[PetaWatt]

Background

I was struggling a bit to manage all the usernames/passwords/PINs belonging to different websites/cards/accounts I hold. Till last decade things were pretty manageable due to less number on online services (hence accounts), but now I got around 21 different accounts. Initially I was reusing the same passwords across the different accounts, then one good day my brother (who works in IT security and ethical hacking domain) explained me why I should not reuse the passwords. He suggested me to keep different usernames/passwords for different websites/accounts and if I can’t remember all the details, I should maintain a hardcopy of details and keep it safe. He also advised me not to keep this sensitive information either on my Laptop or on my Smart Phone.
I experienced, keeping hardcopy of usernames/passwords/PINs is a bit difficult task because of the 2 reasons. First, few accounts enforce us to change the password every 3/6/12 months, which is laborious to update on the hardcopy. Second, controlling the access of the hardcopy is difficult to maintain, as anyone who can get the access of the hardcopy can read everything.


Requirement

I was looking for an electronic device with the following requirements:

1. Can store all the usernames/passwords/PINs I got.
2. Should have access control. Only I should be able to access the content of the device and no one else should be even if they get the physical access of the device.
3. Portable enough to be carried in the jeans pocket without restricting my movement.

Devices considered

1. Royal Digital Password Vault (product not listed on the website and only manual is there to download https://www.royalsupplies.com/pda/Ro...ion_Manual.pdf )
   
   
   
2. Password Safe (could not find a website)
   
   
   
3. Password Fast ( www.passwordsfast.com )
   
   
   
4. Dijori ( www.evolinsystems.com )
   

Comparison on the basis of requirement




Why I picked Dijori?

Royal Digital Password Vault and Password Safe were eliminated in the first round itself. They didn’t match with my requirement of portability because of their massive size. Selecting one among the Password Fast and Dijori was difficult because of their comparable size and mutually exclusive specifications. Password Fast has capacity to store 125 entities which is more than the double of Dijori’s. Also, Password Fast has full qwerty keyboard where Dijori has 3 x 4 touch keypad. On the other hand, Dijori got OLED display which is far better than LCD display of the Password Fast. Moreover, Dijori comes with a rechargeable battery.

I selected Dijori over the Password Fast as Dijori’s advantages outshined the Password Fast's advantages. I have 21 account information to store which is less than the half of the capacity of Dijori (50 entities) so, selecting Password Fast with the storage capacity of 125 entities was unnecessary. Though Password Fast has full qwerty keyboard, it is of push button type and won’t be as convenient to operate as the capacitive touch keyboard of Dijori.


Booking and Delivery experience

Dijori is currently available only on eBay.in as indicated on the product page ( http://evolinsystems.com/product-dijori.html ) so I didn’t have any other option. The good part is that I bought it on the offer price of INR 999 from the eBay.in. Delivery was not smooth though, seller sent it through the DTDC. When I tracked the package in the evening on the day it was expected to arrive, I saw the status “Not delivered, Receiver not available” though I was at home full day. Package was delivered the next day in good shape.


Inside the box

Box contains 1 Dijori, 1 USB cable and User manual. USB cable is to charge the device only. Device is not detected by computer when connected.




What I like

1. OLED display, works well in dark as well as under the sun
2. Rechargeable battery and its backup
3. Intuitive flow for all the functionalities it provides
4. Small size factor
5. Can be operated by just one hand

What I don’t like

1. Doesn’t auto lock after sometime if left idle unlocked
2. Doesn’t have live battery status indicator. It just gives warning when battery is low.

Experience so far

I am quite happy with my Dijori and have added all the account details to it. Using the 3x4 keypad reminds me of my Nokia phones 5110 and 3310. The display is Mono OLED and work pretty well under the sun as well as in the low light environments as shown in the picture below.




Dijori comes with rechargeable battery. When I switched on the device for the first time it displayed the warning that battery is low and I should charge it, I forgot to take the photo of the message and plugged in Dijori to my mobile charger. Before the first use I recharged the battery to the full capacity. After that I entered all the 21 entries I had and using the device till today and battery is still going well. It doesn’t have live battery status indicator. It just gives warning when battery is low. When Dijori is charging, a small Red LED light appears at the back panel and disappears when Dijori is fully charged.




