
Aladdin: Key to Remember - Open Source Hardware

Aladdin is a USB keyboard that remembers your password to unlock computers/websites. Aladdin works with Windows/Mac/Linux, smartphones and tablets. No software.

This campaign will only receive funds if at least $50,000 is raised by Tue Jan 08 at 11:59PM PT.

Aladdin is a USB keyboard, not a USB drive. It remembers the keystrokes of your password, not passwords in text files. It saves you time whenever you need to enter passwords.

Aladdin also improves the current situation of people using short, simple or identical passwords everywhere by removing the need to memorise passwords.

"What if you lose it? It is a good question - but that is not what Aladdin is trying to solve - it is trying to solve a bigger problem - trying to remember," by security blogger alapan

Aladdin works with Windows, Mac, Linux as well as smartphones and tablets that accept USB keyboards (See FAQ).

Aladdin also works with password managers such as LastPass, KeePass and 1Password. After all, you still need a password to protect the safe!

Aladdin also works across remote sessions such as RDP, VNC, Synergy, SSH and Telnet.

Aladdin is fully open source.

2012/12/11 We are featured on Indiegogo homepage!

Indiegogo Homepage

2012/12/12 Security blog

Aladdin - Password on a USB Stick

Problem 1 - Identical Passwords (Password Leaks)

Problem 2 - Simple Passwords (Dictionary Attacks)

  • The 25 Most Popular Passwords of 2012 - Gizmodo

    1. password (Unchanged)
    2. 123456 (Unchanged)
    3. 12345678 (Unchanged)
    4. abc123 (Up 1)
    5. qwerty (Down 1)
    6. monkey (Unchanged)
    7. letmein (Up 1)
    8. dragon (Up 2)
    9. 111111 (Up 3)
    10. baseball (Up 1)
    11. iloveyou (Up 2)
    12. trustno1 (Down 3)
    13. 1234567 (Down 6)
    14. sunshine (Up 1)
    15. master (Down 1)
    16. 123123 (Up 4)
    17. welcome (New)
    18. shadow (Up 1)
    19. ashley (Down 3)
    20. football (Up 5)
    21. jesus (New)
    22. michael (Up 2)
    23. ninja (New)
    24. mustang (New)
    25. password1 (New)

Problem 3 - Short Passwords

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.


Solution to Problem 1 - Use Different Passwords

Solution to Problem 2 - Use Complex Passwords

Solution to Problem 3 - Use Long Passwords

However, these solutions actually create a new problem because, mighty as we may be, we cannot remember so many long, complex, and different passwords. This leads back to problems 1, 2, 3. Remembering passwords may have been a necessary evil in the past, but it doesn't have to stay that way.

Now, ask yourself, how do you open your front door? "I use my key!" you shout. How do you unlock your car? The list goes on... We have used keys to unlock things for centuries, so why not computers?

"But...keyboard...password...computer..." I hear you mutter along those lines. Part of the problem is that computers have been using passwords for as long as they have existed. Everything that's already built, from the login screen to websites, is unlikely to change. However, shouldn't technology work for people, not the other way round?

What if there is something that can remember my password and unlock my computer & websites just like a house key?

Solution to Problems 1, 2, 3 - Aladdin

Here, I proudly present to you - Aladdin: Open Source Hardware Key to Your Online Security. It is the key to your computer & websites. You should treat it like your house key. Put it on your key chain and keep it with you at all times. OK, maybe not in the shower.

Prototype 2 & PC

In short, when you plug Aladdin into your computer, he types your password so you don't have to. Simple, isn't it? There is no software to install because Aladdin appears to your computer as just another USB keyboard. Everything you need to use Aladdin already exists on your computer.

How to Use Aladdin

Method 1 - Single Aladdin

You can simply unlock your computer as seen in the demo. This method is usually used when maintaining physical security is more important than worrying about being hacked. Of course, never leave your key and the lock together unattended. You can also protect your password safe with this method.

Method 2 - Single Aladdin

Think of something you can remember that is different for each website, let's say fb for Facebook and link for LinkedIn.

Then, coupled with a red Aladdin which outputs chahb3Id, you can set up your passwords like:

Website    Password
Facebook   fbchahb3Id
LinkedIn   linkchahb3Id

Now each password is formed from something in your brain that's easy to remember but different for each site, plus something complex from Aladdin, and the resulting password is long.

Method 3 - Multiple Aladdin

You can simply unlock your computer as seen in the video, but some argue that doing so is less secure, so how about two Aladdin keys? You can make up at least 6 unique passwords by plugging them in up to two times, individually as well as sequentially.

For example, if A is a red Aladdin key and B is a green Aladdin key, then they can make at least 6 unique passwords:

Key   Password
A     chahb3Id
B     dah4Ohxi
AA    chahb3Idchahb3Id
AB    chahb3Iddah4Ohxi
BA    dah4Ohxichahb3Id
BB    dah4Ohxidah4Ohxi

With more Aladdin, the number increases very quickly due to permutation, and with just 3 Aladdin:

  • Number of 1-unit length passwords (1! + 1! + 1!) = 3
  • Number of 2-unit length passwords (2! + 2! + 2!) = 6
  • Number of 3-unit length passwords (3! + 3! + 3!) = 18

These make up 27 unique passwords, which should be more than enough for most people.
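The composition rules of Methods 2 and 3, as an added example (not code from the Aladdin project): it rebuilds both tables from the two device outputs quoted above and estimates exhaustive-search time at the 350 billion guesses per second quoted under Problem 3. The function names and the 62-character alphabet are assumptions; the page does not state the firmware's character set.

```python
from itertools import product
from os.path import commonprefix

# Device outputs quoted on the page for the red (A) and green (B) keys.
KEYS = {"A": "chahb3Id", "B": "dah4Ohxi"}
GUESSES_PER_SECOND = 350e9  # cluster rate quoted under Problem 3
ALPHABET_SIZE = 62          # assumption: a-z, A-Z, 0-9, as in the sample outputs


def plug_sequences(keys, max_plugs):
    """Map each ordered plug-in sequence (repeats allowed) to the typed password.

    n keys and up to k plug-ins give n + n**2 + ... + n**k entries.
    """
    typed = {}
    for plugs in range(1, max_plugs + 1):
        for order in product(sorted(keys), repeat=plugs):
            typed["".join(order)] = "".join(keys[name] for name in order)
    return typed


def prefixed(site_tag, device_output):
    """Method 2: a memorised per-site tag typed before the device output."""
    return site_tag + device_output


def shared_suffix(passwords):
    """Longest suffix common to all passwords, i.e. the part every site sees."""
    return commonprefix([p[::-1] for p in passwords])[::-1]


def seconds_to_exhaust(length, alphabet=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of exactly `length` characters."""
    return alphabet ** length / rate


if __name__ == "__main__":
    for order, password in plug_sequences(KEYS, 2).items():
        print(f"{order:<4}{password}")
    sites = [prefixed(tag, KEYS["A"]) for tag in ("fb", "link")]
    print(sites, "share", shared_suffix(sites))
    for length in (8, 16):
        print(f"{length} chars: {seconds_to_exhaust(length):.3g} s")
```

Where guessing can run offline at the quoted rate, an 8-character password over the assumed alphabet is exhausted in roughly ten minutes, while a 16-character one such as AA or AB is far out of reach. Method 2 passwords all end in the same device output, so a site that exposes one of them exposes the part shared by the rest.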

Mixed Mode

How about combining these methods? You can even invent your own method, e.g. instead of typing something before or after plugging in Aladdin, you can delete something after it's plugged in!

I personally use the mixed mode; I use a really long password as you've seen in the demo for my laptop because I never leave Aladdin alone with my laptop unattended. For online accounts, I used method 2 for social websites and method 3 for banking sites.

Features

On its own, Aladdin can:

  • Unlock your computer and websites;
  • Generate and store one random password;
  • Re-generate the stored password.

With host software, it can also:

  • Reset to its default state;
  • Change the length of the random password (default = 8, max 255);
  • Replace the stored password with your choice;
  • Switch automatic entry of the stored password on or off (default = No).

Most Asked Questions

  • Q: What if I lose my Aladdin?
  • A: Because Aladdin is mapping digital security to physical security, you would do what you do when you lose your house key, i.e. call a locksmith. Since it is for your computer, you'll ask a computer locksmith (Administrator) to reset your password. If it is for a website login, then you'll request a password reset email to be sent to you. Resetting password is just like replacing the lock in the physical world. Of course you can save yourself the trouble by having multiple Aladdin keys just like you have spare house keys.
  • Q: What if someone stole my Aladdin?
  • A: Report it to the police, seriously. You should do what you do when someone steals your house key. You should change your locks (passwords) as soon as possible. The thief would still need your home address or your login in order to gain access though.
  • Q: Compared to a house key, wouldn't it be easier for someone to pick up my Aladdin and plug into his computer so he knows my password while I have no idea my password was copied?
  • A: Compared to Aladdin, wouldn't it be easier for someone to pick up your house key and press it into a piece of soap so he now has a copy of your house key while you have no idea your house key was copied?

Progress

When I had the idea, the first thing I did was a Google search. No surprise that similar things exist; however, none of them is at the stage of a finished and affordable product. However, they provided great starting points. One, in particular, is Joonas Pihlajamaa's Code and Life blog - DIY USB password generator, which Aladdin has improved upon. In collaboration with Joonas, Aladdin will be released under the GNU General Public License (GPL) too.

Timeline 1

In the past few months, I've completed:

Prototyping - two working prototypes have been made: Prototype 1 on a breadboard with the circuits shown below, and Prototype 2 on a red pre-assembled PCB called AVR Stick from SparkFun, as seen in the video. By combining the Atmel ATtiny85 microcontroller and Objective Development's V-USB (an open source firmware-only USB driver), a viable USB device can be implemented entirely with open source software. OK

Aladdin Prototype 1 (with circuits)

Aladdin Mini

Aladdin Prototype 2

Programming - both the firmware that generates and types the password and corresponding command line interface (CLI) to reset/change the stored password were written (see Features above). OK

Researching - finding out all the logistics including industrial design, manufacturing, certification, licensing, packaging and distribution...etc... OK


Funding

Nothing can be made with nothing so that's where you come in. In order to free everyone from the burden of memorising passwords, and make Aladdin a reality, it needs to tap into the economies of scale. This means a manufacturing run of 10,000 units minimum.

Timeline 2

The funding will be used between Jan-Mar/2013 to do:

Programming - a better firmware and possibly a nice graphical user interface (GUI) will be written to make the whole experience more awesome. The software will be published on the web under GPL. Extra features being experimented with in the host software include:

  • Insert user name;
  • Press Ctrl-Alt-Del;
  • Press Win-L;
  • Any combination of the above.

CAD Designing - cases that can be attached to the key chain will be designed and funders will vote on their favourite case which goes into production. It may or may not look like the photos shown and it is totally dependent on funders' votes.

USB Key thumb, USB Key key

PCB Designing - circuits need to be turned into a PCB that fit inside the case. Once a case is voted the favourite, a PCB will be laid within the footprint. One possible design is shown below.

USB Key Animated GIF

Package Designing - a blister pack with instructions will be designed to protect Aladdin during transit.

The next phase will take place between Apr-Jun/2013 and involves:

Manufacturing - in addition to assembling the components, there are also the CE or FCC approval requirements. Several suppliers have been contacted and they all have their pros and cons. UK suppliers cost three times more than their overseas counterparts, but it might be easier to communicate with them. Overseas suppliers are cheaper, but come with a greater risk of delay. Hence, UK companies with local design capabilities and overseas manufacturing facilities were contacted. Aladdin is "Designed in Europe."

Distribution - several distribution companies have been contacted. Amazon.co.uk seems to be the most reliable choice, but they currently do not ship outside the EU. Depending on the locations of the funders, more than one shipping company may be needed.

Your Aladdin is on its way to you in Jun/2013.


FAQ

  • Q: What problem does Aladdin solve?
  • A: Aladdin is trying to improve the current situation of people using simple or identical passwords everywhere by removing the need to memorise passwords. Imagine this: we never try to memorise the exact imprints of our house keys, we just have to remember which key fits which lock. Similarly, we don't have to memorise our passwords, we just have to remember which Aladdin goes with which computer or website (e.g. by colours).
  • Q: Why is using the same password such a bad thing?
  • A: Using the same password means you trust your secret to a third party which may not adhere to best practice, e.g. LinkedIn stored unsalted password hashes.
  • Q: How do I unlock my computer and websites with just a solo Aladdin?
  • A: Although you can use the same password, it's not recommended. However, there is nothing stopping you from typing something before or after plugging Aladdin in. Now each password is formed from something in your brain that's easy to remember but different for each site, plus something complex from Aladdin, and the resulting password is long.
  • Q: What kind of computers can I use Aladdin with?
  • A: Since Aladdin emulates a USB keyboard, it works with Windows, Linux, Mac OS and more...
  • Q: What about tablets?
  • A: It is believed that Aladdin may work with iPad via the iPad Camera Kit, but the truth is that it has never been tested. Android tablets with USB OTG functionalities may support Aladdin too.
  • Q: What browsers does Aladdin support?
  • A: Aladdin works with Google Chrome, Mozilla Firefox, Internet Explorer, Opera and more...
  • Q: What websites accept Aladdin password entries?
  • A: Virtually all websites including Facebook, Hotmail, Amazon and more...

Risks and Challenges

Supply Chain - while we have every confidence in the suppliers, it is dependent on their manufacturing capacities and capabilities to ensure on-time deliveries.

Things out of Our Control - if future USB standards become backward-incompatible, then it might stop Aladdin from working. However, the chance is probably lower than winning the lottery. As long as USB keyboards are still being made, Aladdin will continue to work.


Origin

The story began when 6.5 million LinkedIn passwords were leaked in Jun/2012. My password was one of them. I, like everyone else, used the same password across multiple websites. Consequently, I had to change passwords for 10+ websites. I have been working on a feasible solution since then.

This project also comes from the maker/hacker community. The software and the circuits are open-sourced by me or others. However, because a suitable enclosure has never been designed and manufactured, the maker/hacker community cannot use it in daily life (you wouldn't be able to carry a bare printed circuit board (PCB) on your key chain without the risk of damaging it). One aspect of the project is to design a sleek and minimalistic enclosure, voted for by funders, that looks cool and can be attached to the keychain. Another is to improve its usability. All code is released under GPL. CAD and PCB designs are Creative Commons Attribution-ShareAlike (CC BY-SA) licensed.


Who

Hi, my name is Alvin Chang, and I have been an independent IT consultant since 2010. I've seen many cases where computer technologies have fewer contributions to human convenience than TV remotes. I wanted to change that after I attended the Open Source Convention 2011. Therefore, I founded CHANGTECH Labs aiming to make technologies work for people, not the other way round.


Why Open Source
