Password manager and physical security keys


#1

I want my kids, my wife and I to stop using passwords (especially common passwords shared across services). I’m worrying about password managers that can a) make me lose all passwords easily (i.e. no encrypted backups offsite) and b) services that may be compromised or abused by NSA & friends.

I’m now prepared to host all my personal data and media at home (personal NAS), and I plan to do encrypted backups offsite of all data to be safe. Locally, I’d like to integrate a password manager (service), so in theory passwords would only exist on our living room server.

My question:

Which combination of a password manager and a physical security key should we use that are all of:

  • convenient to use (e.g. easily integrated in all major web browsers and hardwares - phones, notebooks)
  • cross-platform (e.g. working on PureOS, Ubuntu, etc. - I don’t care much about macOS and Windows)
  • works when the service is offline (e.g. caches the database in a local app or so)
  • obviously integrates the password management service and the hardware security key (e.g. unlock master password with hardware key only)

I’m looking for an answer like: (seriously!)

“Take a YubiKey and LastPass, because that’s the best in terms of libre hardware and libre software, bla-bla-blah, endorsed by the FSF, bla-bla-blah, even Richard Stallman uses the same setup, and the Librem 5 will support …”

Thanks in advance for any hints and helpful thoughts!


#2

heh ! i would like to stop using passwords also but there aren’t many safe ways to do so unforunately.

what immediately springs to mind is the use of digital keys such as authenticators used in building access and enterprise use. such devices could also be usb thumb drives with harware buttons to protect by way of simple pin larger and more complex passwords that can be generated and inserted on the fly by the device without any need to remember or type anything by people.

storring passwords on anything fixed and internet connected is not a good secure way to go. cards and portable thumb drives are another story because they can be carried at all times just like keys. good old keys that is what we need not keys that can be stolen or copied through the internet.


#3

For normal usage, just use a strong enough password for your password manager, and write that password in a notebook. You can use a safe to store that notebook if you want. Backup the password manger file in your nas and cloud, and never use the password manager in unsafe computer. Now, how to get a strong password and easy to remember?

The solution is diceware, basically a xkcd style password.

The idea is pretty simple, but xkcd missed the most important point: randomness. You should not open a dictionary and find a word by your instinct. You should have a list of words, say 7776 of words, and randomly pick those word by real dice. Don’t use a computer to generate if you want real randomness. Find some detail information from the following site.
http://world.std.com/~reinhold/diceware.html

Why diceware is strong? Basically, if I am going to brute force a lower case alphabet only password, I would need to try at most 26^8 times for a password length of 8. Now if I am going to brute force a diceware password, I would need at most 7776^4 times for a 4 words password. Try calculate the numbers, even a 4 words weak diceware password has 4 more digits larger permutation than a 8 words lower case alphabet password.

Now, how much words do you need to secure a password manager? There are news that said 5 words diceware could break by GPU. Now I am not sure if it is true, but since password manager is your last defense, you should have at least 8 words. I go for 10 words anyway. If you have strong password, then you should not worry someone break your vault when you backup your keepass database in cloud.


#4

i was refering to a small portable offline device that is specialized in such complex generation and randomization. what use is a gpu brute force atack if i can generalte a complex and each time random password such as ?
a1@Q4uewiu&*$0oO&qwertyblablawhattheshitnobruteforcecrack!

yes it is only as secure as the key but it is still the most secure you can get and you can add an encripted pin on top of the physical device.

much like the home banking tools use the keyring tokens only without having to enter it first in the field online.

yes it doesn’t work for free email accounts but hey …


#5

What you are referring to is some smartcard device, like Yubikey. Google supports Yubikey and you can use Oauth to login most common web service, except ebanking maybe. You still need a password manager to use some site where Yubikey is not supported, but you can use Yubikey to encrypt your password manager database.

Yubikey starts as an open source hardware and software but decide to go propitiatory latter on. An alternative is Nitrokey.

If you use some device like this, then your last defense become the hardware key itself. Obviously, there are backup problem. If you backup the private key itself, then it does not make any difference then using a password manager with strong password and backup the database in cloud, apart from of course, usability.

Alternatively, you can buy multiple key and authenticate each key separately, i.e. don’t share private key between keys. Then you can put one key in a bank locker, put one key in your home safe and one you keep to yourself. However, no one knows the durability of a backup key, it is better to swipe using different key in a period of time, saying one month, to ensure each key working. Nothing worse than all your backup key doesn’t work and there are no locksmith for a Yubikey. Everything is lost if all keys are lost or malfunctioned.

