeping solution seeing that still very few services
implement the different mechanisms created by the FIDO alliance (U2F &
others). Unfortunately passwords are here to stay for several years at least.

------
norea-armozel
I think pairing an app on your smart phone would be an easier solution. It's
not offline as the device presented, but it would be easier for the average
user to get into and to have them start generating different passwords for
each service they use online. Plus, I think it would be easier to integrate
2FA this way as well if we're assuming the average service either uses SMS or
Google's Authenticator for their process. And another plus is if the phone
has a fingerprint scanner, it'll make it way easier to unlock the password
manager to fill in the logins.

------
wnscooke
I like the reference to The 5th Element there.

https://www.youtube.com/watch?v=9jWGbvemTag

------
gravypod
I wish I could afford one. An offline password manager seems like it would be
really easy to use.

