Most active commenters

    ←back to thread

    TOTP tokens on my wrist with the smartest dumb watch

    (blog.singleton.io)
    274 points alexmolas | 15 comments | 26 Jul 24 19:20 UTC | HN request time: 1.028s | source | bottom
    1. guenthert ◴[27 Jul 24 07:31 UTC] No.41085020[source]
    > To add the secret to the watchface code, you need to convert it to hexadecimal bytes. This cryptii.com page will allow you to do that conversion. Note you’ll have to enter your TOTP secret in uppercase.

    I wouldn't be comfortable entering my TOTP secret into a random web page. In Linux (Ubuntu here, probably other distributions as well) you might have the `base32` and `od` tools already installed (package 'coreutils').

    Otherwise the project is awesome (just the watch is fugly :))

    replies(4): >>41085069 #>>41085463 #>>41087879 #>>41088189 #
    2. matheusmoreira ◴[27 Jul 24 07:44 UTC] No.41085069[source]
    The board is also compatible with the A158W and A171W, they look much better.
    replies(1): >>41087031 #
    3. johnisgood ◴[27 Jul 24 09:38 UTC] No.41085463[source]
    Yeah, why would anyone rely on a third-party, and a website one at that for something as simple as base-32 decoding... or generating TOTP. :P
    replies(1): >>41089075 #
    4. fortran77 ◴[27 Jul 24 15:07 UTC] No.41087059{3}[source]
    @dang, please remove this ageist comment.
    5. alright2565 ◴[27 Jul 24 17:02 UTC] No.41087879[source]
    This is why I keep uMatrix around still

    https://i.imgur.com/9MYqLvj.png

    I can quickly disable XHR to confirm websites don't do anything server-side when I don't expect them to.

    replies(1): >>41088028 #
    6. BHSPitMonkey ◴[27 Jul 24 17:27 UTC] No.41088028[source]
    You'd really need to block fetch(), websockets, WebRTC, all external images/stylesheets/scripts added to the DOM later, and service workers (to prevent the upload from just being deferred). It's not easy to make sure a web page can't phone home.
    replies(2): >>41089617 #>>41090755 #
    7. pimlottc ◴[27 Jul 24 17:47 UTC] No.41088189[source]
    If you must use a web app, you can at least use CyberChef, which runs entirely in the client and is widely used in security testing.

    https://gchq.github.io/CyberChef/

    replies(1): >>41089434 #
    8. matheusmoreira ◴[27 Jul 24 18:05 UTC] No.41088289{3}[source]
    Now I'm wondering what a fashionable young man's watch is supposed to look like. I think the synthwave aesthetic is really cool but maybe it's just me.
    replies(1): >>41089981 #
    9. dps ◴[27 Jul 24 20:22 UTC] No.41089075[source]
    Author of the post here… Cool to see this back on HN! I was trying to provide instructions that anyone could use regardless of platform, hence the choice of web tools (both those linked process the data locally). If you know of a base32 decoder that’s easily available on Windows, Mac and Linux I’d be delighted to update the post.
    replies(2): >>41092132 #>>41093469 #
    10. gchq-7703 ◴[27 Jul 24 21:22 UTC] No.41089434[source]
    Example recipe to do it for you:

        https://gchq.github.io/CyberChef/#recipe=To_Upper_case('All')To_Base32('A-Z2-7%3D')
    It looks like 'cryptii' also appears to do all processing client-side.
    11. KTibow ◴[27 Jul 24 21:58 UTC] No.41089617{3}[source]
    Throttling inside of Devtools should do all of those.
    12. filoleg ◴[27 Jul 24 23:03 UTC] No.41089981{4}[source]
    F91W from the article is unironically cool now (and has been since forever afaik). Especially in streertwear circles. I’ve legitimately seen plenty of people from early 20s to mid 30s wear F91WF, with Balenciaga tier of the outfit to match. From the streets to night clubs to literally anywhere, both men and women. Definitely not the “socks and sandals and polo shirts crowd.”

    Hell, there are photos of Obama wearing it well during his early days[0].

    0. https://www.reddit.com/r/casio/s/sUKUFoyq2s

    13. tyingq ◴[28 Jul 24 02:07 UTC] No.41090755{3}[source]
    Well, and writing cookies which would upload at a later visit. And probably a dozen other paths.
    14. johnisgood ◴[28 Jul 24 09:23 UTC] No.41092132{3}[source]
    OpenSSL, base32, basez, C program, Python or Lua script? I have a Lua script that generates TOTP (with base32 decoding), for example. What are your requirements, would either of these suffice?
    15. fragmede ◴[28 Jul 24 14:40 UTC] No.41093469{3}[source]
    WSl means Unix command line tools are available on windows as well these days.