Domain: yubico.com
Stories and comments across the archive that link to yubico.com.
Comments · 66
-
Re:Time for hardware security.
You mean Yubikey?
-
Re:Time for hardware security.
Something similar to a Yubikey then? There are a few guys around here who use one, but not myself currently.
-
Glad We switched to YubiKey long ago.
Our secure tokens are Yubikeys. We use RFID for physical access and the challenge response protocol for authentication.
We didn't like the thought of having to trust a 3rd party with our keys, so we run our own authentication services and use our own "seeds". This way we have one less attack/exploit surface (the MFG) to worry about -- Looks like it paid off for us this time!
Key Lifecycle Management
Re-configuration of YubiKeys by customers
For high security environments, customers may select not to share the AES key information for their YubiKeys outside of their organization. Customers may also for other reasons want to be in control of all AES keys programmed into the Yubikey devices. Yubico therefore supports the use of a personalization tool to reconfigure the YubiKeys with new AES keys and meta data.
If RSA has your keys... are they really secure?!?!!
-
Re:The concept of OpenID doesn't seem very secure
There are ways... You can for example get a Yubi Key: http://www.yubico.com/yubikey, then get your own Drupal based OpenID provider: http://drupal.org/project/openid_provider and use the http://drupal.org/project/yubikey module. Result? You host your own OpenID provider and every time you want to use it, you need to have the Yubi Key - no one can steal your identity unless he steals your USB Key and your OTP
-
Re:They didn't pull a sony
The grid has a certain level of being 'interesting', but I recommend the Yubikey + Lastpass bundle instead.
I like the fact that your passwords stored on the client are also encrypted with the hash of your Yubikeys, when using this. So even if your master password is compromised, they cannot be decrypted.
I just wish Lastpass would give me the option to turn off the ability to recover from a lost Yubikey, as long as I register enough Yubikeys on my account, and keep a couple in secure secondary locations (as in bank safety deposit box), where they are not easily lost.
-
Re:Crap, crap, crap
"You know those key-fob things that stay in sync"
Oh, are they supposed to stay in sync? I thought the regular drift was a 'security feature'
(Meh - we use Yubikeys: http://www.yubico.com/yubikey)
-
Re:Reply
A product like the YubiKey, along with a password, would be a good solution.
Something you know combined with something you have.
The problem with (most of) today's online services is that they only rely on the "something you know" part.
-
Re:Hmmmm
-
Re:Xmarks, KeePass and Encrypted Zip combination
I use foxmarks (or Xmarks, as they call themselves now) for all the web passwords that I'm willing to let Firefox remember. AES encrypted, available everywhere Firefox is. Nice. Simple. Easy and Works.
The passwords that I put in there are variations of a few basic passwords. The passwords are simple plain english words, 3 to 8 characters long, and each letter maps to a random 2 letter assignment. This map is generated by going to GRC's password generator page and taking the first two letters in the ascii printable list and assigning it to "a", the next two to "b" and so on. I then follow with the numbers. There is also a lower/alpha/number list which I do the same thing with in case I run across a site that can't take special characters.
For example, when I went to the page for this post, I got the following string: "=f^9]pnLE70:uS6XYhev/ExPy%)Ax}" In this case a := "=f", b := "^9", etc. For the password base I would choose something like sea, which would then get translated into: DeE7=f I would then add a simple (ie: 2-3 char plain text, easy to remember) prefix or postfix to the password for the site.
At work I keep the alphabet list printed out and taped to the bottom of the center drawer of my desk. This is secure because people would have to get past the armed guards and two locked doors to get to it. Even if this wasn't the case, they would have to know what the base password is.
For non web based passwords I use KeePassSafe. Even I don't really know what the password is for keepass, as I use both a keyfile, and a statically generated 32 character password (I use a Yubikey in static mode for this). I'm not concerned about losing the file, but if something happened to the key, I admit I'd be screwed. Mostly I use it for the geek factor. Before I got the yubikey, I used the above method with an 8 character base (and the keyfile).
-
Re:Digium says: Protocol, not program
John, one of the ways I got people to use "good" passwords is by getting them a Yubikey and setting it to static mode. It then always generates the same password instead of an OTP, but it's a very long one and as it pretends to be a keyboard it types it in itself. The challenge is always to make it long enough to be safe, but short enough to actually fit in the entry field.
It is a simple way to both SET a decent password and to preserve that setting in other than a file.
Just a tip, and no, I don't work for Yubico. I just got one to play with and I like it (must go and buy some).
-
Re:What about the banks?
So make the second password a security token! Make a really long and unguessable password and put it onto a USB stick (or 2 or 3 so you don't lose your account if one breaks), something like this
-
Don't just run it on a higher port.
Be proactive on port 22 as well. At the advice of another comment I saw on /. a year or so ago I'm running a honeypot, with three static ports (one of them 22) and 4 roving ports. Establishing a TCP connection to any of them causes your IP to be instantly added to an iptables blacklist. It's worked pretty well; I've got about 2-3 unique addresses trying per day, and about 294 have been blocked since mid-December 2008. It takes care of both port scanners and bots deliberately connecting in order to try and get root on my server.
Of course, the only way to get root on the server anyway is through a Yubikey OTP or the 64-character randomly generated password I have on an encrypted partition somewhere in case my Yubikey is ever fried/stolen/lost.
-
Re:What bothers me about OpenID.
The idea is dumb, it does put your eggs all in one basket because once someone has your login credentials they have your whole online identity.
If I found out Richard Stallman's openID usr/pass I could create an account on slashdot and post shit and people would think I am him because I am using his openID identity.
That's what is so damaging about it. Not only does it give a black hat login access to your personal information all over the internet, but it also allows you to create new information under the guise of someone else potentially ruining a person's life.
The above shows off OpenID's biggest weakness. Which is not the "all your eggs in one basket" as the poster alludes to, but rather the phenomenally poor marketing of OpenID. OpenID's web page pretty much sucks in explaining the technology's strengths. The biggest strength is that you don't have to have a static username/password. All the following are valid ways to authenticate with OpenID:
- RSA Tokens
- Yubi Keys
- SMS Texting (The authentication server generates a random string and sends it to a phone via sms. It has the added benefit that you know when someone is trying to access your account.)
- A system that uses Perfect paper passwords
- A system that takes an image from your digital photo collection and asks who took it
- A system that asks you to solve a word problem
- Whatever else you can come up with
In addition, the system can be set up so that you can have a list of "high security" sites (ie: a bank) where you have to answer a different set of questions/use a different authenticator than your normal everyday blog site.
-
Re:Not all OTP's are vulnerable to MITM!
Q. There are several types of OTP tokens out there. Which is the YubiKey?
A. Many OTP solutions today depend on time-synchronized tokens and verification service. Since each OTP is valid for only a limited time, this solution adds higher protection against phishing. Unfortunately the synchronization process is difficult to administer and out-of-synch tokens add frustration for users. Other OTP solutions depend on an incremental internal sequence counter as the basis for the OTP generation. In this case an OTP does not expire, and thus the risks are higher, but at the same time it is generally an easier system to administer than time-based tokens.
YubiKeys combine the best of these two approaches. There is no need for the YubiKey tokens to be synchronized to a common server time. Each token has an internal sequence counter that is partly driven by its internal clock. YubiKey's unique design ensures that this counter is part of the generated OTP, so the system in effect lets the service check synchronization at the OTP validation time.
This might give you the answer to this question;
Also explained here is:
Another feature to prevent OTP harvesting and Phishing is to use the timestamp field to calculate the delta between two generated OTPs. In a scenario where a bigger stake is at risk, the server would typically ask for one OTP when the user logs on and a second when "checking out". The server knows the exact time delta between the OTPs but the Phisher doesn't.
-
Not all OTP's are vulnerable to MITM!
Not all OTP's are prone to MITM attacks; the Yubikey for example has an (8 Hz) timer built in, initialized to a random value on connection. Next time an OTP gets generated the timestamp moves up too with a maximal difference of 10%. This timer prevents MITM attacks; without the use of a battery. Read more on their website.
I'm currently writing an authentication platform working with Yubico's demo and reprogrammed Yubikeys.
I'm not affiliated with Yubico, just a user of their product; although I can tell this key has it done right! They also seem to have a nice mindset allowing a large suite of usages with their product by focussing on the hardware only, leaving the software with 3rd party developers.
Oh, and did I mention it was open source?
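As an added example (not code from any of these comments, nor Yubico's own validation code), a stdlib-only Python verifier for the decrypted OTP body that applies the two checks described in this comment and in the Yubico FAQ quoted above: the session counter must only move forward, and within one power-up session the 8 Hz timestamp delta must agree with the wall-clock delta within the quoted 10%. AES-128 decryption of the 16-byte body with the device's shared key is assumed to have happened already; the 10% policy, the one-second slack, the `build_plain` helper and the sample token values are assumptions made for this example.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # YubiKey's keyboard-layout-independent hex alphabet

def modhex_decode(s: str) -> bytes:
    """Decode the modhex public ID (the first 12 chars of a 44-char OTP)."""
    nibbles = [MODHEX.index(c) for c in s.lower()]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

def crc16(data: bytes) -> int:
    """CRC-16 (poly 0x8408, init 0xFFFF) over the Yubico OTP token body."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def build_plain(uid: bytes, counter: int, ts: int, use: int, rnd: int = 0x1234) -> bytes:
    """Constructed token body, i.e. what AES decryption would yield (test data only)."""
    body = uid + struct.pack("<H", counter) + ts.to_bytes(3, "little")
    body += bytes([use]) + struct.pack("<H", rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)  # CRC stored inverted, LE

def parse_plain(plain: bytes) -> dict:
    if len(plain) != 16 or crc16(plain) != 0xF0B8:   # residual of an intact token
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    counter, = struct.unpack_from("<H", plain, 6)
    return {"uid": plain[:6], "counter": counter & 0x7FFF,  # top bit is a flag, not count
            "ts": int.from_bytes(plain[8:11], "little"), "use": plain[11]}

class Verifier:
    TICK_HZ = 8.0   # the key's internal timer rate
    DRIFT = 0.10    # assumed policy: the 10% timer tolerance quoted in the comments

    def __init__(self):
        self.last = {}  # uid -> (counter, use, ts, wall-clock time when last seen)

    def check(self, plain: bytes, now: float) -> str:
        t = parse_plain(plain)
        prev = self.last.get(t["uid"])
        if prev is not None:
            pc, pu, pts, pnow = prev
            if (t["counter"], t["use"]) <= (pc, pu):
                return "replay"                  # counter/use must move forward
            if t["counter"] == pc:               # same power-up: timer is comparable
                expected = (now - pnow) * self.TICK_HZ
                observed = t["ts"] - pts
                if observed < 0 or abs(observed - expected) > self.DRIFT * expected + 8:
                    return "timestamp mismatch"  # harvested OTP presented too late
        self.last[t["uid"]] = (t["counter"], t["use"], t["ts"], now)
        return "ok"
```

Because the timer restarts at a random value on every power-up, the delta check only applies between OTPs that share a session counter; a new session is accepted on the counter check alone.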
-
there are already open source OTPs like Yubikey..
Like this one which supports almost everything directly out of the box; easy to implement and safe as freak!
RSA and other OTPs require returning a number (more hassle), being expensive and large while this one is small and cheap and acts like a keyboard.
They are acting like a HID, just like a usb-keyboard, in any country or characterset by using MODHEX. The price is nice too! I've just ordered 5 to test and got 10 other waiting to arrive..
Disclaimer: I don't work for the company, I just work with their tool;