HighSec Mooltipass FAQ

Not at all. Having our code open source allows everyone to check our security implementation, which actually leads to a better code quality and more trust from our final users.

The AES-256 used in the Mooltipass has been compared against standard Nessie test vectors for correctness. Moreover, our security chain has been checked several times by qualified individuals and companies.

We are using the most secure encryption algorithms and have designed our case to make it tamper evident. Our solution is therefore perfectly suited for individuals wanting to improve their credentials’ safety.

We are using AES-256 encryption in CTR mode, brute-forcing the encrypted credentials would take more than fifty years.

Not at all, as the Mooltipass system is exactly like a chip & pin bank card: 3 false tries will permanently block the smart card. Access to the AES-256 encryption key will then be blocked and credential decryption made impossible.

Websites are compromised on a daily basis. If you are using the same password for different websites, an attacker could use one stolen password on all of them.

A piece of paper contains passwords that can easily be read when you are not paying attention to it. The Mooltipass stores encrypted passwords that can only be read when providing your PIN code.

You have the option to synchronize your credentials between multiple devices. This allows you to have one Mooltipass at work and one at home.

There are many reasons, the main one being that it is much easier to carry a smart card around than any other object. This smart card is a secure element that contains your credentials’ encryption key; it is cheap and may be cloned without compromising the system security.

The Mooltipass is enumerated as a composite HID keyboard / HID proprietary device. The credentials are sent over the HID proprietary channel when using the browser plugin and over the keyboard channel when using the Mooltipass through its touch interface.

All the integrated circuits (ICs) are directly purchased from their official manufacturers.

Your encrypted credentials can be exported to your computer. If you lose your device, you may purchase another one and restore your credentials or buy a simple inexpensive smartcard reader to extract your encryption key and decrypt your credential database.

An offline password keeper needs to provide a way to prevent impersonation. The user has to check that the website/service for which they approve the credential request is the same as the website/service they are using, as a malicious program could emit forged requests. Moreover, having a display allows the user to operate the Mooltipass without the browser plugin, by using the dedicated touch interface.

Our device is shipped with two smartcards, so you can keep a copy somewhere safe. The Mooltipass allows the user to clone their smartcard as many times as they want, provided that the card PIN is correctly entered.