Friday, August 30, 2013

LastPass, YubiKey Neo and 2 Step Authentication

For a long time, I have used Google's 2 Step Authentication as a means to secure my Google based accounts, and it generally works great. But what about the other 99% of sites that don't use Google as a login service? Banks down to one off registrations on random websites that you will likely never visit again (except to turn off the email spam!) all need the same protection. Some guys (Twitter, LinkedIn, Facebook) have moved over to include support for this, but the majority of sites simply rely on the old adage - "keep your password secure".



PASSWORD OBSCURITY

Keeping your password secure is easier said than done. Outside of simply guessing a password, a large amount of account hacks / compromises occurs by somebody stealing a table of passwords from the site and brute force cracking them (such as the ever popular rainbow hash cracking technique). It was actually LinkedIn last year that really brought it home how stupidly simple and quick this had become - 6.5 Million passwords cracked in a day! Cracking techniques and simple raw compute power (especially GPGPU based solutions) are getting so advanced, you can't trust the most complicated of passwords anymore even with the addition of a salt to the hashing algorithm.

Two step authentication prevents a hack such as the LinkedIn affair by adding a second challenge to the user when logging into the site. The second step can send a text message, call you home phone number, ask you to use an entry from a printed off list of secondary one-shot passwords or pull of a code from an app stored on your cell phone. If a hacker doesn't have access to this intensely private authentication sources, the account remain secure. However the password is now an open secret! I wonder how many other sites you have used the same password?



ONE PASSWORD TO RULE THEM ALL

For over a year now I have been using LastPass to both create, curate and retrieve any user / password combo for all the sites that I use. Before switching over to this, I had been salting my own passwords for each site, using a fixed 8 characters, the name of the site and then my common password. i.e.  "q1w2e3r4  FACEBOOK  fbpassword". This was great, but I never wrote down the name of the site and sometimes, forgot what it was (i.e. for websites where I had multiple login's)...

Whilst I didn't find my password in list of compromised LinkedIn accounts (mainly because of my self imposed password policy), it still worried my that if this password was compromised and someone looked at my individual account, they would figure out the pattern and break into other accounts that I had in other sites.

LastPass comes in multiple forms including a website, a smartphone app and a browser plugin. It supports a few features that I use all the time (as well as a bunch I never touch):

- auto fill in password fields in a website (renders key logging ineffective as the password never hits the keyboard)
- generate random "secure" passwords
- stores the passwords themselves on your phone or laptop in an encrypted file which itself needs a password to open it.

Assuming you keep your LastPass account password safe, even if someone steals your phone the full password list still remains secure. But have you not just made things easier for people to steal all your website credentials? Maybe some dude in a coffee shop watched you type it in...?



TWO STEP LASTPASS

Enter YubiKey to the rescue. LastPass supports using a hardware token for the second step of authentication to access your passwords, effectively disabling access to your local password cache without both your password and the physical token being present (in the most secure of configurations).

YubiKey costs 25$ for a USB version (it emulates a keyboard USB device and so works with nearly 100% of PCs / MACs and other boxes) and 50$ for one that also contains NFC (so you can use it on Android devices for example). I have the latter and apart from an unreliable NFC connection on my Nexus 4, it works great. Of course, YubiKey and LastPass is still not 100% fool proof and could do with improving still - however, its as secure as I want for the time being.

Oh, and LastPass supports Google 2 step authentication as well if you'd rather use this. Its free!



ABOUT THAT GOOGLE 2 STEP THING

Whilst I am on the topic, I may as well lay into the issues with the 2 step program from Google as well. Its the Google Authenticator App for Android that really grinds my gears.

Everytime you change (or simply wipe) your Android device (including installing a new ROM etc...), you have to re-initialize the Google Authenticator application. When this happens, all you application specific passwords also get reset. Why this is an issue is because all of the trusted devices or applications that you allowed to access your Google account that didn't support using the full Google login services (i.e. xbox 360 or third party chat applications like pidgeon) suddenly stop working until you create new passwords and update all the devices.

For this very reason, I don't use the Android app and instead rely on Google sending me a text message with an authentication code in it. If you're travelling in Asia at a customer site with poor cellular access, this text message can often turn up several hours later which is extremely impractical and hard to rely on.

I can see the logic in resetting these passwords if you register a new authenticator application, but really there should be a way to re-enable the original passwords if you are happy that the devices have not been compromised, to save a massive amount of pain each time it happens.

This is why I prefer the YubiKey over the Google vision (for now).



LAST MILE

As the security of your LastPass account is protected by your security of your email address, I can use Google 2 step as a secondary protection for this, in case someone attempts to disable the YubiKey on my LastPass account (using my login / password). Double secure win.

Oh, and of course my laptop and phone all require pins or passwords to access them, should somebody steal one of these. Android is also set up with the ever useful Android Device Manager which I recommended everybody enable.

No comments:

Post a Comment