More than 16 Passwords/login possible


#1

I think I’ve read that NK Storage or NK Pro have a limit of 16 passwords that they can store for standard Web Login. Is that limit set in the firmware (change possible) or a hardware limitation (no change possible)?
I have a lot more “normal” logins, where I have no other supported login possibilities.


#2

Sorry for the late reply. This is a hardware limitation, unfortunately.


#3

Thanks for the clarification! May I ask for a deeper drill down? Is it the PGP card or the microcontroller? Where are these 16 keys stored?


#4

Sure! Here is how it is implemented currently.
The PWS is stored on a limited internal flash memory, encrypted with a key originating from a PGP card. There is a page (1kB) of memory destined for it.
Relevant code from firmware: HighLevelFunctions/password_safe.h:83

{
u8 SlotActiv_u8;                // Shows the state of the slot 1 byte // 1
u8 SlotName_au8[PWS_SLOTNAME_LENGTH];   // Contains the name of the slot 11 byte // 12
u8 SlotPassword_au8[PWS_PASSWORD_LENGTH];   // Contains the password of the slot 20 byte // 32
u8 SlotLoginName_au8[PWS_LOGINNAME_LENGTH]; // Contains the loginname of the slot 32 byte // 64
} 

16 slots * 64 bytes = 1024.


#5

Ah, thanks. Interesting! So you use slots with a fixed length. My last name is a double name. Together with an email domain I could easily run into the trouble that PWS_LOGINNAME_LENGTH is not enough. Also, some passwords might be shorter than 20 bytes.

Maybe I will try the following:
{
u8 SlotStatusAndNextSlot_u8; // AND 0b11000000 ==> Status, AND 0b00111111 ==> start of next slot
u8 SlotNameLength_u8; // No of bytes used after this byte for slot name
u8 SlotNameStartPtr_u8; // Placeholder : Pointer to the first byte of the slot name
u8 SlotPasswordLength_u8; // No of bytes used for password length
u8 SlotPasswordStartPtr_u8; //Placeholder : Pointer to the first byte of the password of that slot
u8 SlotLoginNameLength_u8; // No of bytes used for User/Login Name
u8 SlotLoginNameStartPtr_u8; // Placeholder : Pointer to the first
}

Of course this is not the complete structure, but maybe it gives you an idea of how I would structure the slots to squeeze the maximum out of the mem space - maybe the read & write routines are a bit more complex. The 1st byte would not even need the start of the next slot coded, as this would again limit the slot spaces down from 256 to 64 like your slots today (but with a more flexible internal structure within the 64 bytes).

With 28 chars for slot name, password and login name + overhead of 4 bytes you would get 32 slots. I am sure there are different password requirements (e.g. for a forum vs a bank account) that would benefit from such flexible slot handling.
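The layout trade-off from posts #4 and #5, as an added example that is not part of the thread or of the Nitrokey firmware: length-prefixed records packed into one 1 kB page, with a reader that checks every length byte against the page bounds. The 4-byte header (status plus three length bytes) and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define PWS_PAGE_SIZE 1024u /* the 1 kB flash page mentioned in the thread */
#define REC_HEADER    4u    /* assumed: status, name len, password len, login len */

/* Append one record at offset off. Returns the new write offset, or 0 if a
 * field is longer than 255 bytes or the record does not fit in the page. */
size_t pws_append(uint8_t *page, size_t off, const char *name,
                  const char *pw, const char *login)
{
    size_t n = strlen(name), p = strlen(pw), l = strlen(login);
    if (n > 255 || p > 255 || l > 255 || off > PWS_PAGE_SIZE) return 0;
    if (REC_HEADER + n + p + l > PWS_PAGE_SIZE - off) return 0;
    page[off] = 1; /* status: slot in use */
    page[off + 1] = (uint8_t)n; page[off + 2] = (uint8_t)p; page[off + 3] = (uint8_t)l;
    memcpy(page + off + 4, name, n);
    memcpy(page + off + 4 + n, pw, p);
    memcpy(page + off + 4 + n + p, login, l);
    return off + REC_HEADER + n + p + l;
}

/* Walk the records in page[0..used). A corrupted length byte is rejected
 * instead of steering the reader past the used area. Returns count or -1. */
int pws_count(const uint8_t *page, size_t used)
{
    size_t off = 0;
    int count = 0;
    if (used > PWS_PAGE_SIZE) return -1;
    while (off < used) {
        if (used - off < REC_HEADER) return -1;
        size_t body = (size_t)page[off + 1] + page[off + 2] + page[off + 3];
        if (body > used - off - REC_HEADER) return -1;
        off += REC_HEADER + body;
        count++;
    }
    return count;
}

/* Fill an empty page with constructed records of the given field lengths
 * and return how many fit. */
int pws_fill(size_t n, size_t p, size_t l)
{
    uint8_t page[PWS_PAGE_SIZE];
    char a[256] = {0}, b[256] = {0}, c[256] = {0};
    size_t off = 0, next;
    if (n > 255 || p > 255 || l > 255) return -1;
    memset(a, 'n', n); memset(b, 'p', p); memset(c, 'l', l);
    while ((next = pws_append(page, off, a, b, c)) != 0) off = next;
    return pws_count(page, off);
}
```

With 28 data bytes per record, `pws_fill(8, 12, 8)` returns 32, matching the estimate in post #5; records filled to the current maximum field sizes (11 + 20 + 32) return 15, one fewer than the fixed layout, because of the 4-byte header.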


#6

Indeed, making this a dynamic structure would increase the slot count. Could you register that on GitHub?


#7

Done!

(Hey, why does the post need to be at least 20 chars long??? - I would understand this as a limit for a new thread, but for an answer posting …)


#8

Thank you!
Probably a protection against multiple "Thank you!" spam :slight_smile: (that is, posts which are not adding any value to the discussion). Looks like a standard rule nowadays.


#9

I know I come very late on this question, but I just ordered my first Nitrokey two days ago*.
My question is: if one gets a Nitrokey Storage model, I presume that for those ordinary log/pass on classical websites (like this very support site, for instance), one could put a KeePass database onto the key's storage volume, which would allow for a zillion ordinary passwords, and be quite safe as one will have it encrypted (and additionally also locked by the key OTP, for instance, if need be)?

Hervé
(*) and I see the German post office didn’t even wake up yet :wink:


#10

Yes, one workaround could be to use a separate database on an NK Storage. But when I started the discussion, I also wanted to know if it is not possible to increase the number of passwords also on the NKPro by using a different software rule. It clearly looked, and was confirmed, that the limit of 16 is done as hard-coded “drawers”. So you could increase the number by using flexible sizing also on the NKPro.
While I like the storage in principle, I am still not sure if the firmware is stable enough to already put files on the SD card. Especially when you use macOS as the host system :smiley: