pi2pwd

USING THE PI ZERO AS A PASSWORD MANAGER

If you want a proper password manager, see this project. If you want something that does the job and is quite possibly the simplest Pi Zero project ever, keep reading!

ASSISTIVE TECHNOLOGY

I decided it was time for me to implement password best practices and use different strong passwords for all sites I log into. Since the old brain has deteriorated recently, I needed some kind of password management. An online solution didn't seem very secure. I use several different computers, so installing software wasn't an option. A flash drive with the passwords on it would probably work, but I don't like putting passwords in the paste buffer. Yes, I'm that paranoid. So, I needed to build a password manager: something that would emulate a keyboard and type out stored passwords on command. I decided to use the Pi Zero for this since I had already done something similar.

KEEPING IT SIMPLE

I always try to make my projects as simple as possible: partly to lower cost, but mostly because I hate wiring stuff up. I get super paranoid that I've wired something wrong and the magic smoke is going to escape. And it gets worse as more wires are involved. Simplifying this one, though, stumped me. The breakthrough came when I decided navigation between entry fields would be done manually (with the mouse) to handle the differences in login forms. This let me break the remainder of the problem into simple steps that applied to all the systems I wanted to log into:

• Go to a system's login page and set the cursor at the username field (using the mouse).

• Tell the manager which system you want to log into.

• Tell the password manager to type out the username.

• Set the cursor at the password field using the mouse. This may not be on the same screen/page.

• Tell the password manager to type out the password.

• Click on log in (or similar) with the mouse to finish the login process.

Since the manager would have several passwords, I would need some method to select one. This meant some kind of output (to display which system the password was for), and some kind of input. The amount of buttons necessary for input could be minimized by displaying each system name in turn with a pause between each. Then I'd only need one button to select, and this same button could to tell the manager to type the username and then the password. So I'd need a one line display and one button.

After thinking some more I realized the system cursor is already on a username field, where everything you type is displayed. It's exactly like a one line display! Send keystrokes to type things, backspaces to erase. This could be the display for system names: display one for a second or two, backspace it out, display the next one, etc. A seperate display wasn't needed at all. Yay! So now I needed no display and one button.

Then I remembered something you may not know: the keyboard lock lights aren't controlled by the keyboard keys directly. If you push/release a lock key, the keyboard sends the corresponging lock key down/up code, but doesn't change the corresponging lock light. It's up to the attached system to send a command to the keyboard to turn the proper light on or off . (This is also why the lights can become mixed up: a light command was missed by the keyboard.) Furthermore, if multiple keyboards are attached and you press a lock key, the lock lights are updated on ALL keyboards (at least for Linux and Windows). And the Linux HID gadget can receive these events. This meant there was actually a way to communicate with the manager using the lock keys on the system keyboard. I didn't need any display or button: just the Pi Zero, about as simple as you can get!

I decided on the following convention: Use the scroll lock light as an activation key since it isnt't used by MS Windows or the Linux windowing system. This would prevent accidental activation of the manager. It would cycle through system identifiers as long as all three lock lights were on. It would type a username when the caps lock light went off, and a password when the num lock light went off. Any time the scroll lock light goes off, the manager will stop and wait for all three lock lights to go on to begin the process anew. There was one problem: the Pi doesn't handle scroll lock. But with a little searching I found a way to make it work using Xmodmap.

THE UNIX WAY

"Simple programs, each doing one thing well, combined together to make a larger program." 

I decided to follow that philosophy with this project: a shell script handles the program logic, with two simple C programs handling communication with the HID Gadget device.

BANISHING SD CARD CORRUPTION

I decided to use my mini-init technique to limit SD card corruption. I found that with a little work the mini-init shell script could do double duty as the password manager shell script. I also added code to detect an attached keyboard and run the regular init process. That way I could use it as either a plain Pi Zero or a password manager. I could have a Pi with me at all times!

DISADVANTAGES

If someone has the manager, they have all the passwords, the same as a list of passwords on paper. So don't lose it!

BUILDING IT

Copy the latest Raspbian image (lite is OK) to an SD card.

NOTE: You can do the next several steps on another Pi. Just boot from the new SD card in the other Pi, do the steps, shutdown, then move the card to the Zero. That way you won't need the special keyboard and HDMI adapters.

• Boot it up, log in and set the date: sudo date -s 2016/8/30

• OPTIONAL: Configure Raspbian: sudo raspi-config

• Back up the boot partition: sudo cp /r /boot /backup

• Download the archive from Github: sudo wget https://github.com/mincepi/pi2pwd/archive/master.tar.gz

• Extract the archive, ignoring errors: sudo tar --strip-components=1 -C / -xzf master.tar.gz

• Edit the /etc/data file and put in your passwords. The provided file has entries for two systems, you can have as many as you like.

• Do a proper shutdown: sudo poweroff

BUILDING STRONG PASSWORDS

Did you know the Pi has a hardware random number generator? The following command uses it to generate random characters. I suggest you pick a twelve character or longer portion that contains at least one number for your password: sudo dd if=/dev/hwrng bs=512 count=1 | tr -c -d [:graph:]

USING IT

• Plug a micro USB to regular USB adapter cable into the Zero's USB connector, the one closest to the HDMI connector. The cable needs to have the data lines connected to work - I've found some short cables that come with chargers or battery packs don't.

• Plug the other end into a USB port on your computer.

• Wait 20 seconds for it to become ready.

• If your computer is a Pi or other Linux system that doesn't support the scroll lock light, run the following command : xmodmap -e 'add mod3 = Scroll_Lock'

• Go to a login page and set the cursor at the username field.

• Turn on the scroll lock light, the caps lock light, then the num lock light. System indentifiers will appear in the username field one by one.

• When the proper one is displayed press the caps lock key once. The username will be filled in.

• Set the cursor at the password field (it may be on another page).

• Press the num lock key once and the password will be filled in.

• Click the log in button (or similar) to log in.

• Turn the scroll lock light off to disable further output by the password manager.

This site has been tested to display correctly using Gnome Web on the Raspberry Pi.