Wednesday, November 26, 2014

Password paranoia

Why password paranoia? It turns out there may have been some attempts by people other than me to reset my banking passwords… While my passwords were securely held and completely unique to the bank (i.e. not variants of stuff used anywhere else), they were not all that long / strong. Hence the search for something a little more robust…

I have used a local secure database for all my passwords for quite some time and that works pretty well. But I have always had a bit of a “niggle” about banking passwords, and the difficulty of remembering really strong passwords. (Weirdly spelled phrases are all very well, but when you are forced to change passwords it’s easy to lose track.) And using password vaults on mobiles is not easy, as the master passwords for them have to be really secure themselves, and are therefore difficult to enter.

So… I’ve adopted LastPass, which is cloud based, for everything except financial-transaction-related sites (banks, PayPal, sites holding my credit card such as Amazon). Its own security architecture is pretty tight, and having the encrypted vault on the web means you can use it from all your computers / mobiles and it always contains completely up-to-date data.
This leaves the master password problem. You could tell LastPass that your desktop or laptop is “trusted”; bad idea, particularly for laptops. Or, use an OTP (one time password) key: a Yubico NEO. You still have your LastPass master password; but once you have enrolled the key, you stick it in a USB port and tap it with a finger when your browser (with LastPass installed) loads. LastPass then verifies the OTP as a second factor alongside the master password and unlocks the vault. The zinger is that it also works with your Android phone, as the NEO can perform the same function over NFC… And the LastPass app handles it all seamlessly. (It is likely to work with iPhones from version 6 onwards, now they have enabled NFC functionality, although the SDKs for it have yet to be released... It does not work for Windows Phones yet, because of their nonstandard NFC implementation.)

It also leaves the internet financials problem. The NEO solves this too. You use a manageably memorable, “strongish” password, which is then extended with a very much longer (32 characters or more) static random string that no one could possibly remember… You deliver this string by typing your memorised password and then, with the NEO in a USB port, holding your finger on it for a couple of seconds (the NEO’s long-touch slot, configured as a static password). It then types the second, very long, part of the password. So you need both the memorised part and the USB part. Of course, anyone holding the NEO can make it type this extender, so the second part is not a secret from whoever has the key; but they still won’t know the base password that you were using for that site. Note that the extender is delivered as ordinary keystrokes, so it defends against guessing and against theft of the key alone, not against a keylogger on the machine you type it into. You can keep this password extender in clear form in your local secure master database in case you lose the NEO. I keep the – longish – key for the local secure master password database in the safe, along with instructions on how to unlock the whole hierarchy of secure passwords.

This can all still be compromised, but now it is much harder. Access to the physical key alone still does not give a third party access to your financial sites. The key plus a laptop on which LastPass is already set up and remembers the master password could get them into non-financial sites; but they could not use the key on another machine (on which they installed LastPass), because the LastPass master password is needed to do the initial setup. LastPass of course gives you the ability to generate strong passwords for all your sites, as you don’t have to be able to remember them. And for your financial sites, without the NEO, no one else could access them, as you could not possibly remember the extender to tell them.

A transcript of this long extender should of course have been put in your local encrypted password vault, which is vulnerable if your master password is leaked… (keylogger...). Even that could be secured, using two NEOs (one in the safe so you can still get in if you lose the first!). Something like KeePass 2 (an encrypted local password and certificate vault) can be set up to require both a password and the NEO, with the latter operating in OATH-HOTP mode: the key emits a fresh one-time code on each press and the secret never leaves the key, so a keylogger captures only a code that has already been used and cannot be replayed. I’m not sure I am sufficiently paranoid to go down that route just yet!
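To make the difference between the two key modes concrete, here is an added example (my own code, not from the post or from Yubico / KeePass / LastPass). It shows the static-extender scheme used for the banking sites, where a keylogged login can be replayed unchanged, next to an RFC 4226 HOTP token and verifier of the kind the KeePass OTP set-up relies on, where a captured code is rejected on replay and a missed button press is tolerated by a look-ahead window. The memorised password and extender are constructed demo values; the HOTP secret is the RFC 4226 test-vector secret, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# --- 1. Static-extender mode (banking sites in the post) --------------------

# Constructed demo values; in real use the extender lives only on the key.
MEMORISED = "correct-horse-battery"             # the part the user remembers
EXTENDER = "uTcP7nKq2ZgM4vX9bR3sL8wE6hJ1yA0d"   # what the NEO types on long touch


def composite_password(memorised: str, extender: str) -> str:
    """Site password = memorised part followed by the key-typed extender."""
    return memorised + extender


def static_replay_accepted(captured: str, memorised: str, extender: str) -> bool:
    """The key types the same string every time, so a keylogged login is reusable."""
    return hmac.compare_digest(captured, composite_password(memorised, extender))


# --- 2. OATH-HOTP mode (RFC 4226), as used by the KeePass OTP key provider --

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """Token side: what the key does on each touch. The secret never leaves it."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """Vault side: shared secret plus the next counter value it will accept."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self._secret = secret
        self.counter = 0            # next expected counter
        self.look_ahead = look_ahead  # presses that never reached us are tolerated

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.counter = c + 1  # every counter <= c is now burnt
                return True
        return False


def demo_hotp_replay(secret: bytes = b"12345678901234567890"):
    """Returns (fresh_code_ok, replayed_code_ok, code_after_missed_press_ok)."""
    token, vault = HotpToken(secret), HotpVerifier(secret)
    first = token.press()
    fresh_ok = vault.verify(first)        # True: never seen before
    replay_ok = vault.verify(first)       # False: keylogged code replayed
    token.press()                         # a press that never reached the vault
    skipped_ok = vault.verify(token.press())  # True: within look-ahead window
    return fresh_ok, replay_ok, skipped_ok


if __name__ == "__main__":
    typed = composite_password(MEMORISED, EXTENDER)   # what a keylogger sees
    print("static extender replay accepted:",
          static_replay_accepted(typed, MEMORISED, EXTENDER))
    print("hotp (fresh, replay, after missed press):", demo_hotp_replay())
```

The static scheme still does what the post wants, namely a password far too long to guess and useless to someone who only stole the key; the HOTP verifier shows why the extra step of putting the local vault behind an OATH factor closes the keylogger gap that the static extender leaves open.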

In closing, and as a bonus, the NEO key is also capable of acting as a smartcard, to manage login or drive encryption on your computers, and as a FIDO U2F (Universal Second Factor) authenticator for the growing range of internet sites and service providers that are adopting this standard. Google, Microsoft, Mastercard, PayPal, Alibaba and many more are behind it, so (Apple aside) I expect it to be widely adopted.
