Passwords & Yubikey

By combining a short unique code with the output from the static password feature of the Yubikey, you can have a different long & very strong password for each site or service you use.

Yubikey

The Yubikey is a hardware authentication token for secure login with two-factor authentication. The device inserts into a free USB port and when you touch the button it emits a very long secure password. The Yubikey comes with personalisation software which allows you to configure how the device operates.

How long you touch the button determines which type of password is emitted. If you touch and let go quickly, a one-time password is generated, which is useful with sites that support this feature. If you touch and hold the button for a couple of seconds and then release, the key emits a static password.

It’s this static password feature that I find useful for generating passwords for each site I use.

Passwords

The current best practices for choosing passwords are:-

The Yubikey satisfies points one and two by emitting long passwords with a mixture of characters. The key can produce a password something like:

a,&gJ_R^8w|jK(\EJvU#xW%2R?3a}rQz

To satisfy the last point of not reusing a password, we just need to pick a short easy to remember code for each site we use. For example, my Facebook password could start with:-

#fB6

This easy to remember code, while it does use each type of character, would be cracked within a couple of hours if used on its own. However, when combined with the Yubikey output it becomes significantly harder to crack. I would type this short code into the password field and then touch the Yubikey to append the long string of characters before hitting the login button. This would give me a Facebook password like:-

#fB6a,&gJ_R^8w|jK(\EJvU#xW%2R?3a}rQz

As Steve Gibson highlights in his password padding research, the length of the password really matters. Using Steve’s brute force password “search space” calculator, my example Facebook password would take several centuries to brute force crack. I’m happy with that, as I probably won’t be around in 30 years’ time.

You could make the password even longer by appending a year that means something special to you. It could be the year you got married, the year your first child was born, you choose. This would increase the password length by a further 4 characters and make it even harder to crack. You would enter your easy to remember four character code, then press the Yubikey to enter all the randomness and finally enter your chosen year before hitting the login button.

I’ve used a Yubikey for a couple of years and have had no problems with it. I’d rate the product 5/5, if you’re convinced then grab one from Amazon for around £20 ✶✶✶✶✶

There is a great video on YouTube about password security best practices which also mentions the Yubikey.

Picking passwords for databases

There will be times when you need to define passwords which don’t change, for example when setting up database accounts for either MySQL or PostgreSQL. Whatever you do, don’t try to make up your own password: it won’t be random enough, because humans are very bad at creating random passwords.

Use a service like perfect passwords, which generates a series of unique passwords for you. I’d use the password which has 63 random printable ASCII characters.

If you use Linux, the command line shown below will give you a unique password with a high level of entropy every time it’s run:

tr -dc '[:graph:]' < /dev/urandom | head -c 60 | xargs -0

Which when run will output a sixty character password such as:

hdp[cd)>5@Y|q;#.a~R[LP5u.E.vEk:$^%f!'7+%D7}rSd`)NpM+:Zc;rDK%

The command line takes output from urandom, the kernel’s random number generator, which gathers environmental noise from device drivers and other sources into an entropy pool. You can see the raw output of urandom by using the following command:

cat < /dev/urandom

The terminal screen will display lots of random output; to exit, press CTRL+C.

The output generated from urandom contains both printable and non-printable characters, and the non-printable characters would be unsuitable for a password. This is why I feed the output into the translation command tr with the [:graph:] character class (quoted, so the shell does not treat it as a filename pattern), which keeps only the printable characters and drops everything else, including the space character, as most password systems don’t allow spaces.

Finally we pass the output through the head command to pull out the first sixty characters. If you want to make longer and thus stronger passwords, replace sixty with a larger value.
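As an added example (not from the original post), the script below does in Python what the tr/head pipeline above does, and then puts numbers on the “length really matters” point from the Yubikey section by working out the search space for the short code alone, the code plus the Yubikey static output, and the code plus a year. The year “1999” and the guess rate of 1e12 per second are assumptions chosen for illustration.

```python
import math
import os

# tr -dc '[:graph:]' keeps only printable ASCII without the space: 0x21..0x7E,
# which is 94 distinct characters.
GRAPH_LOW, GRAPH_HIGH = 0x21, 0x7E
GRAPH_SIZE = GRAPH_HIGH - GRAPH_LOW + 1  # 94


def urandom_graph_password(length: int) -> str:
    """Python equivalent of: tr -dc '[:graph:]' < /dev/urandom | head -c LENGTH

    Like tr -dc it discards bytes outside the wanted set rather than mapping
    them modulo 94, so every output character is equally likely (no bias)."""
    out = []
    while len(out) < length:
        for b in os.urandom(64):
            if GRAPH_LOW <= b <= GRAPH_HIGH:
                out.append(chr(b))
                if len(out) == length:
                    break
    return "".join(out)


def entropy_bits(length: int, alphabet_size: int = GRAPH_SIZE) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def search_space(length: int, alphabet_size: int = 95) -> int:
    """Candidate passwords of exactly `length` symbols; 95 = all printable
    ASCII including space, the alphabet Gibson's calculator assumes."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Years needed to try the whole search space at a fixed guess rate.
    Assumes the attacker knows nothing about the password's structure."""
    return search_space(length) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed composition from the post: memorable code + static output + year
    code = "#fB6"
    static = r"a,&gJ_R^8w|jK(\EJvU#xW%2R?3a}rQz"
    year = "1999"  # assumed; the post says to pick a year that matters to you
    for label, pw in (("code", code), ("code+yubikey", code + static),
                      ("code+yubikey+year", code + static + year)):
        print(f"{label:18s} {len(pw):3d} chars {entropy_bits(len(pw), 95):6.1f} bits "
              f"{years_to_exhaust(len(pw), 1e12):.3g} years at 1e12 guesses/s")
    print("60-char database password:", urandom_graph_password(60))
```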