SatoshiLabs' newly announced TREZOR Password Manager stores and manages passwords securely and is available for public beta testing to all TREZOR hardware owners, the company announced on Medium. A Chrome extension is available.
The new password manager uses advanced cryptography. A user can encrypt each password entry using their personal TREZOR device. The password manager automatically uploads the encrypted data to the user’s private cloud storage, where it is available as needed.
TREZOR now addresses the most pressing flaw in password managers: a single master password unlocks the entire database. If keylogger malware is running on the user's computer, an attacker who captures that master password gains access to everything stored in the password manager. Stolen login credentials are often sold on the black market.
Second-factor authentication via email or an app adds a security layer, but it is inconvenient. Biometric authentication can be dangerous: should a fingerprint be compromised, an attacker can reuse it indefinitely, since unlike a password it cannot be changed.
The TREZOR device itself acts as a second-factor authenticator. It unlocks the passwords without any need for third party authentication apps or access to email or a mobile phone. Rather than typing a master password to unlock the password database, the user simply “unlocks” the device using a secure PIN entry that is protected from keyloggers.
The PIN additionally prevents improper physical access.
Even if the user's Dropbox account is hacked, it is nearly impossible to read the stored passwords: TREZOR adds another security layer by encrypting each password entry individually with a unique encryption key derived from the device.
The password manager serves as a showcase of how security for personal cloud storage can be approached.
The password manager automatically syncs each password entry to a user’s private Dropbox account. This provides availability from any online computer. More cloud storage options will slowly be added.
TREZOR devised an easy way to back up the device securely and privately. During initial setup the user is prompted to write down a backup sentence of 24 words; keeping that paper in a safe place is all that is needed to restore all the keys onto a new device.
TREZOR serves as a secure login token, with visual and physical verification, and as an encryption device.
An import/export feature will be added following the beta version. TREZOR may also add an Android app, based on user requests.
Users still only have to remember one password, which is for their Dropbox account. To overcome this limitation, TREZOR is working to enable a direct login to Dropbox with the device.
TREZOR established itself as a bitcoin security pioneer with its 2014 release and is sold in nearly 100 countries. Last year TREZOR rolled out its TREZOR Connect API, a passwordless login for websites. The TREZOR Compact API is easy to implement for websites handling sensitive data. TREZOR can also be used for WordPress admin access and for SSH login.
Images from Medium/SatoshiLabs.