If your Yubikey dies, your 1Password vault is toast. This is a bad idea and doesn't really add much to your level of security.
Just use a long and random 1Password, and store it in the OSX Keychain (1Password supports this). Then back up your user keychain with the rest of your files and don't forget your login password. Alternately, Mavericks (which comes out in a week) will sync your Keychain items to iCloud for you.
This is all moot though because 1Password is a pain in the dick to use on iOS, and Apple's using their lack of plugin support for MobileSafari to hinder competition. In Mavericks' Safari, you can now save passwords for forms that specifically attempt to disable password storage, and sync those encrypted passwords to iCloud. This wouldn't matter much... but that sync now works with iOS7's MobileSafari, where 1Password can't load a browser extension to compete.
TL;DR: Cool story, but 1Password unfortunately becomes OS-bundled obsolete in a week.
I live "exclusively in Apple's ecosystem", but still find 1Password incredibly useful. You can store credit credit card/passport details (so useful when filling in forms and not having to dig around for them), store software licences, create secure notes, store bank account details and a bunch more things.
So it's more than just a secure password storage/generation program, it's a centralised system for all your important, easy to lose/forget details.
I don't know how much work Apple are going to put into Keychain, but it would have to be a lot for me to switch.
Yes, I've been a 1Password user for years, but you have to admit that using the database on iOS is hacky - you either have to log into 1Password and copy the username out, switch to Safari, paste it, switch back, copy the password, switch back, paste - or use the built in webview in 1Password to do your browsing, which is clunky but will autofill the forms.
On iOS7, it uses the iCloud keychain (written to by Safari from 10.9 Mavericks) to autocomplete forms. Also, all the iOS tabs are available on the desktop and vice versa.
Yes, I use 1Password to store other data, but its primary function is credentials for websites, and anything that does that inside of MobileSafari automatically blows 1Password out of the water.
I wonder how this will affect Chrome / Firefox share among Mac users. Reading the Mavericks details on Apple's website, they make some claims about Safari's performance that were surprising to me ... But believable if the nitro enhancements are vast.
Yeah - the downside would be if someone got access my 1Password, they'd have EVERYTHING...
Also, I always think that it's well and good having a super secure password/password manager, but that's not going to stop me accidentally typing it into a search box, someone looking over my shoulder, accidentally copying and pasting it into and email, or something equally stupid.
1P has some cool features to help prevent some user error (deletes the copy and paste history after a few seconds, auto locks the phone app, etc) but all it takes is some other dumb error on my part to circumnavigate all of their encryption.
The convenience outweighs the risk for me at the moment.
> If your Yubikey dies, your 1Password vault is toast. This is a bad idea and doesn't really add much to your level of security.
I can't speak for 1Password, but in general you can have more than one yubikey so that doesn't happen. I have a couple of backup keys in case something goes wrong myself.
Which is why I keep a single GPG encrypted text file with all the login stuff to things that matter. Only one password to remember and everything is backed up regularly.
I haven't used 1Password before, but I know LastPass offers multifactor authentication via your mobile app of choice[0], which comes to essentially the same thing.
Once you've set it up, you require two passwords to log in: one you memorise; the other you read off your mobile app, and is regenerated every 30 seconds.
You can also use other password safes (sometimes called vaults) that are multi-platform. A password safe is an encrypted database that allows you, and your team, to securely store and share passwords. Basically, it is a free piece of software that is cross platform (win, mac, linux), a common workflow would be to store it on a shared drive, and give your team access, they use a common password to access the safe, which holds the other passwords. Create multiple safes if you need segregation i.e. dev safe, sysadmin safe, network safe, etc. I have created a screencast about this @ http://sysadmincasts.com/episodes/7-why-you-should-use-a-pas...
Personally, I would not recommend any of the cloud based solutions, for the simple fact, that any slip up in their security and you are hosed. These are your crown jewels, do not outsource this!
"any slip up in their security"? We aren't talking about storing plaintext passwords in a database here. They should be storing and sending/receiving encrypted data only. It would most likely be necessary to compromise the client in order to gain access... in which case it makes no difference whether you're using a cloud-based service or not.
Yes, but 1Password is not support on Linux though there is a work-around so you can atleast access the passwords but not save new one. I think that's what he is referring to.
Hm, I've been using KeyPass/Dropbox for quite a while now. Not sure what advantages this method has over mine? Yes, I have to remember my KeyPass master password... but then you'd have to be logged into one of my machines to get access to it anyway... or on my mobile, which everyone seems to be using for 2 factor anyways, so it's moot if my mobile is compromised.