I like the way this device works. All the flows are intuitive and I don’t need to remember anything other than the PIN of the device itself. The first operation I did on device was the ‘Change PIN’ to set my own PIN. It verified the Old pin (default PIN is 12345678) and then asked me to enter the new PIN twice. One more thing, as mentioned in the user manual, if we Reset the device using its current PIN, in addition to erasing all the data, it will also set the PIN to the default value (12345678). Below are the few photos of the device functionality.

When device is switched on, it lands on this page. It has the options to do a factory Reset, Change PIN and Login.




Once Login is pressed Dijori ask for the Device PIN. This is the only PIN I need to remember.




If login is successful, it lands to the list view of all saved entities.




Scroll button can be clicked to navigate to the next entity




In the list view, we can just type to search any specific entity. Like here I am trying to search for test entity I created for this review.




Opening the entity for checking the details. Notice the edit and delete buttons.




Deleted the test entity I created.




Small size factor (this photo is taken from the product website)

[whitewing]

Interesting tool, thanks for sharing. But don't you find it cumbersome to use when compared to a s/w based password manager?

I personally use a offline password manager - keepass and find that convenient and 'think' that it is reasonably secure, given that someone has to get access to a offline DB and then spend time trying to crack the master password.

[typlo]

Why not use Lastpass? I've been using it for a year now and is free, for most features (and syncs passwords to my android). Comes with soft perks as well like informing you if some of your data was involved in a site-wide leak and prompts you to change the password. It is secure, requires a one-time internet connection on computer startup to obtain a decryption key from the server and requires fingerprint auth/two-factor auth on android.

I'm wondering how secure your handheld device is, if god forbid, it falls into malicious hands? (Edit: Of course, the PIN maybe brute forced/data stored on the memory extracted without PIN if not encrypted)

[PetaWatt]

Quote:

Originally Posted by whitewing

But don't you find it cumbersome to use when compared to a s/w based password manager?

Actually I find it easier to operate when I need to fetch my ATM PIN standing in front of the ATM. Also, yesterday I called the ACT customer care and they asked me confirm my ID (12 digit number), I was talking on phone with one hand and logged in to my Dijori from another hand to search, view and tell my ACT ID to her.

Quote:

Originally Posted by whitewing

I personally use a offline password manager - keepass and find that convenient and 'think' that it is reasonably secure, given that someone has to get access to a offline DB and then spend time trying to crack the master password.

If the same PC is connected to internet, I am not sure if DB should be called offline. I think cracking the master password on a hardware device with touch input will be more difficult and time consuming than cracking a master password on a PC (automation can be used on multiple different Computer to crack the key). Here is one of the recent incidents which demotivates me from saving passwords either on my PC or on my Smartphone. Anyone Can Hack MacOS High Sierra Just by Typing "Root".

Quote:

Originally Posted by typlo

Why not use Lastpass? I've been using it for a year now and is free, for most features (and syncs passwords to my android). Comes with soft perks as well like informing you if some of your data was involved in a site-wide leak and prompts you to change the password. It is secure, requires a one-time internet connection on computer startup to obtain a decryption key from the server and requires fingerprint auth/two-factor auth on android.

I don't think anything is free. Facebook is a good example to consider, it appears to be free but we are actually selling our information. Things is, we can provide false information to Facebook but we won't store a wrong password on any Password Vault Software/Service.

Twitter and Apple are not able to defend their passwords, how can we trust some XYZ company with all of our passwords?

Quote:

Originally Posted by typlo

I'm wondering how secure your handheld device is, if god forbid, it falls into malicious hands? (Edit: Of course, the PIN maybe brute forced/data stored on the memory extracted without PIN if not encrypted)

At-least guy with malicious hands(and intention obviously) will need the physical access of my Dijori. Applying Brute force manually on a 3x4 keypad to break 12 digit passwords will be definitely time consuming. I think I'll know my device is missing before he could break into it. Data is stored encrypted as specified on the product's website so data cannot be extracted without the PIN. Check the second point under the Disclaimer in the below photo of Dijori's manual.

