passwordsFAST: Not so fast. Handheld Password device for storing personal identities. [ product review ]

Security entrepreneur’s tiny hack-proof password computer

-by Steve Morgan, CSO Cybersecurity Business Report

This product review originally appeared here at CSO Online.

LeAnn Bell, an inventor and entrepreneur from Dayton, Ohio, aims to solve one of the biggest challenges in the security field - managing and protecting passwords. How? By selling everyone a tiny hack-proof password computer.

Her timing is perfect. Passwords are the bane of the security industry, with some even calling it the Achilles' heel.

Microsoft estimates that by 2020 4 billion people will be online — twice the number that are online now. The number of passwords in use (by humans, not including machines) is expected to grow from about 75 billion today to around 100 billion in 2020.

Bell’s product, passwordsFAST, looks like a credit-card-sized Etch A Sketchwith a qwerty keyboard built-in. Priced similarly to the iconic drawing toy - at only $19.99 - the itty-bitty red computer won’t entertain kids at dinner (there’s no knobs or touch-screen), but it’s an interesting conversation piece for seniors.

The gadget originally was sold in a kiosk at a Dayton mall, and then expanded into Bed, Bath and Beyond stores. Bell has honed her pitch on QVC, the Today Show, and others, and it’s quite impressive.

Seniors are known to be gullible, and they’re a popular target for hackers… and for passwordsFAST. The unit’s packaging states “passwordsFAST is great for seniors. Give your master password to a trusted family member, and know that loved ones can access vital account information if needed.”

Can Bell’s audience expand from retailers and infomercials selling to consumers - to tech savvy teens, hip twenty-somethings, business users, and more discerning buyers who know a thing or two about cybersecurity?

We caught up with Bell via email to learn more about passwordsFAST - and to dig into some obvious concerns that security experts and corporate users are likely to raise around the device. I also reviewed a passwordsFAST evaluation unit.

Made in China

A stamp next to the bar code on the passwordsFAST packaging states “SmartieHeads, LLP, Made in China”. A security product aimed at U.S. citizens and organizations - made in China - is a definite eyebrow raiser.

SmartieHeads is Bell’s two-person firm, based in Dayton, Ohio. But the units are manufactured and assembled by Shenzhen Ketuoda Electronics Co., in Shenzhen, China, which has the capacity to produce 100,000 units-per-month.

Bell and her business partner, a software engineer, provides the manufacturer with software for the passwordsFAST units, and the retail packaging files. SmartieHeads is the exclusive distributor for the units.

The big concern of course, is the potential ‘backdoor access’ to U.S. personal identities by a foreign tech manufacturer. Bell says that all of the software for passwordsFAST was developed by her firm, not the manufacturer, and they (the manufacturer) did not program in any kind of backdoor access. SmartieHeads only gives Shenzhen the compiled binary file which is used to program the units.

Hack-proof?

Surprisingly, the passwordsFAST device has not undergone any type of security testing by a third party ethical (white-hat) hacking firm.

Bell says that SmartieHead’s internal testing confirmed that their security implementation (hashing, encryption, etc.) works as designed - but they have not yet given the units to any security experts or white-hat hackers for the purpose of having them attempt to crack the encryption and retrieve the passwords.

The passwordsFAST marketing materials claim that that device is not connected to the internet, so it can't be hacked (come again?). While that may fly on QVC, it’s not likely to get past CSO readers.

Bell clarified, saying SmartieHeads means that their devices can’t be hacked remotely or without a user knowing. If a user has physical possession of their passwordsFAST device, there is no way someone can hack it and get the passwords. If the unit gets lost or is stolen, then it’s extremely difficult for a hacker to break the encryption, giving the victim plenty of time to realize they’ve lost their passwordsFAST device and they need to change all of their passwords.

Password capacity

Grandma and grandpa probably have a couple dozen passwords between them, so the passwordsFAST storage capacity of 125 passwords (max) will suffice. But for many youngins and corporate users with big appetites for social media, and business and web apps, 125 won’t cut it.

SmartieHeads is currently working on passwordsFAST 2.0 - which will store between 200 and 225 passwords, plus additional space for security questions or other miscellaneous data.

It isn’t likely that an IT security pro would use passwordsFAST to store privileged account passwords (unless they’re hoping to get fired) which can number into the hundreds or thousands depending on the organization. If anyone is dumb enough to try, then the password capacity limit becomes a security measure - protecting against hoarding corporate passwords onto the device.

Touch Interface

The passwordsFAST qwerty keyboard is decidedly old school. And its competition could wind up being a new market entrant with a lookalike device sporting a touch screen.

The masses have spoken. Blackberry and its qwerty keyboards are out, iPhones and Android phones with touch screens are in. And there’s no turning back.

Teens can swipe, but they can’t type. Seniors use smartphones to video chat with their grandkids, to store photos, for online banking, and much more.

Interestingly, the first passwordsFAST prototype was touch screen but it cost too much to manufacture and SmartieHeads thought it was important to have a product at the $19.99 price point. So they did a redesign to come up with a keyboard that got them there.

Bell says that there are no plans (at this time) to go to a touch screen device as it’s still too costly to manufacture and be close to their price.

Backup

There’s no way to backup a passwordsFAST device.

If someone drops their passwordsFAST device in the toilet - then they’re dead in the water… literally.

For anyone still reading, Bell reassures potential customers that SmartieHeads is working on passwordsFAST 2.0 - which enables a unit to back itself up to another unit.

If the thought of dealing with an extra hardware device is a potential deal-breaker for someone contemplating one of the tiny password computers, then needing two of the devices for backup could push them over the edge.

Bell says passwordsFAST 2.0 will be available in the 2017 summer/fall timeframe.

If stolen

PasswordsFAST only needs the master password for a user to get in, but physical possession of the device ensures that it cannot be accessed by an unauthorized user.

Bell informs that if a passwordsFAST unit is lost or stolen, someone could attempt to brute-force the password from the keyboard, but passwordsFAST has a login attempt limit (five by default, setting can be changed). When the limit is reached, the device will sit and wait for a short amount of time before restarting itself and allowing the user to try and login again. This should frustrate any brute force attempts, or at least prolong them enough to allow the victim time to change their passwords.

SmartieHeads encourages people to use good password practices when creating the master password for their device.

If a user loses their device, then they need to change all of their passwords and start all over again with another passwordsFAST unit if they dare.

Conclusion

Scott Schober, author of the popular book ‘Hacked Again’ and a top security expert, says that passwordsFAST is secure in an old-school way - and likens it to a little black book for writing down login IDs and passwords. Schober says that the device works as advertised, it’s hard to hack, and worth its price.

Bell says that SmartiHeads has imported 15,000 units to date, and so far they’ve generated $226,000 in gross sales. Things have come along nicely since they started selling out of the mall kiosk in 2015.

For only $19.99, passwordsFAST is definitely worth a try.

-by Steve Morgan, CSO Cybersecurity Business Report

This product review originally appeared here at CSO Online.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.