Gadgets

Gilmo wants to solve the password problem with a dedicated device

Passwords. If there’s one aspect of our modern techno-centric world that is guaranteed to send people into fits of exasperation, it’s passwords.

They are evil — a necessary evil, but evil nonetheless. That’s because the better (read: stronger) a password is, the harder it is to remember. Each one must be unique — you are using a unique password for every website, aren’t you?

Maybe there’s a better way. That’s the hope of Australian hardware startup GDMDS Pty, which has launched a new Kickstarter project for a device called the Gilmo. It’s a small, touchscreen gadget that lets you input the username and password credentials for up to 200 websites or apps and secures them with AES encryption under a single master password. The entry-level price for a backer to get a Gilmo is $200 AUD.

VentureBeat spoke to GDMDS General Manager Graham MacKellar to learn more about why he thinks people need a Gilmo.

“It was borne out of a frustration I’ve had in finding a secure way to hold and yet still have available all of the usernames and passwords that I need,” MacKellar says. “I have a little paranoia about putting this type of data on a connected device […] so the Gilmo was designed to provide people a low-cost and very convenient way to carry those details with them but in a form that couldn’t be remotely accessed.”

If you’re laughing and shaking your head right now at the whole idea of the Gilmo, I share your scorn. But MacKellar might have the last laugh.

According to a 2013 study, nearly 55 percent of us use the same password for all our online accounts. Which is why some security experts have taken the surprising position that it is now better and more secure to write your passwords down on paper (something we were all told not to do, right?) than to use the same password everywhere. Their simple rationale: You can’t hack paper.

According to MacKellar, you can’t hack the Gilmo either. Or at least, it would be no easy feat.

Why? The Gilmo can’t be remotely accessed because it contains no radios at all. No WiFi, no Bluetooth. It does have a micro-USB port, but this is only used for two purposes: Recharging the Gilmo, which gives about a week’s use, and connecting it to the included “Backup Buddy.”

[Image: Gilmo and Backup Buddy]

The Backup Buddy is a holster-shaped slide-on accessory that takes a complete copy of the contents of your Gilmo and stores it with the same level of encryption. The only way to retrieve data from the Backup Buddy is to connect a new Gilmo (in the event yours is lost, stolen, or damaged) and enter the same master credentials from your original Gilmo.

So the only way for data to get in or out of the Gilmo is via its tiny, 3.5” resistive touch screen, which the company suggests you operate with a stylus due to its small size.

Even enterprising hackers who may have stolen your Gilmo will have a tough go of getting to your data. Assuming they had the computing power to crack the AES encryption, simply getting to the data would prove tricky. The micro-USB port does not follow a standard wiring scheme, at least as far as data connectivity is concerned, and MacKellar says the Gilmo will not be recognized as an attached device by any computer.

MacKellar is doing his utmost to ensure that the Gilmo meets the highest level of security. In a follow-up email, he told VentureBeat, “I won’t release the Gilmo to production until it has passed independent security testing, and we would be aiming to get FIPS 140 L3 certification. Once acquired, these standards will be published on our website.”

When asked exactly whom the Gilmo is targeted at, MacKellar is broadly optimistic about its appeal. “We’ve identified that almost everybody in society is a person who could use this product,” he declares. “From elderly people who struggle to remember most of these things,” all the way up to Australia’s prime minister (MacKellar is working on an even more secure version of the Gilmo for government and military users).

One thing that has already struck the project’s commenters as odd is the Gilmo’s 200-credential limit. Although each record contains four fields (Title, Username, Password, and Description) and each field can contain 140 characters, it seems an arbitrary and small number. Perhaps, but there is method to MacKellar’s supposed madness.

“We wanted to make sure the device was very quick to respond. We found that when we used memory external to the processor, the unit became slower to respond to searches and retrieving information. So we have the operating system that we’ve developed and all of the records stored in the processor. It means we have to squeeze everything into a smaller amount of memory. We found most people have between 10 and 100 passwords.”
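The article describes the Gilmo’s storage model only at the level of “AES encryption with a single master password”, up to 200 records of four 140-character fields, with the backup readable only under the same master credentials. The Go program below is an added example, not GDMDS’s firmware or any code from the article. It shows what that model looks like when written down: the master password is stretched with PBKDF2-HMAC-SHA256 (implemented inline so only the standard library is needed), the record set is sealed with AES-256-GCM, and a wrong master password or a modified byte is rejected by the authentication tag instead of decrypting to garbage. The iteration count, salt size, byte layout and the sample records are this example’s own assumptions; the company has published none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Record carries the four fields the article says each Gilmo entry holds.
type Record struct {
	Title, Username, Password, Description string
}

const (
	maxRecords  = 200     // capacity quoted in the article
	maxFieldLen = 140     // per-field limit quoted in the article
	kdfIters    = 200_000 // assumption: this example's PBKDF2 work factor
	saltLen     = 16      // assumption: random salt stored in front of the vault
	nonceLen    = 12      // standard GCM nonce size
	keyLen      = 32      // AES-256
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the block
// needs no third-party package: T_i = U_1 xor U_2 xor ... xor U_iters.
func pbkdf2SHA256(password, salt []byte, iters, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // running xor
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_{i+1} = PRF(P, U_i)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// validate enforces the article's stated limits before anything is encrypted.
func validate(records []Record) error {
	if len(records) > maxRecords {
		return fmt.Errorf("too many records: %d > %d", len(records), maxRecords)
	}
	for i, r := range records {
		for _, f := range []string{r.Title, r.Username, r.Password, r.Description} {
			if len([]rune(f)) > maxFieldLen {
				return fmt.Errorf("record %d: field longer than %d characters", i, maxFieldLen)
			}
		}
	}
	return nil
}

// gcmFor stretches the master password with the vault's salt into an AES-256 key.
func gcmFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault serialises the records and encrypts them. Layout: salt || nonce || ciphertext+tag.
func SealVault(master string, records []Record) ([]byte, error) {
	if err := validate(records); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per seal
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(master, header[:saltLen])
	if err != nil {
		return nil, err
	}
	nonce := append([]byte(nil), header[saltLen:]...)
	return gcm.Seal(header, nonce, plain, nil), nil
}

// OpenVault reverses SealVault. A wrong master password derives a different key,
// and any modified byte breaks the GCM tag; both surface as an error.
func OpenVault(master string, vault []byte) ([]Record, error) {
	if len(vault) < saltLen+nonceLen {
		return nil, errors.New("vault too short")
	}
	gcm, err := gcmFor(master, vault[:saltLen])
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, vault[saltLen:saltLen+nonceLen], vault[saltLen+nonceLen:], nil)
	if err != nil {
		return nil, errors.New("wrong master password or vault tampered with")
	}
	var records []Record
	if err := json.Unmarshal(plain, &records); err != nil {
		return nil, err
	}
	return records, nil
}
```

The point this makes concrete is the one commenter Hitoshi Anatomi raises further down: everything rests on the master password. The key derivation only raises the price of each guess, so the work factor and the passphrase’s entropy, not the 256-bit AES key, set the realistic bound for an attacker who has the device or its Backup Buddy in hand.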

So the Gilmo sounds as though it will do exactly what it promises. It will be a nearly unhackable device that will store up to 200 records for your website credentials in a secure form. But several questions remain.

Will people really be willing to keep a second device with them at all times just so they can have some extra peace of mind? MacKellar believes that when they eventually come to the realization that this data is worth securing, they’ll be willing to make the trade-off.

Why do they need to buy a $200 AUD Gilmo when an old BlackBerry Curve, which can be found on eBay or Craigslist for under $100, could be used with its radios turned off and offer just as much security with greater record-keeping capacity? “That would be a better solution than the way many people do hold passwords,” MacKellar agrees. “But the Gilmo is specifically designed to do the job and is smaller and more convenient and easier to carry around compared to what is essentially another phone.”

So far, whether it’s because crowdfunders don’t see the value in the Gilmo or because they simply haven’t been made aware of it, support for the product has been poor. The project, which launched August 13, has only 15 backers and $2,477 of its $200,000 goal, with 38 days to go.

That doesn’t bode well for the Gilmo, but then again, maybe the crowdfunding community — with its penchant for bleeding-edge tech — isn’t the right audience for the Gilmo.

It may not matter. MacKellar has much bigger plans for the Gilmo.

“We think the mainstream for the products we sell will be the general public. Our long-term intention is that this device will be available everywhere. You’ll be able to find it at Walmart, technology-type chains. … You’ll be able to buy it at a petrol station.”

Hmm. Fill-er up, and why don’t you throw in one of them Gilmos, would ya?

Stranger things have happened.

8 comments
David Siorpaes

Which problems are you referring to? Couldn't find any so far.

Brian Gaudenti

KeePass and the like are hardly perfect. There are several problems with password apps. This is a problem that needs solving.

Hitoshi Anatomi

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important.

Incidentally, the concept of authentication by possession of something leads me to imagine an ATM that will dispense all my money to whoever holds my bank card.

Erik Godin

KeePass + smartphone + Google Authenticator, FTW

David Siorpaes

Meh.. KeePass is perfect (and free). Why should I buy this thingie?

Marcin Masti Mastalerz

This must be invented by a 70-year-old guy not coming out for 20 years :D Nowadays, when we are authorized or will soon be authorized by fingerprint, voice, face, the WILL itself - he comes to save us with that PeepBoy 2000... :D

Adam Sculthorpe

The reality is most people don't care that much and at $200 it's going nowhere. Google Authenticator is good enough.