AntiSpook Posted July 16, 2016 Share Posted July 16, 2016 On Linux, how viable is Rubber Ducky as a password manager keyfob. Suppose I define super-secure passwords for someone who won't herself know them. I have authorization to configure her online accounts. She will ask the Rubber Ducky to input a password of choice by magic key combo(s), or maybe a menu in Python or JavaScript or whatever. The data on the Rubber Ducky must be encrypted in case a third party gains access to it. It would be nice if she can put the Rubber Ducky on her keychain with her house and car keys, then only stick it in the PC when she needs to input a password. Would a USB Armory be better or worse for this use case? Any other guidance? Thank you. Quote Link to comment Share on other sites More sharing options...
sud0nick Posted July 19, 2016 Share Posted July 19, 2016 The ducky is just a keyboard so it's not suited for this type of application. Look into YubiKey or something similar if you want 2FA. If a hardware token isn't required then can't you just set up a password manager on the machine like Dashlane or LastPass? Quote Link to comment Share on other sites More sharing options...
AntiSpook Posted July 20, 2016 Author Share Posted July 20, 2016 The threat model is "frenemy" types using her PC while she's logged in. She has to stay with them sometimes and wants them able to use it (they often ask). So a password manager would not work, as it would let the frenemy use any account. The lady involved also wants to be able to tell them, honestly, "I don't know any passwords, my tech set it all up, use the machine without using my online accounts." So basically she wants to let others use her machine but NOT her online accounts. The issue is not 2FA either, really it's just completely offloading the login data to a physical carry device and somehow automating it. Merci! Quote Link to comment Share on other sites More sharing options...
cooper Posted July 20, 2016 Share Posted July 20, 2016 You're busy solving the wrong problem. What you want is the PC to have multiple user accounts - one for her to get serious on, one for the frenemies who can go mental on the thing. At the end of a day, just wipe the frenemy account and make a new one. Quote Link to comment Share on other sites More sharing options...
AntiSpook Posted July 22, 2016 Author Share Posted July 22, 2016 Correct, that is what *I* want. It isn't what she wants. The PC must autoboot into her user account. Frenemies expect to see her usage and certain files; boot it themselves into her account; and she wants to let them. She just wants to offload online passwords a USB keyfob outside their access/control or for that matter, even hers. I will set it up and she can have plausible deniability on how to add or change passwords. That way the frenemies cannot alter her online accounts or set up new ones for her. Maybe Nitro Key would be the right device. Merci! Quote Link to comment Share on other sites More sharing options...
bored369 Posted July 22, 2016 Share Posted July 22, 2016 UBS Armory would also be an option, it's designed for a similar application (password manager being one of them). But being a full linux system on a usb you can customize and use it in a number of ways. The cost compared to the nitro key atones for those abilities though. Quote Link to comment Share on other sites More sharing options...
0phoi5 Posted July 26, 2016 Share Posted July 26, 2016 I'd look closely at the YubiKey. Having passwords stored as plain-text on a USB (Rubber-Ducky or not) sounds like a terrible idea. Quote Link to comment Share on other sites More sharing options...
cooper Posted July 26, 2016 Share Posted July 26, 2016 Yubikey is the 2FA device, not a keystore. All you can feign is that you can't find the damned thing, which is quite implausible... Kinda like claiming to not know the passwords. Unless this frenemy is a child this excuse would last about 5 seconds. You're putting a lot of time, money and effort into allowing a girl to be dumb. It's a lot more efficient to tell her to not be dumb. Quote Link to comment Share on other sites More sharing options...
barry99705 Posted July 30, 2016 Share Posted July 30, 2016 I'd just tell her to kick the asshats to the curb and move on with life. Quote Link to comment Share on other sites More sharing options...
kerravon Posted October 1, 2016 Share Posted October 1, 2016 cheaper option!!! sack her as a security risk lol. Quote Link to comment Share on other sites More sharing options...
Rainman_34 Posted October 3, 2016 Share Posted October 3, 2016 I'm curious as to why it is so important for the frenemies to see her using the computer and on her part of the computer and not just hey you can use my guest account but my account is my account period. User agreements and work policies. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.