[typlo]

Quote:

Originally Posted by PetaWatt

I don't think anything is free. Facebook is a good example to consider, it appears to be free but we are actually selling our information. Things is, we can provide false information to Facebook but we won't store a wrong password on any Password Vault Software/Service.

Twitter and Apple are not able to defend their passwords, how can we trust some XYZ company with all of our passwords?

I'm aware of the Twitter and Apple leaks. Some user information (and presumably some password HASHES) were leaked into the wild. This is a brilliant example of either social engineering or penetration vulnerabilities. Note that the passwords weren't leaked directly but the one-way hashes were and the aforementioned companies asked affected users to reset passwords as a preventative measure (with enough computational power, anything can be cracked).

Apple, Twitter and the password managers are completely different companies, technologically and via their business models. To be honest with you, I can't promote the fact that some XYZ company won't sell your information, but Lastpass has had some great reviews and works on a fremium business model (and a lot of corporate houses use them too!). They claim the passwords are encrypted before they leave your machine which corresponds to the way Lastpass functions. I am a premium user and I have found the service to be worth it.

P.S: Facebook never claimed to be a free company. Read the fine print (Terms of Service & Advertising Policy) and you'll probably the first one to sanitize your account. But ain't nobody got time fo' reading the fine print.

P.P.S: Bugs/Glitches in the software do get fixed. Especially if it is a SaaS. Hardware? That's hard to do.

Quote:

Originally Posted by PetaWatt

At-least guy with malicious hands(and intention obviously) will need the physical access of my Dijori. Applying Brute force manually on a 3x4 keypad to break 12 digit passwords will be definitely time consuming. I think I'll know my device is missing before he could break into it. Data is stored encrypted as specified on the product's website so data cannot be extracted without the PIN. Check the second point under the Disclaimer in the below photo of Dijori's manual.

If the person with the malicious intent gets a hold of your Dijori, he will rip off the entire thing and pry open the logic board. He will connect it to another logic board (and/or do the required soldering) which will be connected to a computer and that will try millions of combinations per second. Your 6-digit PIN won't stand well against that.

Finally, using your logic against you. If you don't trust a software company to protect you, so be it. How are you so sure that the device of your XYZ company is even encrypted, or is it even a secure encryption? (Ex - A = z5 should not be the way to do it). You do have the physical access advantage here, but do consider the two-factor auth and user encryption entitled to you by the software companies too! I would go with a known business to store my passwords and make my life more convenient, not the other way around. But sure, paranoia hits hard and makes you wonder if my Dijori has a backdoor built into it too (communicates over the network when connected to the computer, satellite chip built into it, agreement with the NSA?)

Not to bash anyone, just letting the truth out there. The world is built on compromises. Just the way you sacrifice fuel efficiency for performance, you sacrifice privacy for convenience.

Edit: Just saw your attachment. Grammatical and literal mistakes in the user manual = steer clear of the product, at least for me (Xiaomi? *winks*)

[blackwasp]

Quote:

Originally Posted by PetaWatt

Why I picked Dijori?

I selected Dijori over the Password Fast as Dijori’s advantages outshined the Password Fast's advantages. I have 21 account information to store which is less than the half of the capacity of Dijori (50 entities) so, selecting Password Fast with the storage capacity of 125 entities was unnecessary. Though Password Fast has full qwerty keyboard, it is of push button type and won’t be as convenient to operate as the capacitive touch keyboard of Dijori.

Interesting. I am in a similar quandary and currently relying on Apple's Keychain built in password manager. The advantages include, auto fill-in, suggestion for passwords (when signing up at some site) and it syncs across other Apple devices.

However, the Dijori is an interesting device. The small form factor makes it a good to have backup for passwords.

[binand]

Quote:

Originally Posted by PetaWatt

1. Can store all the usernames/passwords/PINs I got.
2. Should have access control. Only I should be able to access the content of the device and no one else should be even if they get the physical access of the device.
3. Portable enough to be carried in the jeans pocket without restricting my movement.

