My new cyberpunk stateless password manager implant

Premise: I’m into cyberpunk and I’m into cryptography.
Being into cyberpunk eventually led me to hang out with grinders, which in turn ended up with me installing electronics under my skin.
Being into cryptography made it very easy for me to decide that one of those implanted chips needed to be the Vivokey Apex: imagine an NFC-powered, programmable smartcard in your arm that can do everything a YubiKey can, plus some. I needed one of those and, since it has become part of me, I use it every day.
Now that we have a general context, let’s get to the main topic: the other day my wife and I were escaping the hot weather by doing one of those Netflix afternoon marathons and, since we weren’t exactly watching cahiers du cinema material, I ended up multitasking/fiddling with Termux on my phone.
After some random poking, my geeking focused on a still-unused feature of my implant, HMAC. I realized this was the perfect opportunity to implement a stateless password manager, a concept I have always found fun, so 5 minutes later I was coding the thing on a tiny vim screen, using an on-screen keyboard (I know, I ask myself why I do this to myself).
So: what’s a stateless password manager in the first place?
A stateless password manager derives each password on demand, from a secret and the name of the account, instead of storing your passwords in an encrypted vault that has to be decrypted every time, like traditional password managers do.
The idea is that you eliminate some of the annoying parts of password keeping; i.e. you get rid of:
the need to find a safe and always accessible place to store your passwords
the need for backups
the need for a master password to encrypt/decrypt your vault
It's an idea cryptography people have been discussing for quite a while; google it if you want to learn more.
How do you use it?
Super easy: let's say you want to generate a password for your email: you punch youremail@yourprovider.com into the account field, you scan your implant and you get your password.
You want a password for your account at randomwebsite.com? Just type yourusername@randomwebsite.com, or any other string that contains references to your user and the service you're trying to access. You get the idea.
How does it work?
I use ykdroid to interact with the HMAC-SHA1 applet on my Apex implant:
first the applet takes the account string as the challenge and computes HMAC-SHA1 over it with a secret key that is generated inside the implant itself and can never leave the hardware;
then the app renders the resulting 20-byte hash as a string of the desired length, making sure it contains at least 1 lowercase character, 1 uppercase character, 1 digit and 1 symbol.
Two consequences worth keeping in mind: since the output is a pure function of the key and the account string, the same string always gives the same password, so changing the password for a service means changing the string (adding a counter to it, for example); and since the key never leaves the hardware, there is no vault to back up, but also nothing to restore from if the implant is lost or damaged.
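To make the two steps concrete, here is an added Python example of the same scheme; it is not the author's code and not the ykdroid app. The implant's HMAC-SHA1 applet is stood in for by the standard hmac/hashlib modules with a fixed test key (on the real Apex the key is generated in hardware and never exported, so this substitution exists only to run offline); the symbol set, the counter-mode expansion of the 20-byte tag, the bias-free index sampling and the final shuffle are my own design choices, and the account strings are constructed.

```python
import hashlib
import hmac
import string
from typing import Iterator

# Constructed stand-in for the key that lives inside the implant. In the real
# setup it is generated on the Apex and never leaves the hardware; here it is a
# fixed test value so the example runs offline. (Assumption, not from the page.)
IMPLANT_SECRET = bytes.fromhex("0b" * 20)

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_"          # the symbol set is an assumption
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def challenge_response(account: str, secret: bytes = IMPLANT_SECRET) -> bytes:
    """Model of the implant's HMAC-SHA1 challenge-response: the account string
    is the challenge, the in-hardware key is the HMAC key, the 20-byte tag
    comes back over NFC."""
    return hmac.new(secret, account.encode("utf-8"), hashlib.sha1).digest()


def _byte_stream(seed: bytes) -> Iterator[int]:
    """Expand the 20-byte tag into as many bytes as rendering needs
    (counter-mode SHA-256 over the tag), so that long passwords and the
    shuffle below stay fully deterministic for a given tag."""
    counter = 0
    while True:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        yield from block
        counter += 1


def _uniform_index(stream: Iterator[int], n: int) -> int:
    """Index in [0, n) without modulo bias: bytes from the incomplete last
    bucket (limit..255) are rejected instead of being folded back in."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def render_password(tag: bytes, length: int = 16) -> str:
    """Turn the HMAC tag into a password of `length` chars containing at least
    one lowercase letter, one uppercase letter, one digit and one symbol."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    stream = _byte_stream(tag)
    # One char drawn from each class guarantees the policy ...
    chars = [cls[_uniform_index(stream, len(cls))] for cls in CLASSES]
    # ... the remaining positions come from the full alphabet ...
    chars += [ALPHABET[_uniform_index(stream, len(ALPHABET))]
              for _ in range(length - len(CLASSES))]
    # ... and a Fisher-Yates shuffle driven by the same stream stops the
    # "guaranteed" characters from always sitting in the first four slots.
    for i in range(len(chars) - 1, 0, -1):
        j = _uniform_index(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """Check the four-class requirement the app enforces."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def password_for(account: str, length: int = 16) -> str:
    """End to end: 'scan' (challenge-response) and then render."""
    return render_password(challenge_response(account), length)


if __name__ == "__main__":
    for acct in ("youremail@yourprovider.com", "yourusername@randomwebsite.com"):
        print(f"{acct:32s} -> {password_for(acct)}")
```

Two details are easy to get wrong when rendering a hash into a password: reducing each byte with a plain `% n` skews the distribution towards the low end of every character set, which the rejection loop in `_uniform_index` avoids, and filling the first four positions from the four classes without shuffling tells an attacker the structure of every password you generate. Because the whole thing is deterministic, the same account string always yields the same password, which is exactly the property a stateless manager relies on.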
So where’s the code?
It’s here.
It’s WIP and the UI part is crap: remember I did it in vim on a 6” touchscreen while watching TV. But if you’re a fellow cyborg and wanna give it a spin, be my guest.
Written by Enrico Viola