This campaign is closed

Mooltipass: Open Source Offline Password Keeper

A password keeper for all platforms and devices, that can also be converted to use Arduino shields


Mathieu Stephan
Lausanne, Switzerland
$126,265 USD by 1,192 backers
$119,529 USD by 1,069 backers on Dec 17, 2014


Introducing the Mooltipass


Logins and passwords are critical elements we need to remember to access the different websites and services we use daily. To achieve good security, each of these credential sets should be unique and passwords should be long and complex. But remembering many long complex credentials is hard.

We therefore created the Mooltipass, a physical encrypted password keeper that remembers your credentials so you don't have to. With this device, you can generate and safely store long and complex passwords unique to each website you use. A personal PIN-locked smartcard allows the decryption of your credentials and ensures that only you have access to them. Simply visit a website and the device will ask for your confirmation to enter your credentials when login is required.

As shown in our video, it is extremely simple to use the Mooltipass:

  • Plug the Mooltipass into your computer/tablet/phone. No driver is required.
  • Insert your smartcard, unlock it with your PIN. Without the PIN, the card is useless.
  • Visit a website that needs a login. If using our browser plugin, the Mooltipass asks your permission to send the stored credentials, or asks you to save/generate new ones if you are logging in for the first time.
  • If you are not using the browser plugin or are logging in on something other than a web browser, you can tell the Mooltipass to send the correct login and password. It will type it in for you, just like a keyboard - so it can be used anywhere!  

Campaign Over: Order Your Device!

  
If you missed our crowdfunding campaign and want a Mooltipass unit from our current production run you may follow this link or this link. Our official website is now www.themooltipass.com
  

A Unique World-Wide Collaboration

Over thirty people from all around the globe contributed to bring this project to where it is now, including software and firmware engineers, designers, mechanical engineers, artists, project managers, students and security engineers. 
Our project started a year ago with a call for feedback and contributors. It turned out that people were thrilled by the idea of an open source password keeper and didn't hesitate to commit some (if not all!) of their personal time to join this adventure.
 

How YOU Can Help

We need a high production volume to get low prices for the components we use. By backing this campaign you'll help us realize our goal of bringing the Mooltipass to people who care about their credential security.

We also need funds to hire professional JavaScript developers, as our core team's experience is primarily on the hardware side. We want to provide a slick and simple user interface for the Mooltipass management software and browser plugins. Finally, we'll need to set up a proper website and online store once the campaign is over.

Any contribution is appreciated. Please help spread the word by sharing our campaign with your family and friends.

 

Referral Contest and Stretch Goals!

We'll be giving away two Mooltipass sets, one for the person who refers the most friends to our page, and one for the person whose referrals resulted in the most pledges.

You don't even need to back our campaign to participate! Simply visit our campaign's page while you are logged into your Indiegogo account and click one of the buttons located below our video to share it with your friends and family.


Security Through Transparency

Our team believes that great security can only be achieved through complete transparency. That's why we have been publishing everything that goes into making the Mooltipass on our GitHub repository from the project's start.

Just like Linux-based operating systems, open source allows our product to benefit from many engineers' expertise. This results in better code quality, more trust from our final users and verified security implementation. 

We publish everything we do to provide you with the best security device.

 

A User Friendly Device


 
The Mooltipass is designed to be as simple as possible to use. Dozens of beta testers of all backgrounds and ages have been using it for several months and are providing us with invaluable feedback on how to make the Mooltipass even better.
 

 
What's more, the Mooltipass doesn't just store website credentials! You can use it to keep logins and passwords for computers, services, and more.
 

Compatible with all Platforms and Devices


The Mooltipass emulates a standard USB keyboard, and can therefore type your passwords for you on Windows, Linux, Mac and even most Apple and Android devices (through the USB On-The-Go port). It doesn't need any special drivers to function.

Integration with websites is done via a Google Chrome plugin and we are working to implement plugins for other major browsers. While all password recall functionality is done through the Mooltipass device, credential management is done through a dedicated application.

  

Designed to be Carried in your Pocket


(USB stick shown for size comparison only)

The Mooltipass is smaller than a typical smartphone. That means you can easily carry it with you. Or you can have one for home and one for work and only carry your personal smartcard.

     
    Each Mooltipass is shipped with two smart cards so that you can make a duplicate of your primary card to use as a backup. Similarly, you can securely backup the credentials stored in your Mooltipass on your computer to protect them from loss.
    You may design your own smart card art by opting for the dedicated pledge.
     

    Better security than closed or software-based solutions


    A software-based password keeper uses a passphrase to decrypt your credentials database located inside a device (computer, smartphone, etc.). This means that at a given moment, both your passphrase and your database are stored inside your device's memory, and a malicious program with access to both of those pieces can compromise all your passwords at once! The Mooltipass offers the following advantages over software-based solutions:

    • Better security: Mooltipass reduces the number of attack vectors by typing your passwords for you. 
    • Non-proprietary device: Anyone can develop new tools for Mooltipass.
    • An open-source platform: Being able to read the code allows you to check and enhance the security of our Mooltipass.
    • Trusted platform: Only code that has been tested by us and reviewed by the community is running on the Mooltipass, ensuring that no viruses or malicious programs compromise your stored credentials.
       

    Cases and Arduino Shields Compatibility



    With a simple knife anyone can convert their Mooltipass into an Arduino platform. Projects are limited only by your imagination when combining our on-board peripherals with standard Arduino shields, which can be purchased on the Internet.
     


    ABS case on the left, Aluminium case on the right

    In order to keep costs low, the Mooltipass cases will be made of injected ABS. However, backers preferring the more professional look of anodized aluminum may opt for the dedicated pledge. Please note that the aluminium version lacks cutouts and is therefore not Arduino compatible, but is 2mm thinner than the ABS version.
      

    Technical Specifications


    • 1Mb storage flash (can be extended up to 32Mb)
    • With 1Mb storage flash, can store up to 384 credential sets (ASCII based)
    • Proximity and touch sensing (6 keys)
    • ATMega32U4 main micro-controller
    • Full-speed USB (microUSB connector)
    • Card recognition limit: 37 cards
    • User limit: 15 users
    • 1Kb read protected smartcard
    • 256x64 pixels OLED screen
    • AES-256 bit encryption
       

    Frequently Asked Questions


    Since the project's start we have received many questions about our project:

    • Is your solution better than a piece of paper? A piece of paper contains passwords that can easily be read when you are not paying attention to it. The Mooltipass stores encrypted passwords that can only be "read" when providing your PIN code.  
    • If I only need to remember a PIN code, does it mean the Mooltipass is not safe? Not at all, as the Mooltipass system is exactly like a chip & pin bank card: 3 false tries will permanently block the smart card. Access to the AES-256 encryption key will then be blocked and credential decryption made impossible.
    • Why do I need different passwords for different websites? Websites are compromised on a daily basis. If you are using the same password for different websites, an attacker could use one stolen password on all of them.
    • Why not make the device very tiny? Size is a compromise between transportability and user friendliness. As the Mooltipass is intended for many different users we decided to opt for a normal-sized OLED screen providing a good readability and therefore a better user experience. The device also includes Arduino headers that will allow any Arduino shield to be connected to it. Hence, we made the Mooltipass as small as possible while keeping its great features.
    • Why do you need an OLED screen? An offline password keeper needs to provide a way to prevent impersonation. The user has to check that the website/service for which they approve the credential request is the same as the website/service they are using, as a malicious program could emit forged requests. Moreover, having a display allows the user to operate the Mooltipass without the browser plugin, by using the dedicated touch interface.
    • Why are you using both a smart card and a main Mooltipass device? There are many reasons, the main one being that it is much easier to carry a smart card around than any other object. This smart card is a secure element that contains your credentials' encryption key; it is cheap and may be cloned without compromising the system security.
    • What if I lose my smartcard? Our device is shipped with two smartcards, so you can keep a copy somewhere safe. The Mooltipass allows the user to clone their smartcard as many times as they want, provided that the card PIN is correctly entered.
    • Can a smartcard be used with multiple Mooltipass devices? You have the option to synchronize your credentials between multiple devices. This allows you to have one Mooltipass at work and one at home.
    • What if I lose my Mooltipass device? Your encrypted credentials can be exported to either your computer or the Mooltipass official website. If you lose your device, you may purchase another one and restore your credentials.
    • Are you sure about your encryption implementation? The AES-256 used in the Mooltipass has been compared against standard Nessie test vectors for correctness. Moreover, our security chain has been checked by qualified individuals.
    • Can I use it on Windows/Linux/Mac? Yes, as no drivers are required to use the Mooltipass. It is recognized as a standard USB keyboard that will enter passwords for you.
    • Can I use it on my computer/laptop/phone/tablet...? Most devices (including smart phones and tablet PCs) include a USB host capable port. The Mooltipass will work with all of them.
    • How secure is the Mooltipass? We are using the most secure encryption algorithms and have designed our case to make it tamper evident. Our solution is therefore perfectly suited for individuals wanting to improve their credentials' safety.
    • Are you planning to make a wireless version? The Mooltipass isn't wireless to skip the added costs of a lithium-ion battery and a wireless interface. Customer surveys also let us know that having a USB cable wasn't a problem for most use cases.
    • Where do you source your components? All the integrated circuits (ICs) are directly purchased from their official manufacturers.
    • How are the credentials sent to the computer? The Mooltipass is enumerated as a composite HID keyboard / HID proprietary device. The credentials are sent over the HID proprietary channel when using the browser plugin and over the keyboard channel when using the Mooltipass through its touch interface.
    • Is it still possible to sniff the passwords sent over HID? In theory, yes. As mentioned in our project description, the Mooltipass aims to reduce the number of attack vectors to a minimum: the device basically types your passwords as if you were doing it yourself. It is therefore as secure as a regular USB keyboard. Perfect security could only be achieved by sharing dedicated secrets or by checking in person public keys with every possible service and website... which is practically impossible to do.
    • If I can export my encrypted credentials, does this mean someone could crack them? In short, no. We are using AES-256 encryption in CTR mode; brute-forcing the encrypted credentials would take more than fifty years.
    • If it is open source, does it mean it is less secure? Not at all. Having our code open source allows everyone to check our security implementation, which actually leads to a better code quality and more trust from our final users.
    • Can I use my bank card / ID card / access card with the Mooltipass? No. Only AT88SC102 based smart cards will work with the Mooltipass, which can be purchased online or via our future store.
    • Can all Arduino shields be used with the Mooltipass? All the shields we purchased so far worked with the Mooltipass. The ISP connector isn't populated but its signals are routed to other pins so in some cases a few solders may be required. We invite you to look at our schematics and our dedicated Arduino folder for more details.
    • Where will I be able to purchase the Mooltipass once the campaign ends? You may already backorder the Mooltipass on tindie.

