Password managers like KeePass, LastPass and 1Password are essential tools for storing the gazillion unique and long passwords we have to generate for each site. Only one master password stands between your database and a hacker, however, so if you really want to secure your logins, a second layer of authentication helps. The YubiKey is an affordable and easy-to-use option.
You plug the USB device into your computer. When you touch the button, it either generates a unique one-time password or types a static password you store in its second slot. You can use the YubiKey to authenticate with the password managers KeePass and, as we noted before, LastPass, as well as a few others.
Colby Aley came up with a clever solution using 1Password and a YubiKey. He doesn’t even know his extremely long 1Password master password himself, yet even if the YubiKey and his computer are stolen, a thief still couldn’t get into the database:
I generated a fairly complex static password and programmed that to the second slot on my Yubikey.
Next, I set my 1Password master to a combination of two passwords. The first part is a moderately simple password that I can remember. The second part is the static password programmed into my Yubikey, which I couldn’t remember if I tried.
With this setup, I don’t technically know any of my passwords. I know part of my 1Password master, but not enough to authenticate without the Yubikey. On the other hand, if someone were to steal my Yubikey, they would also need my memorized portion to gain access.
In case the YubiKey gets stolen or lost, Colby keeps a printout of the static password in a secure location.
It’s an easy way to further lock down your passwords without too much hassle, and something you can replicate for your password manager of choice.
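As an added illustration (not Colby’s, 1Password’s or Yubico’s code), the following Python models the two-part master password described above: the memorized half and the YubiKey static half are concatenated and run through a password KDF, and either half on its own fails to unlock. The KDF, iteration count, salt, character set and the 38-character static length are assumptions for the example, not 1Password’s or the YubiKey’s real parameters.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed parameters for this constructed example only.
STATIC_ALPHABET = string.ascii_letters + string.digits
STATIC_LENGTH = 38          # assumed length of the YubiKey static password
KDF_ITERATIONS = 100_000    # assumed; a real vault uses its own KDF settings


def generate_static_password(length: int = STATIC_LENGTH) -> str:
    """Random static password of the kind programmed into a YubiKey slot.
    It is long enough that nobody is expected to remember it."""
    return "".join(secrets.choice(STATIC_ALPHABET) for _ in range(length))


def compose_master(memorized: str, static: str) -> str:
    """The vault master password is the memorized part followed by the
    static part the YubiKey types when its button is touched."""
    return memorized + static


def derive_key(master: str, salt: bytes) -> bytes:
    """Stretch the full master password into a vault key (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS)


def unlock(master_attempt: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time check of a candidate master against the stored key."""
    return hmac.compare_digest(derive_key(master_attempt, salt), expected_key)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of guessing work left to an attacker who holds the other part
    of the master password but must still brute-force this part."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = b"constructed-example-salt"
    static = generate_static_password()
    master = compose_master("correct horse", static)   # constructed sample
    key = derive_key(master, salt)
    print("full master unlocks:", unlock(master, salt, key))
    print("memorized part alone:", unlock("correct horse", salt, key))
    print("stolen YubiKey alone:", unlock(static, salt, key))
    print("bits behind the static part:", round(entropy_bits(STATIC_LENGTH, len(STATIC_ALPHABET))))
```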
I know none of my passwords [Colby Aley]
Comments
3 responses to “Make Your Password Manager Even More Secure With A Yubikey”
Yes, completely secure. Until someone looks over your shoulder to see you enter your password, then “borrows” your Yubikey while you aren’t looking.
Password managers are great for ensuring you have a strong, unique password for every site you access. This means if a site you access is compromised, it isn’t likely to affect other sites you access.
However, your security is only as strong as its weakest point, so the biggest security issue is still someone you know accessing your computer while you are logged in to a site. Yubikey does little to fix that.
They would still need access to your password database…
Problem with this solution (and any like it) is that it is still vulnerable to keyloggers.
Really, the passwords need to be stored on an external device, and a ‘header’ app can only access lists of them – possibly not even usernames. Then, when you want to autotype a password, the device displays a notification and has a ‘confirm’ button which then autotypes just that one password for that one site.
That way, no matter what data is harvested from the computer, password theft can only be done one at a time.