I've been a Virtual Post Mail (https://www.virtualpostmail.com/) customer for 10 years so far and they've been great. Reliable and very quick to respond to support emails on the rare occasion it was needed.
Thanks a ton! Lots of great features planned in updates: user whitelisting in Safari, better default blockers, native iPad support, OSX extension. Will continue to be free.
Conversely, check out Yoyogi park on the Monday after a hanami weekend. The ground is covered in garbage, broken bottles, cans, etc. Or check out the square at Shinbashi station after the salarymen finish their impromptu outdoor happy hour. All flat surfaces are littered with convenience store wrappers, empty beer cans and cigarette butts.
I like those, but I really really want something which can do bt 4.0le with an existing pairing (stronger than just bluetooth 4.0 le security, though) between my host (ideally, mac/win/linux desktop/laptops, also phones) and the device, with some level of on-device logging, access control, etc.
A type 2 pinpad + openpgp smartcard might be the best practical thing right now -- a PIN on the card, plus a passphrase from the host (I think you can require both?). Type 3 showing a hash of what you sign, or a serial number of number of signs, would be even better.
The GPF cryptostick (usb) is also nice -- I think you could also take the Werner smartcard and cut it down to a smaller size for a USB stick sized reader. Sadly GPF stick 1.2 is out of stock everywhere.
Yeah, I guess I just don't trust smartcards all that much from a hardware security perspective, vs. modules with battery inside a metal envelope. I'm sad Maxim/DS killed the Crypto iButton line -- it was a great compromise between smartcard cost ($20-30) and HSM physical security. The software was never great, though.
keys (https://github.com/wg/keys) is the password manager I've always wanted. It's a client/server application with a command line UI, and the server can run on a mobile device so your credentials are available wherever needed.
keys is open source (GPLv3) and includes a basic Android app that runs the server. The code should run on iOS as well, but the lack of background networking is an issue.
keys provides strong protection for credentials. For details please read SECURITY, but to summarize, everything is encrypted with AES in GCM mode using a randomly generated key, which in turn is encrypted with a key derived from a password via the scrypt KDF. Network communication occurs over mutually authenticated TLS 1.2 connections.