The Cipherpod is not a password retention / password management device, nor does it perform public key / FIDO2 authentication. Its job is strictly to generate strong passwords from minimal credentials that are easy for a human to provide.
Frequently Asked Questions
But passwords suck! Why would we need something else to create more passwords when we’re trying to get away from passwords?
Passwords are 1 of 5 factors of authentication (what you know, what you have, who you are, when you are, where you are). The truth is we will never be free of passwords in our lifetimes, so this product makes passwords easier for people and harder for attackers.
Does this replace multifactor authentication?
No – multifactor remains a critical element of security. After entering your password, you should be prompted on your phone or other device for confirmation (see above, what you have is part of multifactor authentication, which we still need).
So you’re saying I need to carry a device to create a password and then another device for multifactor which I already have, so this is just another device to carry around?
The short answer is yes, but you either carry an enormous password in your brain (and fat-finger it sometimes) or you carry a device to type it in for you. This device is a little bigger than a pad of Post-It Notes and is arguably more capable – it makes dealing with passwords easier while making your password much, much stronger.
What about my password manager? It generates passwords too.
It’s hard to find a good password for your password manager. Besides, you have to be logged in to use it – password managers require an operating system. Full drive encryption is pre-boot, and logging in to your computer post-boot requires that you look up your password and then type it in, which for complex passwords can be really frustrating. Password managers are good for websites, not for accessing your master password list. Besides, if your master password is your dog’s name + anniversary date, or the password manager product is compromised (which happens all the time), you’re in trouble.
So what’s with the multifactor to generate a password?
This device uses something easy to remember (a PIN) and something you have (an RFID tag). Typing in a 4-6 digit number and swiping an RFID tag is way easier than remembering a 12-14 character complex password, especially if you have to change it regularly, and it’s infinitely easier than typing a 43 character complex password for drive encryption.
This seems like overkill, my password is “MyPass123!” and it works just fine.
It works just fine now, but people only have to have their bank records or identity stolen once to never make that mistake again, so you’re essentially gambling. People need strong passwords, and once they have a strong password they still need to be able to change it easily. Something that creates and types out strong passwords for you, yet is easy for people to deal with – that’s what this product does.
Speaking of overkill, who needs a 23 or even 43 character password?
Individuals don’t have the same infrastructure as corporations, who use Single Sign On which is a great deal tougher than what we use at home, raising their security by orders of magnitude over the homes of the people who work for them. This device provides powerful security for those without corporate infrastructure and yet is just as easy to use. Full drive encryption and setting a password to use at the office are now as strong and easy for the individual as they are for the corporation.
Google, Facebook, Microsoft and others offer Single Sign On, why does anybody need an overpowered password generator?
When corporations offer Single Sign On for something like Facebook or GMail, they are in control of your credentials, and when Google for example gets their SSO infrastructure compromised (which has happened), all users lose control of their data. SSO for Big Business is not the same as SSO for Facebook when you’re at home. Still, you have to enter a password for their solution anyway! It may as well be easy to change, trivial to remember and tough as nails.
This small device can’t possibly have a True Random Generator on board, it’s not really secure.
The Cipherpod is deterministic, generating the same password as long as you enter the same PIN and provide the same RFID key. As such it uses no public/private keys and has no on-board encryption, TPM or other key vault… that’s not what this device is for, so it doesn’t need a PRNG, and the password it generates is based on a 512 bit hash. It doesn’t generate its own entropy: it has an on-board key generated by a machine with a solid PRNG. Combined with your Cipherpod RFID fob, this device is undeniably the most powerful password generator tool available.
There’s a problem with devices that send passwords, such as Yubikey and others – they’re too fast. When using RDP or services over a VPN, you get characters dropped. Is this device too fast?
Fast but not too fast: it is tested and guaranteed to work over VPN, Remote Desktop / RDP and other remote applications where latency is present.
Is the Cipherpod compatible with my Yubikey?
Yes, but not in the way it’s traditionally used. Every Yubikey has its own RFID serial number, and this is what the Cipherpod keys on. You can use your Yubikey for every advertised purpose and with Cipherpod out of the box.
Because it keys on the serial number, a random hotel room key is weaker than a Yubikey, but the Cipherpod-provided RFID keys are stronger (NSA-grade) because only the Yubikey serial number is used whereas our RFID keys are encoded with an additional 256+ bits of entropy.
In the end however, the resulting password is absolutely, incredibly secure.
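The deterministic scheme the FAQ describes (PIN + RFID tag identifier + a factory-generated on-board key, hashed with a 512-bit function into a fixed-length password, and the Yubikey answer's point that the tag's serial number is what the device keys on) can be illustrated in code. This is an added example, not the Cipherpod's own algorithm, which the page does not publish; the alphabet, the HMAC-SHA512 construction, and the sample device key and fob UID are assumptions constructed here.

```python
import hashlib
import hmac
import string

# Output alphabet for the generated password (chosen for this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
# Largest byte value accepted by rejection sampling, so every character is equally likely.
LIMIT = 256 - (256 % len(ALPHABET))

# Constructed sample values: a per-device secret (stands in for the on-board key the
# FAQ says is generated at the factory) and the identifier read from an RFID fob.
DEMO_DEVICE_KEY = bytes.fromhex("9f3c7a1e5b8d2f604c1a8e7d3b5f9a2e" * 2)
DEMO_FOB_UID = bytes.fromhex("04a1b2c3d4e580")


def derive_password(pin: str, tag_uid: bytes, device_key: bytes, length: int = 43) -> str:
    """Deterministically derive a password from a PIN, an RFID tag identifier and a
    per-device secret: the same three inputs always yield the same password.
    Illustrative construction only (assumption), not the Cipherpod's published design."""
    if not (4 <= len(pin) <= 6 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 6 digits")
    # Length-prefix each field so different (pin, uid) pairs cannot serialize identically.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (pin.encode(), tag_uid))
    chars = []
    counter = 0
    while len(chars) < length:
        # HMAC-SHA512 produces one 512-bit block per counter value. Keying it with the
        # device secret means a leaked password plus a known fob UID does not let
        # anyone confirm guesses at the short PIN offline without that secret.
        block = hmac.new(device_key, msg + counter.to_bytes(4, "big"), hashlib.sha512).digest()
        for b in block:
            if b < LIMIT and len(chars) < length:
                chars.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(chars)


if __name__ == "__main__":
    # Same PIN and fob -> same 43-character password; a different PIN -> a different one.
    pw = derive_password("2468", DEMO_FOB_UID, DEMO_DEVICE_KEY)
    print(len(pw), pw)
    print(pw == derive_password("2468", DEMO_FOB_UID, DEMO_DEVICE_KEY))
    print(pw != derive_password("2469", DEMO_FOB_UID, DEMO_DEVICE_KEY))
```

Note that determinism cuts both ways: anyone holding the physical device and the fob can walk the 4 to 6 digit PIN space, which is why the PIN is a convenience factor and the device plus fob remain the things to protect.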
