Password manager and physical security keys


#1

I want my kids, my wife and I to stop using passwords (especially common passwords shared across services). I’m worrying about password managers that can a) make me lose all passwords easily (i.e. no encrypted backups offsite) and b) services that may be compromised or abused by NSA & friends.

I’m now prepared to host all my personal data and media at home (personal NAS), and I plan to do encrypted backups offsite of all data to be safe. Locally, I’d like to integrate a password manager (service), so in theory passwords would only exist on our living room server.

My question:

Which combination of a password manager and a physical security key should we use that are all of:

  • convenient to use (e.g. easily integrated in all major web browsers and hardwares - phones, notebooks)
  • cross-platform (e.g. working on PureOS, Ubuntu, etc. - I don’t care much about macOS and Windows)
  • works when the service is offline (e.g. caches the database in a local app or so)
  • obviously integrates the password management service and the hardware security key (e.g. unlock master password with hardware key only)

I’m looking for an answer like: (seriously!)

“Take a YubiKey and LastPass, because that’s the best in terms of libre hardware and libre software, bla-bla-blah, endorsed by the FSF, bla-bla-blah, even Richard Stallman uses the same setup, and the Librem 5 will support …”

Thanks in advance for any hints and helpful thoughts!


#2

heh ! i would like to stop using passwords also but there aren’t many safe ways to do so unforunately.

what immediately springs to mind is the use of digital keys such as authenticators used in building access and enterprise use. such devices could also be usb thumb drives with harware buttons to protect by way of simple pin larger and more complex passwords that can be generated and inserted on the fly by the device without any need to remember or type anything by people.

storring passwords on anything fixed and internet connected is not a good secure way to go. cards and portable thumb drives are another story because they can be carried at all times just like keys. good old keys that is what we need not keys that can be stolen or copied through the internet.


#3

For normal usage, just use a strong enough password for your password manager, and write that password in a notebook. You can use a safe to store that notebook if you want. Backup the password manger file in your nas and cloud, and never use the password manager in unsafe computer. Now, how to get a strong password and easy to remember?

The solution is diceware, basically a xkcd style password.

The idea is pretty simple, but xkcd missed the most important point: randomness. You should not open a dictionary and find a word by your instinct. You should have a list of words, say 7776 of words, and randomly pick those word by real dice. Don’t use a computer to generate if you want real randomness. Find some detail information from the following site.
http://world.std.com/~reinhold/diceware.html

Why diceware is strong? Basically, if I am going to brute force a lower case alphabet only password, I would need to try at most 26^8 times for a password length of 8. Now if I am going to brute force a diceware password, I would need at most 7776^4 times for a 4 words password. Try calculate the numbers, even a 4 words weak diceware password has 4 more digits larger permutation than a 8 words lower case alphabet password.

Now, how much words do you need to secure a password manager? There are news that said 5 words diceware could break by GPU. Now I am not sure if it is true, but since password manager is your last defense, you should have at least 8 words. I go for 10 words anyway. If you have strong password, then you should not worry someone break your vault when you backup your keepass database in cloud.


#4

i was refering to a small portable offline device that is specialized in such complex generation and randomization. what use is a gpu brute force atack if i can generalte a complex and each time random password such as ?
a1@Q4uewiu&*$0oO&qwertyblablawhattheshitnobruteforcecrack!

yes it is only as secure as the key but it is still the most secure you can get and you can add an encripted pin on top of the physical device.

much like the home banking tools use the keyring tokens only without having to enter it first in the field online.

yes it doesn’t work for free email accounts but hey …


#5

What you are referring to is some smartcard device, like Yubikey. Google supports Yubikey and you can use Oauth to login most common web service, except ebanking maybe. You still need a password manager to use some site where Yubikey is not supported, but you can use Yubikey to encrypt your password manager database.

Yubikey starts as an open source hardware and software but decide to go propitiatory latter on. An alternative is Nitrokey.

If you use some device like this, then your last defense become the hardware key itself. Obviously, there are backup problem. If you backup the private key itself, then it does not make any difference then using a password manager with strong password and backup the database in cloud, apart from of course, usability.

Alternatively, you can buy multiple key and authenticate each key separately, i.e. don’t share private key between keys. Then you can put one key in a bank locker, put one key in your home safe and one you keep to yourself. However, no one knows the durability of a backup key, it is better to swipe using different key in a period of time, saying one month, to ensure each key working. Nothing worse than all your backup key doesn’t work and there are no locksmith for a Yubikey. Everything is lost if all keys are lost or malfunctioned.

I would say the password manager with strong password approach would be safe enough, and you don’t have a backup problem, which required much more care then remembering a strong password.


#6

I can’t answer in detail for the physical key part as i’m not using it, but i was in search for a password manager lately and decided on bitwarden as it is opensource and free.
They finance them-self by providing free and premium cloud storage and on this family and corporate sharing of the vaults. But as it is open source there are option to self host the server and set it up in the apps. Bitwardenruby is the one i found.

Apps and browser add-ons are available.

This article was what made me choosing bitwarden i think.

For hardware keys here the bitwarden website shows different 2FA option, some only for premium users.

Hope this helps.


