These days, there’s really no excuse to not be using some sort of password security system – and the Mooltipass Mini BLE Authenticator is a great choice if you’re looking for one. Reusing passwords is just begging to be a victim of a credential stuffing attack. With literally hundreds of millions of username/password combinations floating around online, every single Internet user should have at the bare minimum a software password repository. These are reliable and time-proven, but they do have some drawbacks. Any device that can’t install the required app or browser extension has to have password manually entered. If you lose your phone or have to factory reset it, it can be a pain to get signed into your phone and get everything set up again. Or you might have more stringent requirements due to work or personal preference.
The Mooltipass Mini BLE Authenticator is the latest iteration in the Mooltipass series of hardware security devices. I’ve had a Mooltipass Mini (non-BLE) for a number of years now, and while I use a software-based password storage system primarily, I use the Mooltipass for a number of security-critical files and passwords. Knowing that physical access to the device, the smart card, a and my PIN are all required to access the device gives me great peace of mind. The Mooltipass is also a fully open-source project, meaning you can look at the code yourself or have it audited for security issues. The new BLE design segregates the BLE processor from the crypto processor, providing another layer of separation. All passwords and other data is stored using AES-256 encryption, which has no known feasible attacks – even by nation-states with huge amounts of computing power and time.
The new Mooltipass now integrates BLE, making it even easier to use with phones/tablets and many other devices. Whereas a USB OTG cable was needed beforehand, now a BLE connection can securely enter passwords for you without having to carry a cable around. Combine the Mooltipass BLE with a FIDO/U2F device (like the Yubikey) and you can have ultimate access control to your most important online data.
Author’s note: Full disclosure – I used to hang out with Stephan in IRC and have been a personal fan of his hardware and software hacking for many years