Eric Evenchick – Hackaday

The Postmortem Password Problem
https://hackaday.com/2021/09/01/the-postmortem-password-problem/
Wed, 01 Sep 2021 14:00:00 +0000

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

A Bad Solution

Let’s start with the simplest solution: using the same password everywhere. Great, all you need to do is put this on a Post-it note, stuff it in an envelope, and let someone know where to find it. Unfortunately, using a single password for many services is a terrible idea. Password breaches happen, and if you’re using a single password across the internet, they can be disastrous.

Password breaches are usually the result of an attacker finding a vulnerability that allows reading password data from an application’s database. Odds are high that your information has been leaked in one of these breaches. You can check if your email is on a list of known breaches with Have I Been Pwned. Don’t feel bad if you’ve been pwned: my email shows up in six different breaches, and this service only indexes publicly known breaches!

Depending on the competency of the company that was breached, your password may have been stolen in a few different formats. In the worst case, the passwords were stored as-is (i.e., cleartext), and the breach contains your actual password. Nowadays, storing passwords in cleartext is never considered acceptable. A hash of the password is stored instead. Attackers need to use a tool like hashcat to try to recover the passwords via brute force hash cracking. This is slow for complex passwords, but is always getting faster as GPUs improve.

So we really need to use different passwords everywhere, or our Tumblr account from 2013 could give access to our bank account. Given the large number of services we use and our inability to remember passwords, we’re going to need to use a password manager.

You Want a Password Manager

A password manager is any tool that lets you securely store a large number of passwords. These will let you randomly generate a long, secure passphrase that you’d never want to remember. This lets you use unique passwords for each service, and passwords that are sufficiently complex that they would be tough to crack.

We will also need to think about emergency access to these tools. How will someone be granted access to your password manager, and how can we protect that process? The goal is to create a backdoor to all your accounts, then ensure it is reasonably well protected.

There are a lot of password managers out there, and this isn’t intended to be a comparison of them. In fact, security experts disagree about what tools are best. To generalize, these tools fall into two categories: hosted and self-managed.

Hosted Password Managers

The interface Dashlane uses for storing and accessing your passwords

These are Software-as-a-Service (SaaS) tools that handle storing your passwords and provide access across devices. Most will have desktop, mobile, and web extension clients. Firefox and Chrome both have built in password managers that also fall into this camp. Other popular products include LastPass, 1Password, and Dashlane.

These tools tend to be the easiest to use, since all the data is managed for you. Downsides include subscription fees and the need to trust a third-party with your password data. While most management services are designed so that only you can decrypt the password database, you still need to trust the software they provide. In general, browser extensions for these services are considered less secure. For more on this, see Tavis Ormandy’s article on password managers.

When it comes to emergency access, many of these tools provide features to help. LastPass and Dashlane both allow for “emergency contacts” who can request access to your account. If you don’t decline access within a time period, access is granted. 1Password uses a low-tech solution, providing a printable Emergency Kit document which contains everything needed to access your account.

Self-Managed Password Managers

KeePassX interface

The other password management option is to manage your own data using local software. KeePass (and KeePassXC) and pass are two popular open-source options. With these tools, it’s up to you to keep your password database safe and synced between devices. It’s also up to you to figure out emergency access.

If you’re going to use these tools, it’s probably worth thinking about the person who will be getting access in an emergency. Will they be able to identify what software is required, install it, get access to the database file, and decrypt it? While the pass tool provides some interesting options via gpg, such as using a hardware token for decryption, this additional complexity may make emergency access harder.

If using a self-managed solution, you’ll want to build your own version of an Emergency Kit for access. This should include everything needed to view the password data and instructions on accessing the encrypted password database.

Trust and Storage

It goes without saying that you’ll need to trust whomever you’re providing with emergency access. Some hosted services provide features to minimize this trust by requiring a timeout before access is granted. For services that allow an emergency contact, this means trusting your designated contacts. For solutions that require storage of an Emergency Kit, this means ensuring only trusted parties have physical access.

Hosted services like LastPass include notification emails for logins and when settings are changed.

Another concern is knowing that emergency access has been used. If an attacker gains access to your password manager without your knowledge, they can potentially maintain access indefinitely. Hosted services will provide notifications about new logins from unknown devices. For self-managed services, this is up to you. Tamper-evident envelopes and boxes are an option, but these are never perfect.
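The emergency-contact flow described under Hosted Password Managers (request, waiting period, decline or grant), combined with the audit trail this section asks for, as an added example that is not code from LastPass, Dashlane or this article; the 48-hour waiting period and the names are assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed 48-hour waiting period; real services let the owner choose the delay.
WAITING_PERIOD = timedelta(hours=48)
# Constructed reference time used by the demo and the tests.
T0 = datetime(2021, 9, 1, 14, 0, tzinfo=timezone.utc)

def hours(n):
    return timedelta(hours=n)

@dataclass
class EmergencyAccess:
    owner: str
    contacts: set                                # designated emergency contacts
    pending: dict = field(default_factory=dict)  # contact -> deadline to decline
    granted: set = field(default_factory=set)
    audit: list = field(default_factory=list)    # (time, event, contact)

    def _log(self, now, event, contact):
        # Every step is recorded so the owner can later see the backdoor was used.
        self.audit.append((now, event, contact))

    def request(self, contact, now):
        """A contact asks for access; the owner is notified and the clock starts."""
        if contact not in self.contacts:
            self._log(now, "denied-not-contact", contact)
            return False
        self.pending[contact] = now + WAITING_PERIOD
        self._log(now, "requested", contact)  # owner notification would go here
        return True

    def decline(self, contact, now):
        """Owner rejects a pending request before the deadline."""
        if self.pending.pop(contact, None) is None:
            return False
        self._log(now, "declined", contact)
        return True

    def check(self, contact, now):
        """True once the waiting period elapsed without a decline, or if already granted."""
        deadline = self.pending.get(contact)
        if deadline is None:
            return contact in self.granted
        if now < deadline:
            return False
        del self.pending[contact]
        self.granted.add(contact)
        self._log(now, "granted", contact)
        return True

def demo():
    """Walk the flow for owner 'alice' with one trusted contact 'bob' (constructed names)."""
    ea = EmergencyAccess("alice", {"bob"})
    ea.request("mallory", T0)         # not a designated contact: refused and logged
    ea.request("bob", T0)             # bob asks; alice is notified
    ea.check("bob", T0 + hours(47))   # too early: still pending
    ea.check("bob", T0 + hours(48))   # alice never declined: access granted
    return [event for _, event, _ in ea.audit]
```

The audit list is the self-managed equivalent of the login notification emails above: without it, a grant that the owner never noticed leaves no trace.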

Don’t Forget 2FA

You have two-factor authentication (2FA) enabled on your accounts, right? If not, go turn it on, we’ll wait here. If so, have you ever lost access to your authentication codes?

Some services will allow resetting 2FA via email. This isn’t great from a security perspective, but means that losing your 2FA codes is a minor inconvenience. Other services make this process much more difficult. For example, losing all access to 2FA for Google requires going through a manual support process that can take days. It’s worth thinking about how someone would get access to your 2FA backup codes, at least for critical accounts.

No Perfect Solution

Providing emergency access will always make your password management less secure, and that’s okay. In this case, we’re compromising security for a specific, important reason. There’s no perfect solution here, but the goal is to balance security and usability. This delicate balance is unfortunately unavoidable when designing secure systems.

Inside the Secret World of Crimping
https://hackaday.com/2019/02/28/inside-the-secret-world-of-crimping/
Thu, 28 Feb 2019 09:00:00 +0000

At some point in your electrical pursuits, you’ll need to make a connector. Maybe you’re designing something that will connect to another device, or maybe the spaghetti mess of wires coming out of your Raspberry Pi has become a pain to deal with. Whatever the reason, a proper connector can solve a lot of headaches in electronics projects.

Your first thought might be to run to your favorite component distributor and order the connectors, terminals, and crimping tool. Unfortunately, those tools can cost thousands of dollars. Maybe you’ll just solder the connectors instead? Don’t! It makes for easily damaged connections.

Fortunately, [Matt Millman] has a great guide on wire-to-board connectors. This guide will explain why you should never solder crimp terminals and then get into working with some of the most common wire-to-board connector families.

For example, the Mini-PV series (which often get called “Dupont”) are one of the most ubiquitous connectors in hobbyist electronics. They’re the connector on those rainbow colored jumper wire sets, and connect perfectly to 0.1″ pin headers. The connectors and terminals are cheap, but the official HT-0095 crimp tool costs over $1500. Most crimp tools make a mess of these terminals since they require a cylindrical jaw to crimp correctly. By using a combination of two unofficial tools, you can crimp these connectors properly for under $60.

If you want to learn more about the art of wiring, the NASA Workmanship Standards are an interesting read.

[Thanks to MarkMLl for the tip!]

Inefficient NeoPixel Control Solved with Hardware Hackery
https://hackaday.com/2019/02/18/inefficient-neopixel-control-solved-with-hardware-hackery/
Tue, 19 Feb 2019 00:01:23 +0000

Everyone loves NeoPixels. Individually addressable RGB LEDs at a low price. Just attach an Arduino, load the demo code, and enjoy your blinking lights.

But it turns out that demo code isn’t very efficient. [Ben Heck] practically did a spit take when he discovered that the ESP32 sample code for NeoPixels used a uint32 to store each bit of data. This meant 96 bytes of RAM were required for each LED. With 4k of RAM, you can control 42 LEDs. That’s the same amount of RAM that the Apollo Guidance Computer needed to get to the moon!

His adventure is based on the thought that you should be able to generate these signals with hardware SPI. First, he takes a look at Adafruit’s DMA-Driven NeoPixel example. While this is far more efficient than the ESP32 demo code, it still requires 3 SPI bits per bit of NeoPixel data. [Ben] eventually provides us with an efficient solution for SPI control using a couple of 7400 series chips:

Schematic of SPI to NeoPixel circuit using 74HC123

[Ben]’s solution uses some external hardware to reduce software requirements. The 74HC123 dual multi-vibrator is used to generate the two pulse lengths needed for the NeoPixels. The timing for each multi-vibrator is set by an external resistor and capacitor, which are chosen to meet the NeoPixel timing specifications.

The 74HC123s are clocked by the SPI clock signal, and the SPI data is fed into an AND gate with the long pulse. (In NeoPixel terms, a long pulse is a logical 1.) When the SPI data is 1, the long pulse is passed through to the NeoPixels. Otherwise, only the short pulse is passed through.

This solution only requires a 74HC123, an AND gate, and an OR gate. The total cost is well under a dollar. Anyone looking to drive NeoPixels with a resource-constrained microcontroller might want to give this design a try. It also serves as a reminder that some problems are better solved in hardware instead of software.

[Thanks to Baldpower for the tip!]

WiFi Controlled Finger Dims Lights over UDP
https://hackaday.com/2019/01/26/wifi-controlled-finger-dims-lights-over-udp/
Sun, 27 Jan 2019 03:00:49 +0000

WiFi Controlled Finger

While WiFi controlled lights are readily available, replacing your lighting fixtures or switches isn’t always an option. [Thomas] ran into this issue with his office lights. For the developers in the office, these lights always seemed to run a little too bright. The solution? A 3D printed, WiFi controlled finger to poke the dimmer switch.

This little hack consists of a servo, a 3D printed arm and finger assembly, and a Wemos D1 Mini development board. The Wemos is a low cost, Arduino compatible development board based on the ESP8266. We’ve seen it used for a wide variety of hacks here on Hackaday.

For this device, the Wemos is used to listen for UDP packets on the company’s WiFi network. When it receives a packet, it tells the servo to push the dimming button for a specified amount of time. [Thomas] wrote a Slack bot to automatically send these packets. Now, when the lights are too bright, a simple message to the bot allows anyone to dim the lights without ever leaving the comfort of their desk. Sure, it’s not the most secure or reliable method of controlling lights, but if something goes wrong, the user can always get up and flip the switch the old fashioned way.

PostmarketOS Turns 600 Days Old
https://hackaday.com/2019/01/17/postmarketos-turns-600-days-old/
Thu, 17 Jan 2019 09:00:00 +0000

A Nexus 5 Smartphone Running PostmarketOS

PostmarketOS began work on a real Linux distribution for Android phones just over 600 days ago. They recently blogged about the state of the project and ensured us that the project is definitely not dead.

PostmarketOS’ overarching goal remains a 10 year life-cycle for smartphones. We previously covered the project on Hackaday to give an introduction. Today, we’ll concern ourselves with the progress the PostmarketOS team has made.

The team admits that they’re stuck in the proof-of-concept phase, and need to break out of it. This has required foundational changes to the operating system to enable development across a wide variety of devices and processor architectures. There’s now a binary package repository powered by builds.sr.ht which will allow users to install packages for their specific device.

Other updates include fixing support for the Nexus 5 and Raspberry Pi Zero, creating support for open source hardware devices including the Pine A64-LTS and Purism Librem 5. PostmarketOS now boots on a total of 112 different devices.

We’re excited to see the PostmarketOS project making progress. With the widespread move to mobile devices, users lose control over their computing devices. PostmarketOS gives us the ability to run code that we can read and modify on these devices. It’s no small feat though. Supporting the wide variety of custom hardware in mobile devices requires a lot of effort.

While it may be a while before PostmarketOS is your daily driver, the project is well suited to building task-specific devices that require connectivity, a touch screen, and a battery. We bet a lot of Hackaday readers have a junk drawer phone that could become a project with the help of PostmarketOS.

Preventing Embedded Fails with Watchdogs
https://hackaday.com/2019/01/12/preventing-embedded-fails-with-watchdogs/
Sun, 13 Jan 2019 00:00:00 +0000

The Clementine Spacecraft

Watchdog timers are an often overlooked feature of microcontrollers. They function as failsafes to reset the device in case of a software failure. If your code somehow ends up in an infinite loop, the watchdog will trigger. This is a necessity for safety critical devices. If the firmware in a pacemaker or an aircraft’s avionics system gets stuck, it isn’t going to end well.

In this oldie-but-goodie, [Jack Ganssle] provides us with a great write up on watchdog timers. This tells the story of a failed Clementine spacecraft mission that could have been saved by a watchdog, and elaborates on the design and implementation of watchdog techniques.

If you’re designing a device that needs to be able to handle unexpected failures, this article is definitely worth a read. [Jack] explains a lot of traps of using these devices, including why internal watchdogs can’t always be trusted and what features make for a great watchdog.

Thanks to [Jan] for the tip!

Build A Home Automation Hub For $20
https://hackaday.com/2019/01/05/build-a-home-automation-hub-for-20/
Sat, 05 Jan 2019 18:00:33 +0000

With so many WiFi home automation devices on the market, you might want to take advantage of these low cost products without having to send your data to third-party servers. This can be accomplished by running your own home automation hub on your home network.

If you don’t want to use a full computer for this purpose, [Albert] has you covered. He recently wrote a guide on running Domoticz on the $20 GL-MT300Nv2 pocket router.

The setup is rather simple: just perform a firmware update on your router using the provided image and a full home automation stack is installed. Domoticz provides a web interface for configuring your devices, setting up rules, and viewing sensor data.

The pocket router is also supported by OpenWrt and provides a USB host port, making it a low-cost option for any WiFi hack you might have in mind. We’ve seen quite a few OpenWrt based hacks over the years.