Just wondering, you have not listed the usage of strong encryption as a requirement. Why did you choose not to check for that? After all, it seems to me that if this device is lost/fell into the wrong hands your identify and finances are at the mercy of the possessor.

The reason I ask is, checking out their website I find this gem:

"Custom encryption algorithm makes it impossible to hack into the device without the password."

I am extremely skeptical of anything that claims to use "custom encryption algorithms". It is a big red flag for me. Encryption algorithms need to be well-known, well-understood, well-researched and well-attacked - else they end up being no encryption at all.

Do you know if this company has sent their product to well-known security researchers to do penetration testing?

The key point about ATM security is that it has two-factor authentication. If you store your PIN on this device you are willingly forgoing one of those factors, which doesn't seem to be the right thing to do - unless the benefits are correspondingly high.

[sandeepmdas]

@PetaWatt, what prevents you from changing the passwords of ALL your 21 or so accounts to just two or three? I have umpteen accounts -some trivial (e.g. Pinterest), some very vital (e.g HSBC) - and this is what I did:

- I separated trivial accounts and vital accounts into two lists
- I assigned a single password to ALL of those trivial accounts ( the password is a vehicle number)
- I assigned another password for all social media accounts and yet another password for Google and banks. I am not worried about the HSBC account since logging into that account requires a random number generated by a device that almost looks like Dijori. I chose the passwords from here: https://passwordsgenerator.net/

So, a total of three passwords. Anyone can try this approach, you'll find you can recall the assigned password the moment you go to FB or Gmail or TBHP within a month of use. It's no brainer, you need to remember very little...

BTW, I don't use Windows OS and I don't use phone banking. I have a Macbook but my workhorse laptop is a cheaper Fujitsu loaded with Parrot. I recommend Parrot to everyone in this forum over Windows and Ubuntu: https://parrotsec.org

[TheLizardKing]

Quote:

Originally Posted by sandeepmdas

So, a total of three passwords. Anyone can try this approach, you'll find you can recall the assigned password the moment you go to FB or Gmail or TBHP within a month of use. It's no brainer, you need to remember very little...

You are taking a huge risk here, my friend - the digital equivalent of putting all your eggs in one basket. Only you are using three here. This is definitely not the recommended approach in today's age of increasingly sophisticated cyber-attacks.

[typlo]

Quote:

Originally Posted by blackwasp

The small form factor makes it a good to have backup for passwords.

The password managers do have a backup function, right? Or am I missing something?

Quote:

Originally Posted by binand

"Custom encryption algorithm makes it impossible to hack into the device without the password."

Just visited their website. They sure do not look like a security company to me. This statement made me laugh. A = B, there you go. Custom encryption.

Quote:

Originally Posted by sandeepmdas

So, a total of three passwords. Anyone can try this approach, you'll find you can recall the assigned password the moment you go to FB or Gmail or TBHP within a month of use. It's no brainer, you need to remember very little...

This looks like a very clever approach and I have tried it in the past. I realized it was super dumb to do and I was just making my life harder.

The thing is: only the weakest link has to break. Once a website data gets leaked, the cracker can use that password on other sites as well. While using a password manager, I have to do none of that and remember JUST ONE password (if I forget it, I must have access to my phone or they're gone for good). I keep my SIM card locked by a code as well, for that reason. Do a little research and once you go the password manager way, it is hard to come back.

If that isn't proof enough for you, Apple provides iCloud keychain integrated into their Mac OS and iOS which is essentially a password manager. Don't bother with remembering long and 20 digit passwords, just remember one. Have a look at this article.

[TheLizardKing]

Quote:

Originally Posted by PetaWatt

I was looking for an electronic device with the following requirements:

Absolutely no offense intended, but your post gave me the feeling that I was back in the 20th century. Not only is using a physical device cumbersome and unsafe, the biggest problem is hardware reliability. What if the device falls from your hands or gets wet, and stops functioning? Does it support backups?

Like another user has suggested, please try LastPass. Unlike Apple and Facebook, they are in the business of password management, and their reputation depends on their ability to secure your passwords. I am a premium user for the last two years, and the peace of mind and convenience is completely worth the yearly fee of Rs 1,550.

