- Device Security - If it is open source, does it mean it is less secure?
- Device Security - Are you sure about your encryption implementation?
- Device Security - How secure is the Mooltipass, really?
- Security - If I can export my encrypted credentials, does this mean someone could crack them?
- Security - If I only need to remember a PIN code, does it mean the Mooltipass is not safe?
- Security Practices - Why do I need different passwords for different websites?
- Security Practices - Is your solution better than a piece of paper?
- Device Use - Can a smartcard be used with multiple Mooltipass devices?
- Device Design - Why are you using both a smart card and a main Mooltipass device?
- Device Design - How are the credentials sent to the computer?
- Device Design - Where do you source your components?
- Device Design - What if I lose my Mooltipass device?
- Device Design - Why do you need an OLED screen?
- Device Design - What if I lose my smartcard?
Device Security – If it is open source, does it mean it is less secure?
Not at all. Publishing our code as open source lets anyone review our security implementation, which leads to better code quality and more trust from our end users.
Device Security – Are you sure about your encryption implementation?
The AES-256 implementation used in the Mooltipass has been checked against the standard NESSIE test vectors for correctness. Moreover, our security chain has been checked several times by qualified individuals and companies.
Device Security – How secure is the Mooltipass, really?
We are using the most secure encryption algorithms and have designed our case to make it tamper-evident. Our solution is therefore perfectly suited for individuals wanting to improve their credentials’ safety.
Security – If I can export my encrypted credentials, does this mean someone could crack them?
We are using AES-256 encryption in CTR mode; brute-forcing the encrypted credentials would take more than fifty years.
Security – If I only need to remember a PIN code, does it mean the Mooltipass is not safe?
Not at all, as the Mooltipass system works exactly like a chip-and-PIN bank card: 3 incorrect tries will permanently block the smart card. Access to the AES-256 encryption key will then be blocked and credential decryption made impossible.
Security Practices – Why do I need different passwords for different websites?
Websites are compromised on a daily basis. If you are using the same password for different websites, an attacker could use one stolen password on all of them.
Security Practices – Is your solution better than a piece of paper?
A piece of paper contains passwords that can easily be read when you are not paying attention to it. The Mooltipass stores encrypted passwords that can only be read when providing your PIN code.
Device Use – Can a smartcard be used with multiple Mooltipass devices?
You have the option to synchronize your credentials between multiple devices. This allows you to have one Mooltipass at work and one at home.
Device Design – Why are you using both a smart card and a main Mooltipass device?
There are many reasons, the main one being that it is much easier to carry a smart card around than any other object. This smart card is a secure element that contains your credentials’ encryption key; it is cheap and may be cloned without compromising the system security.
Device Design – How are the credentials sent to the computer?
The Mooltipass is enumerated as a composite HID keyboard / HID proprietary device. The credentials are sent over the HID proprietary channel when using the browser plugin and over the keyboard channel when using the Mooltipass through its touch interface.
Device Design – Where do you source your components?
All the integrated circuits (ICs) are directly purchased from their official manufacturers.
Device Design – What if I lose my Mooltipass device?
Your encrypted credentials can be exported to your computer. If you lose your device, you may purchase another one and restore your credentials, or buy a simple, inexpensive smartcard reader to extract your encryption key and decrypt your credential database.
Device Design – Why do you need an OLED screen?
An offline password keeper needs to provide a way to prevent impersonation. The user has to check that the website/service for which they approve the credential request is the same as the website/service they are using, as a malicious program could emit forged requests. Moreover, having a display allows the user to operate the Mooltipass without the browser plugin, by using the dedicated touch interface.
Device Design – What if I lose my smartcard?
Our device is shipped with two smartcards, so you can keep a copy somewhere safe. The Mooltipass allows the user to clone their smartcard as many times as they want, provided that the card PIN is correctly entered.