I would say the password manager with strong password approach would be safe enough, and you don’t have a backup problem, which required much more care then remembering a strong password.


#6

I can’t answer in detail for the physical key part as i’m not using it, but i was in search for a password manager lately and decided on bitwarden as it is opensource and free.
They finance them-self by providing free and premium cloud storage and on this family and corporate sharing of the vaults. But as it is open source there are option to self host the server and set it up in the apps. Bitwardenruby is the one i found.

Apps and browser add-ons are available.

This article was what made me choosing bitwarden i think.

For hardware keys here the bitwarden website shows different 2FA option, some only for premium users.

Hope this helps.


#7

Great minds think alike! And so do I think about a small physical device, something on my physical key chain that allows me to

  1. unlock physical devices (notebooks, phones, etc.)
  2. access applications + data on them and in the cloud (obsoleting TOTP apps such as Google’s Authenticator)
  3. stores my secrets (SSH keys, GPG keys, certificates, personal password db)

All of that with the “convenience” (i.e. seamless integration of, say, phone features, the web browser, etc.) Todd Weaver stresses in some of his interviews. I don’t think that the Yubikey can do much of that, can it?

I really want all devices inaccessible without both the physical key and a password (that may be the master password to the password database stored on that key). I want all accounts in the cloud inaccessible without both a password (that may come from the password database on the key attached to the device I’m using) and an OTP generated by that key. If you lose the key … you have a problem! That’s how it must be.

And for my SSH and GPG keys, I don’t have to worry anymore about what to do before I reinstall one of the notebooks I use. The most valuable things I use (my secrets) – I carry them along with me on my key chain. No worries.

Is there any thought from Purism that goes into that direction? Any physical device or USB-stick solution that may come close?


#8

I’m not sure if this is relevant or already mentioned:
Purism is currently partnering with Nitrokey to make an OpenPGP smart token specifically for Purism laptops.

More info:
https://puri.sm/posts/purism-and-nitrokey-partner-to-build-purekey-for-purisms-librem-laptops/


#9

I’m not sure how Yubikey/Nitrokey work, but I think the best thing would be a “Physical Key + Password” method, where you need both to access the machine. The physical key should be required before you can even get to the password field.

The only other ways I know of are all biometric login methods which I hate all of really. What makes me afraid of fingerprint scanners and face readers and so forth is that I fear my fingerprint or face scans or whatever else could be stolen from it. Apple has that “Secure Enclave” but I’m just not that quick to trust anything.

I used to think using DNA samples to unlock devices was a cool SciFi idea as a kid. As an adult I can tell you I’d stay the heck away from any machine that works that way.

Lastly - it’s not even more secure than a good password really. Stealing your fingerprints or spoofing your face is, in most ways, far more trivial than trying to get a strong password out of you.

I think people have the wrong idea thinking that passwords aren’t secure enough. The problem isn’t that passwords aren’t strong enough - it’s that people are dumb and keep choosing easy passwords.


As a side-note, please for the love of God keep backups of your password database. I use a few throwaway USBs that I dedicated as backups. Inside is the database and everything needed to open it.

Not a great idea if you’re like, some secret agent or something, but that just isn’t my situation. These backups have saved my ass before when my hard drive failed.

Also, I wouldn’t use managers that use cloud backups or connect to the internet in any way honestly. I know I know, they’re encrypted backups - but if I trusted a company’s word so easily, I wouldn’t be on Purism.


#10

If you don’t trust the secure enclave and don’t trust a company’s word, why would you trust a physical security key?


#11

I trust open-source at least, which is what Purism is and Apple isn’t.

Otherwise, trusting Purism about anything would make no sense either. If you trust literally nobody then technology becomes unusable.

But I can at least be picky about audited open-source.

And be picky about what companies to trust (most put profits before all else), and not using biometrics.


#12

That’s exactly the thing I’m looking for, and want my family members to use. Convenient to use and “just safe”, e.g.

  1. Unlocking your notebook needs the physical device - and your password (a “master” password tied to the device may be fine)
  2. Logging in to any service or accessing (sensitive) data needs the physical device - and your password again

No physical device, no access. No password (e.g. physical device lost or stolen), no access. Just like a debit card to withdraw money from an ATM.