PassStrong Is a Portable Password Generator and Storage Device

Most people have woefully inadequate security for their computers, online services, and accounts. We tend to use the same weak passwords for everything, and most of us don’t bother with multi-factor authentication unless the service in question forces us to. If one website or service is successfully attacked, your leaked password will grant bad actors access to all of your accounts. The best way to prevent that is to use strong, unique passwords and multi-factor authentication. PassStrong is a DIY device that you can build to generate and store those passwords.

In practice, PassStrong works a bit like the software password managers that are common today. Anytime you sign up for a new service, you can have it generate an extremely strong password that is unique to that service. No two passwords are ever the same, so a data breach on one service won’t expose your other accounts. No one could possibly be expected to remember those random gibberish passwords, so PassStrong also enters them for you. It does that by connecting to your PC or smartphone as a Bluetooth keyboard, and then types out the password into the field when necessary. That keeps it from leaving any traces on the computer or smartphone.

The device itself is built on an M5StickC dongle, which has an ESP32 module, built-in LCD, and included 80mAh battery (among other hardware) — all in a handy portable enclosure. It costs about $15 through sites like AliExpress. The PassStrong software uses AES encryption for the passwords, which are stored in EEPROM. This is very safe from any kind of remote attack, but it is potentially vulnerable to hardware attacks. That’s because the ESP32 doesn’t actually have any kind of hardware cryptography chip. If someone got their hands on the device itself and had the right skills, they could extract the data from the EEPROM and decrypt the password. Even so, PassStrong is far more secure than what you’re likely using right now, and it is a very solid solution when used in conjunction with multi-factor authentication — which you should be using anyway.