Huh, I was thinking someone could buy up a ton of cheap USB sticks, load this on there, have it autorun, and then have the payload sent to a server over HTTPS in AWS (who is going to block HTTPS traffic to AWS? everyone runs out of there) that would catch it and notify the attacker via webhook.
USBdriveby emulates a keyboard that types commands at inhuman speeds, and since keyboards are plug and play... you can probably guess what happens next ;)
This is pretty nifty. Obviously there are a lot of malicious uses for this, but as someone who supports a lot of seniors with a near inability to remember passwords, this sort of thing has a practical use.
Passwords which can be recovered with a tool by someone other than the user to whom they belong, and passwords which tend to be forgotten by the user to whom they belong, are two different failures of the whole function of passwords.
It's true that the first failure can be used to mitigate some of the visible harm of the second, but any place that features a coincidence of the two failures really should be taken as a particularly strong sign that, in that place, passwords of the type used are entirely the wrong tool for the job.
Sure, dragonwriter, I'm not contesting that. But I live in the "real world", and this is a real world tool that will help me help users who, whether you like it or not, fail at technology.
Passwords generally suck. I prefer a physical (paper) notebook with my passwords (actually diceware[1] passphrases) in obfuscated form. IMO the only way to reduce attack surface (single points of failure) from services such as LastPass or offline Password Managers. One would need to get physical access to my home or bag (then make sense of it).