I use the KeePass/Dropbox combo also at the moment, but I have some concerns about it and may switch away.
Dropbox keeps historical versions of your files. My concern is that, if an adversary can get multiple versions of my Keepass file which they know are a sequence with small changes between them, then they are much more likely to be able to devise an attack. I haven't looked into this any deeper yet.
His setup is basically the same as yours, doubly if you use keepass with a key file. His short password is a knowledge credential, and a yubikey is an ownership credential.
I've been working on my net security as well and I've had a hard time compromising security vs convenience and fault tolerance. My situation is made a little more complicated because I don't have a smartphone which rules out mobile based key vaults.
I want a minimal set of dependencies to access necessary accounts, like my gmail. No file I can lose, or password I might forget. I've decided to rely on an ok password and google's two factor auth.
Less important accounts are stored in keepass protected by a key file and password, but I'm worried about losing the key or vault file.
This is the solution I currently use. I have found KeyPass problematic on OSX but since that isn't one of my primary computing environments it works well.
I am putting a lot of faith in the security of KeyPass, as I don't put a lot of faith in DropBox to keep the file secret. If DropBox's sync system wasn't so simple/unobtrusive I'd use something else.
Then as a last step measure, there are backups of the keepass file in case a machine or dropbox have issues.
> If DropBox's sync system wasn't so simple/unobtrusive I'd use something else.
Perhaps consider using Bittorrent Sync[1] for synchronisation.
For practical purposes, it's similar to using DropBox, the key difference being that instead of syncing with DropBox in the cloud, you are syncing folders across hardware you control. The hardware could be different computers, phones, tablets etc.
As an extra safeguard for KeePass, I use a key file in addition to the password. The key file I also keep in cloud storage (in case any of my machines die in a fire), but on a different cloud storage provider. That way I can always reconstruct my password environment, but it would require compromising two cloud stores and keylogging my password to open the safe. (Or access to one of my local machines and a keylogger, but in that case I'd be hosed anyway.)
This essentially turns "something you know" into "something you have", with no requirements that any of the remote websites change what they are doing.
It seems like this is an interesting counter to the recent budding trend of arguing that "something you know" (passwords) is broken and we should all throw it out and switch to "something you have". This shows that a user can unilaterally convert "something you know" into "something you have", and unlike the inevitable clusterfuck of trying to standardize on "something you know" with the inevitable gold rush of competing, fragmented standards, resulting in users having to have an unbounded number of "things" in their possesion [1], authentication consumers can continue to work with standardized password approaches.
It seems to me that rather than rewriting the Internet to not use passwords, we'd be better off making this approach even easier (although it's not all that hard right now, really).
[1]: Yes, I'm aware of things like RFC 4226. History's pretty clear though; if there was more value to capture in this space it would break into proprietary fragments in a heartbeat. All the proprietary fragments would probably be beaten down by RFC 4226 in the end, but there would be an unhappy few years in the middle.
>This essentially turns "something you know" into "something you have"
It really doesn't. This essence of "something you have" is that you really, truly must have it for authentication to work -- every time. In this case, if you capture the data on the Yubikey once you never need to have the Yubikey again (since he's using the static slot). Or to flip it around, if you just once leave your Yubikey in your pocket in coat check, or in a checked airline bag, or in your USB slot when you go to a meeting, etc., it is potentially 100% compromised without your ever knowing.
This is why true "something you have" systems like Google Authenticator, or the actual Yubikey system as it was designed, use constantly changing keys.
I think you missed the part where he's not combining something he has (the Yubikey, which stores part of his password) with something he knows (the other part of his password).
It really doesn't change it into something you have, it simply gives the user and anyone compromising them via keylogger, slipping yubikey into their own system and pressing button, etc a way to avoid typing.
Something you have exists in the form of things like smartcards. Crypto stick, https://www.crypto-stick.com/, being a great and user friendly example of.
I've been using PasswordMaker (http://www.passwordmaker.org/) for years to generate most of my site-specific passwords when needed. PasswordMaker uses a master password together with a site's domain name to hash a site-specific password. It has Chrome and Firefox extensions for filling in the password fields with one button.
Unfortunately, by default it uses MD5 and 8-character passwords. I always set this to SHA256 and at least 12 characters when first installing the extension on some device/browser.
Most sites play well with this, but there are exceptions: having to change a password is a bit ugly when the passwords are generated from a given master password and the site's domain name.
