HOWTO: Easy AVR USB Keyboard Firmware - Embedded strong password generator
metalliqaz@geekhack

=============================
Generating Strong Passwords
===========================

This features is meant to assist you in creating and remembering strong
passwords for use online.  It is by no means a perfect or complete security
solution.  If you are already under surveillance, then it is too late and this
tool is of no use to you.

Data breaches happen frequently.  If you have created a login at a website
that is later compromised, then you may assume that your username and password
hash has been released into the open.  If you use a weak password, then the
hash can be decrypted within seconds.  If you use the same login at multiple
websites, then the attackers will have the ability to, for example, read your
email, spam with your social accounts, or even steal your money.

If you use a particularly weak password, then attackers could brute force your
account without even needing a data breach.  Don't use a password like "12345"
or "password".

Strong passwords are much more secure, however they are difficult to remember.
Here is an example of a strong password: (qV2>ckmym>{/nKUBz]CfjB96
Good luck remembering that.  It is also difficult to type quickly.

With a programmable keyboard, you may be tempted to simply store the password
as a macro.  Then you don't have to remember or type it.  However, anyone who
has access to your keyboard will now have access to your accounts.  You may as
well have your password written on a sticky note under your mouse pad.

This is where the strong password generator comes in.  It allows you to store
your secret information in your keyboard while also requiring a key to access
it.

There are a few terms that must be defined.  The "secret string" is your root
password.  It must be long and random to have any kind of security.  It is never
actually seen by any of your account providers.  You also have a "key string".
This is used to mangle the secret string into the actual password that will be
used for your logins.

Someone who sits down at your keyboard will thus have potential control over
your secret string, but will not be able to log in to any of your accounts
because they don't know your keys.  Even better, you can use the same root to
generate different strong passwords at different websites by just varying the
key.

Remember, this is not a solution for hardened security.  This is meant to keep
you safer in the event of data breaches at your account providers.

=============
Configuring
===========

After creating your layout, open the password generator from the 'View' menu.
The firmware can store up to four secret strings.  They can be configured and
tested in this screen.

For each of the four configurations, you have the option to either enter your
own secret string or generate one randomly.  The secret string can be hidden by
checking the '*' option box.  This can be any ASCII string.  It should be at
least as long as your desired output.  Note that it is not encrypted in layout
save files, so they must be kept secure as well.

Once your secret string is chosen, you then configure how the generated
passwords will look.  The password length should be 12 characters at a minimum
and is limited by the size of the RAM Macro buffer for your keyboard (either 20
or 40 characters).  You can select which characters are allowed in the generated
output.  The more character sets are selected, the stronger the password will
be.

With those few settings, your password generator is configured.  It can then be
tested by entering a key string.  The tool will display the output generated
by the combination of the configured secret string, the generation parameters,
and the entered key string.

Note how small changes to your key string cause large changes to the generated
password.  This allows you to use one secret string to generate passwords for
several accounts.  For example, for Facebook I could use a key string of
"myfacebook" to get "IcmYp82lV5NEuuBSwntQ" as a password, and for Twitter I
could use a key string of "mytwitter" to get "nEAN0q7qlV9fqWTbTj0m" as a
password.  Both are highly resistant to cracking and an attacker who discovers
one will not be able to figure out the other.

========================
Using Strong Passwords
======================

To use the strong password generator, map one of the four PW keys to your
layout and program it to your keyboard.  PW1 corresponds to configuration #1 and
so on.  When you are ready to generate your password, press the PW key.  Then,
type your key string followed by either Enter or Tab.  The text of your key
string is not sent to the PC as you type.  Upon completion, the generated
password will be sent to the PC automatically.  It will also be loaded into the
RAM Macro buffer so it can be played again without having to enter the key
string (see functions.txt).  To remove the generated password from the RAM
buffer, you can either record a new RAM Macro or unplug the keyboard.

===================
Technical Details
=================

The algorithm that generates passwords from the secret string and the key string
is a relatively straightforward hash function based on additions, shifts, and
XORs.  I have tested the algorithm over millions of inputs and it appears to be
uniformly distributed.  If you use very short secret strings and key strings,
you will compromise the ability of the hash to work as intended.

The algorithm is not cryptographically secure.  That is to say, if someone knew
several of your passwords and the corresponding key strings, they could
determine your secret string.  However let's be honest, who is going to bother?
This thing has to run on a tiny 8-bit microcontroller, you can't expect much.

I developed this tool mostly as an exercise for my own discovery into the
capabilities of a keyboard.  Further development is unlikely.