[narayans80]

Carrying an additional device is a deal breaker straighaway for me. For a short while I used to have 2 cellphones, and I would either forget the secondary one either at home or at work.

Have been using Lastpass for 4 years now, it serves the purpose well. My previous workplace used to impose a 4 week expiration of passwords and I've been following this on other critical accounts since. Others a little infrequently. Mostly pick 12-15 character long passwords with alphabets and numbers, special characters if the password rule mandates.

[sandeepmdas]

Quote:

Originally Posted by TheLizardKing

You are taking a huge risk here, my friend - the digital equivalent of putting all your eggs in one basket. Only you are using three here. This is definitely not the recommended approach in today's age of increasingly sophisticated cyber-attacks.

Quote:

Originally Posted by typlo

This looks like a very clever approach and I have tried it in the past. I realized it was super dumb to do and I was just making my life harder.

The thing is: only the weakest link has to break. ...If that isn't proof enough for you, Apple provides iCloud keychain integrated into their Mac OS and iOS which is essentially a password manager. Don't bother with remembering long and 20 digit passwords, just remember one. Have a look at this article.

Exactly that's why I said I don't use Windows or Android for business browsing. Your password is an asset that a. either you keep or b. have someone to keep it safe for you (aka password manager or device).

The Keychain is a high-profile platform that will definitely attract a lot of hawkers. It is not recommended IMHO. I use my Mac for leisurely browsing only. My weakest link is contained thus, I believe.

16-char passwords are difficult to brute or guess. The built-in Anonsurf capability of Parrot plus two great browsers (FF and TOR) can hide me very well, compared to an average user. Both also use DuckDuckGo instead of Google. Parrot comes with at least two password managers (GoPass and Titan) but I don't use them.

Totally agree with both of you, having two or three passwords in a Win/Android environment is suicidal.

[typlo]

Quote:

Originally Posted by sandeepmdas

16-char passwords are difficult to brute or guess. The built-in Anonsurf capability of Parrot plus two great browsers (FF and TOR) can hide me very well, compared to an average user. Both also use DuckDuckGo instead of Google. Parrot comes with at least two password managers (GoPass and Titan) but I don't use them.

Totally agree with both of you, having two or three passwords in a Win/Android environment is suicidal.

I'm asking you to forego all of the high-profile stuff, like cracking 16-digit passwords.

I'm asking you to consider the possibility of Twitter/Facebook having a breach and your passwords being used on other websites that have the same one.

I've been using Win/Android since I was born and the security leaks aren't OS dependent. Do the best you can to protect yourself (secure passwords, 2FA) and hope for the best.

[de3p]

Let's do a comparison between the device and an app-based Password Manager ( as you mentioned portability as a major factor)

Device - Can store limited passwords using an un-known encryption method.
App - Can store unlimited passwords using widely tested and proven encryption methods which are updated frequently.

Device - Is standalone, not connected to any form of communication protocol.
App - Can be used on a single device or multiple devices which don't need to be connected to the internet at all times.

Device - A single form of security using a numeric passcode.
App - Can have 3 layers of security. First - the phone passcode lock which can be alpha-numeric which is quote difficult to brute force as multiple entries can be blocked, Second - the app master password which can be alpha-numeric too and third as two-factor auth using another device.

Device - If stolen, no way to wipe off data remotely. Miscreants can try to hack it multiple times unless the device is retrieved by the owner.
App - If stolen, data can be wiped off remotely immediately rendering the stolen device useless.

Device - Chances of the device not being charged and shutting-off pertaining to a busy lifestyle.
App - Highly unlikely as the phone is quite frequently used.

Am not listing the extra features provided by the app such as inbuilt password generator, easy login features etc.

Obviously, no form of security is 100% secure but for a normal Joe software-based security is quite sufficient. Do note, that the FBI had to spend well over USD 1m to get an iPhone unlocked for them from a third-party and that too, those vulnerabilities were patched in the following OS updates and that is just the phone OS, the security level of the app is another major roadblock.