A more common problem is when a site refuses to accept certain characters in the hashed password or when a site requires some number of digits and uppercase letters, for instance. I currently just store these exceptions with Keepass.
I see 1Password being mentioned a lot but I started using PasswordMaker and Keepass well before I'd first heard of 1Password so I don't know how it might compare.
I only know my master password for Lastpass which is a kind of random 14-16 char long and complex. I type it once each morning and it goes fast to type. With that I access my other 334 random generated passwords. But I do know my password for email just in case.
At the very least you should have a way to recall your e-mail password. Almost every account that you have is linked to an e-mail for resetting. You need to have reliable e-mail access in order to reset your digital life.
My e-mail password was created randomly based on 12 uppercase/lowercase letters, numbers, and symbols. I memorized via muscle memory. My master-password-database password is the same, but 18 characters. I know more passwords, but these are the only two I need to retain.
You can also be pragmatic about your accounts. Do I care if my PontiacSunfireCarClub.com account is hacked? Or my NewYorkDailyNewsTime.com account? No, I don't. So the password is irrelevant.
"Stronger passwords are typically hard to remember. Since you will need to enter your 1Password master multiple times a day, this can be a problem."
This doesn't make too much sense. While stronger passwords are harder to remember, if you use them multiple times per day, you'll have stronger memory of that password. Its hard to forget a password you have to use a few times per day...no matter how long or short it is.
Additionally, stronger passwords are not always harder to remember. There are some great password and memory techniques that makes long complicated passwords easy to remember.
I'm pretty certain you're completely screwed if that happens. I don't think it's worth that level of risk to not know the password for your 1Password vault
If it were me I'd have the long yubikey password written out on paper in a safe in my house somewhere, or in a bank vault or something. If an adversary is motivated enough to gain access to that, your days are probably numbered anyway.
I'd keep a paper copy of the passwords stored in the 1password because it would be an interesting DOS vector to get him locked out of 1password, somehow. By gaining access and changing his 1password password, or deleting his 1password, or ... something. At least theoretically as long as the attacker didn't mess with the accounts stored in 1password he could still get into his bank or whatever account.
Hmm how is 1password synced... you could corrupt the file and trust it to be synced somehow?
"Forgot password" at every website you care about. (Getting your email back is the critical one, and I work around that by remembering that password myself. But most providers offer SMS verification, and if you self-host you can always pull the drive and edit /etc/shadow.)
I honestly don't see the fuss about writing the passwords down if you have reasonable physical security. A keylogger isn't going to be able to snoop inside your locked desk. A written down password is "something you have".
I've recently switched to this. While my passwords are now secure, I've found a number of situations where I can't login somewhere because the password list is only found on my home computer.
I think this is an interesting setup just because it makes it possible to have a very complicated 1Password master password without being too inconvenient. For my use of 1Password, it wouldn't work though since I use it on my phone frequently.
However as others have said, you need to have a way to get to the full password somehow, likely in the form of it written down and stored in a safe, at home or in a bank. Or in somebody else's password vault.
Actually, that's something I haven't seen much and that I have done myself manually only: the ability to secure this information by spreading the database with multiple trusted parties. Similar to what Snowden has done I understand: no-one can access the information by themselves, but you can piece together whatever information you need from multiple people. I know some stuff exists like this, I just haven't seen for password vaults specifically.
It is sniffable with a key logger. It's still very useful though. If you're only using the Yubikey for two-factor auth (slot one), then it will only get your one time password.
This thread shows that there's still some confusion around best practice with Yubikey.
{EDIT: Was the submission edited after being posted here? Because a bunch of people are saying that the password dies if the Yubikey dies, even though the submission says that the password is backed up independently of the Yubikey}
Yubikey is nearly brilliant. Not having a battery and a clock makes it a bit sub-optimal. But it's still a cool bit of tech. They don't help by having a terrible website. They need to split it into "info for developers", "why you want Yubikey" and "how to use Yubikey now you have one".
And it's kind of scary to see how many different password safes there are and how few of them have had any kind of auditing.
I use Lastpass with Google Authenticator two-factor authentication. Like most Lastpass users the only password I know is my master password, and of course it's the weakest.
Lastpass has worked well, but going forward there are two major concerns. Lack of a mobile browser plugin makes it difficult to use on mobile (Android). Second, is that all major browsers appear to be dropping plugin support out of security and performance concerns.