#7

Great minds think alike! And so do I think about a small physical device, something on my physical key chain that allows me to

  1. unlock physical devices (notebooks, phones, etc.)
  2. access applications + data on them and in the cloud (obsoleting TOTP apps such as Google’s Authenticator)
  3. stores my secrets (SSH keys, GPG keys, certificates, personal password db)

All of that with the “convenience” (i.e. seamless integration of, say, phone features, the web browser, etc.) Todd Weaver stresses in some of his interviews. I don’t think that the Yubikey can do much of that, can it?

I really want all devices inaccessible without both the physical key and a password (that may be the master password to the password database stored on that key). I want all accounts in the cloud inaccessible without both a password (that may come from the password database on the key attached to the device I’m using) and an OTP generated by that key. If you lose the key … you have a problem! That’s how it must be.

And for my SSH and GPG keys, I don’t have to worry anymore about what to do before I reinstall one of the notebooks I use. The most valuable things I use (my secrets) – I carry them along with me on my key chain. No worries.

Is there any thought from Purism that goes into that direction? Any physical device or USB-stick solution that may come close?


#8

I’m not sure if this is relevant or already mentioned:
Purism is currently partnering with Nitrokey to make an OpenPGP smart token specifically for Purism laptops.

More info:
https://puri.sm/posts/purism-and-nitrokey-partner-to-build-purekey-for-purisms-librem-laptops/


#9

I’m not sure how Yubikey/Nitrokey work, but I think the best thing would be a “Physical Key + Password” method, where you need both to access the machine. The physical key should be required before you can even get to the password field.

The only other ways I know of are all biometric login methods which I hate all of really. What makes me afraid of fingerprint scanners and face readers and so forth is that I fear my fingerprint or face scans or whatever else could be stolen from it. Apple has that “Secure Enclave” but I’m just not that quick to trust anything.

I used to think using DNA samples to unlock devices was a cool SciFi idea as a kid. As an adult I can tell you I’d stay the heck away from any machine that works that way.

Lastly - it’s not even more secure than a good password really. Stealing your fingerprints or spoofing your face is, in most ways, far more trivial than trying to get a strong password out of you.

I think people have the wrong idea thinking that passwords aren’t secure enough. The problem isn’t that passwords aren’t strong enough - it’s that people are dumb and keep choosing easy passwords.


As a side-note, please for the love of God keep backups of your password database. I use a few throwaway USBs that I dedicated as backups. Inside is the database and everything needed to open it.

Not a great idea if you’re like, some secret agent or something, but that just isn’t my situation. These backups have saved my ass before when my hard drive failed.

Also, I wouldn’t use managers that use cloud backups or connect to the internet in any way honestly. I know I know, they’re encrypted backups - but if I trusted a company’s word so easily, I wouldn’t be on Purism.


#10

If you don’t trust the secure enclave and don’t trust a company’s word, why would you trust a physical security key?


#11

I trust open-source at least, which is what Purism is and Apple isn’t.

Otherwise, trusting Purism about anything would make no sense either. If you trust literally nobody then technology becomes unusable.

But I can at least be picky about audited open-source.

And be picky about what companies to trust (most put profits before all else), and not using biometrics.


#12

That’s exactly the thing I’m looking for, and want my family members to use. Convenient to use and “just safe”, e.g.

  1. Unlocking your notebook needs the physical device - and your password (a “master” password tied to the device may be fine)
  2. Logging in to any service or accessing (sensitive) data needs the physical device - and your password again

No physical device, no access. No password (e.g. physical device lost or stolen), no access. Just like a debit card to withdraw money from an ATM.


#13

Write it out by hand and keep it close to your computer, phone. Don’t store it on a computer or anything else on line.
Write it in a way that is familiar to yourself only, so that if someone finds that list they won’t know what it is for. Then make a copy for home use and a copy for travel. Try to remember the most used ones and when you have to remind yourself, be careful when opening the list on the road.
Let others who are trust worthy, to understand what you wrote to help you when you get old and forgetful or incapacitated.
You do not know who in the cloud would be looking at your passwords, however much they package their PR to get you to trust them with your data.


#14

I use a hardware password manager smart-card device called “Mooltipass mini.” Not sure how others feel about this. It’s pretty nice, I like it so far, and it has some other functions like the ability to store private keys / files / etc. Also easy to clone your smartcard to store an offsite backup. Not to mention you can export an encrypted backup onto your computer.

https://www.themooltipass.com/


#15

Is the password manager inside Firefox safe?


#16

It’s probably reasonably safe (more so if you set a master password), and assuming nobody discovered a vulnerability to access the unlocked store.
Without master password set, it is basically stored (almost) in plain text.

Personally, I use without master password, but never for important passwords.
Next security level for me is outside the browser (kwallet on KDE).
And then… some are only in my brain :slight_smile:


#17

let’s take mega.nz for example. they offer the code for public scrutiny. what i am worried is not the actual cloud itself but the middle man - yes the isp and other untrustworthy “hops” along the internet pipe.


#18

Yes I meant using Firefox password manager with a master password.


#19

Using firefox with a master password is likely no better than saving in plaintext as the system is fundamentaly insecure.

See these articles for more info:
https://palant.de/2018/03/10/master-password-in-firefox-or-thunderbird-do-not-bother


And see this report on the mozilla bug tracker:


#20

It pays to always stay somewhat suspicious, like not putting the really important ones in the store :slight_smile:
On the other hand, the attack vector here is that you have physical access to the file. So on a default PureOS install with full disk encryption you need at least one password.