    Literature Backing our Claims


    Our project description made several claims that these links will back:

    Project Timeline


    • November 2013: start of the project
    • December 2013: idea pitched to the Hackaday readership
    • December 2013: first feedback from readers, call for contributors
    • January 2014: first prototypes, shipped to contributors
    • January 2014: more than 10 case designs suggested by Hackaday readers
    • February 2014: official Mooltipass case chosen by the Hackaday readership
    • March 2014: 20 smart card designs suggested by Hackaday readers
    • April 2014: first functional prototype of the chosen case design
    • April 2014: new prototypes shipped to contributors
    • April 2014: official smart card design chosen by the Hackaday readership
    • May 2014: chosen hardware for the Mooltipass considered as final
    • May 2014: call for beta testers, around 100 applications
    • June 2014: 20 beta testers are chosen
    • July 2014: meeting the manufacturers in Shenzhen
    • July 2014: beta units shipped to beta testers
    • August 2014: start of intensive development based on beta testers' feedback
    • September 2014: Mooltipass Arduino example sketches 
    • September 2014: Mooltipass firmware 80% ready
    • October 2014: Mooltipass crowdfunding campaign design
    • November 2014: Start of the crowdfunding campaign
    • November 2014: firmware and software development continues
    • December 2014: End of the crowdfunding campaign
    • December 2014: Mooltipass extension development continues
    • Jan-Feb 2015: Mooltipass extension development ends, production starts
    • Feb-March 2015: Production ends, devices shipped to backers

    Risks and Challenges


    The Mooltipass project has been going on for around a year. For several months now, more than 20 functional prototypes have been tested by different individuals around the globe. They provided us with key elements on how to deliver final production units that will please everyone.

    As shown in our video, we already know our components manufacturers and product assemblers in Shenzhen. We have actually been working with them for more than 3 years on other electronic projects.

    However, there will always be unpredictable events that may arise when putting more than a thousand units into production (like plastic injection molding issues). Rest assured that we will keep you updated on our progress like we've done since the project's start.

    Our product has always been made with the final users in mind.

    Choose your Perk


    ABS Mooltipass

    $100 USD
    An ABS Mooltipass with its 2 smartcards Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    413 claimed

    Thank you!

    $5 USD
    Thank you for helping to move us one step closer to production and encouraging open source projects like Mooltipass.
    8 claimed

    Mooltipass Holder

    $6 USD
    Only for persons having already purchased one Mooltipass!
    Estimated Shipping
    June 2015
    64 claimed

    7 more cards

    $10 USD
    Already backed the project but forgot to add extra cards? Take this pledge for 7 extra cards.
    Estimated Shipping
    March 2015
    98 claimed

    Commemorative smartcard

    $25 USD
    Thanks for believing in our project! A special Indiegogo-themed smartcard with the contributors signatures on it. FREE SHIPPING
    Estimated Shipping
    January 2015
    18 claimed

    Aluminum Mooltipass

    $140 USD
    A Mooltipass made in aluminum, with its 2 smartcards Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    193 claimed

    Two ABS Mooltipass sets

    $190 USD
    2xABS Mooltipass with 5 smartcards Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    112 claimed

    Your very own smartcard - ABS

    $200 USD
    Want to design your own smartcard? Opt for this pledge to get 10 of them and an ABS Mooltipass. Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    2 claimed

    ABS + Aluminum Mooltipass

    $230 USD
    One ABS and one Aluminum Mooltipass with 5 smartcards Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    23 claimed

    Your very own smartcard - Al

    $240 USD
    Want to design your own smartcard? Opt for this pledge to get 10 of them and an Aluminium Mooltipass Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    3 claimed

    Two Aluminum Mooltipass sets

    $270 USD
    2xAluminum Mooltipass with 5 smartcards Add $1.5 per additional card FREE SHIPPING
    Estimated Shipping
    March 2015
    31 claimed

    Gold supporter

    $1,500 USD
    Do you really believe in our project and can't wait to get a Mooltipass? One Mooltipass from our beta testers' batch and 4 smartcards shipped at the campaign's END. FREE SHIPPING
    Estimated Shipping
    December 2014
    0 out of 2 of claimed
    sold out

    EARLY ADOPTERS #1

    $80 USD
    Estimated Shipping
    March 2015
    Only -1 left
    sold out

    EARLY ADOPTERS #2

    $90 USD
    Estimated Shipping
    March 2015
    100 out of 100 of claimed