What's best for password management without using browser plugins? Chrome clear text password storage is troublesome. Bitlocker and mobile encryption may help. Are more OS implementations one the way?
if you pay for lastpass premium, you can use the android app with an android keyboard plugin. The keyboard is secured with your lastpass password and/or mobile PIN, and will fill forms on websites or login boxes on apps. It's pretty bad at detecting the site or app you're using, so I end up browsing for passwords more often than not, but's pretty usable. It's better than copy/paste because the interaction happens entirely inside the keyboard pane.
This is my only problem with lastpass. I use both iOS and Android and for some of my apps I have to manually type in the information. I know lastpass has a browser, but I rather use the basic Safari/Chrome/Firefox (depending on the need).
A lot of people are concerned about the Yubikey dying, but that is only one of 3 passwords you should have memorized.
You also need to know your app store password. If your computer crashes, you will want to be able to reinstall 1password.
Additionally, you probably want to use dropbox to sync your passwords and act as a psuedo remote backup. If that is the case, then you also want to know your dropbox password.
All in all, I think you should have 3 passwords memorized:
1) 1password master password
2) app store
3) dropbox
If you have this knowledge, you can gain access to all your credentials from a freshly installed OS.
You can get around this by having more than one device. Hence, if I have a fresh install, I can lookup my DropBox account on an existing install, then install 1Password and it auto syncs when it detects the password vault in DropBox. Hene, I only really need to remember 1Password.
Steve Gibson (of "Security Now!" fame) recently proposed a novel way to manage account access called SQRL. Basically, you use a SQRL app on your smart phone to read login QR codes. Some behind-the-scenes magic happens and then you're logged in.
It has a large number of benefits over the traditional account/password paradigm.
I have a thing called paper which i hide. On it i write stuff about events in my life that has to do with the password in question. That way i can easily memorise a shitload of passwords and if i forget one i just look at my papper. And easily figure out what the password was.
If the password is for a realy dumb service that i dont care about i just write it in a text file located on my server /home/user/shitty_passwords.txt
I use SuperGenPass, a JavaScript bookmarklet that hashes a master password with the website's domain name to generate a unique password for every site. The only problem is websites that have unusual password requirements that don't like SuperGenPass' passwords.
I've used Dashlane for over a year and like it quite a bit. I think it started off as an automated checkout app but the password part has overtaken that feature (though payment and form filling still works great).
Dashlane does encrypted cloud storage with local decryption - but I'm just wondering if there are good reasons to switch to 1Password or LastPass.
He misstates the 1Password premise. It is actually that even if you have a complicated single password, repeating it throughout the day makes it easy to remember.
The rest of his argument is based on convenience alone and rather weak. A YubiKey, nice as it is, doesn't help with mobile devices, where transactions are increasingly taking place.
Instead of memorizing all of my passwords, I memorized an algorithm that I use to generate passwords. So all of my passwords are unique with fairly good entropy, and I can recover any of them, but I don't necessarily have them memorized. The ones that I use often are saved in muscle memory.
I have wanted to take this approach, but it's hard to reconcile with the password requirements for service providers. Sometimes these go so far as to be mutually exclusive--for instance, some providers will not accept a password unless it has at least one non-alphanumeric character; others will not accept a password that has one. I found that it was difficult to remember what mutations I'd done to my password to make it acceptable to the service provider.
That was a problem when I first started a few years ago, so I used a very simple algorithm that didn't have non-alphanumeric letters. About 3 years ago I came up with a better algorithm, and now I use both. The simpler one on throwaway sites, which tend to be the same sites with insecure password requirements, and the more complex one for everything else.
The only problem I still occasionally run in to is when a site requires a password change for whatever reason. I have a couple of minor permutations on the algorithm that I use in those cases, but sometimes that does trip me up.
I use book quotes for passwords (include spaces and sometimes change letters for numbers (if the stupid website requires it)), I don't forget those since they're meaningful.
You might not forget the book quote, but how do you remember which one you used spaces on, which one you used numbers for letters, and which website uses which quote?
Just use a long and random 1Password, and store it in the OSX Keychain (1Password supports this). Then back up your user keychain with the rest of your files and don't forget your login password. Alternately, Mavericks (which comes out in a week) will sync your Keychain items to iCloud for you.
This is all moot though because 1Password is a pain in the dick to use on iOS, and Apple's using their lack of plugin support for MobileSafari to hinder competition. In Mavericks' Safari, you can now save passwords for forms that specifically attempt to disable password storage, and sync those encrypted passwords to iCloud. This wouldn't matter much... but that sync now works with iOS7's MobileSafari, where 1Password can't load a browser extension to compete.
TL;DR: Cool story, but 1Password unfortunately becomes OS-bundled obsolete in a week.