Password management and 2FA

Anyone have any thoughts or experience on LastPass (premium) in conjunction with the YubiKey NEO? I am dealing primarily with a Windows 7 desktop, an Android tablet with NFC, and various machines running Linux Mint.

This was something I’ve been thinking about for a while, but it was also prompted by a mention of password security issues in another thread and overhearing family members explain password best practices to each other over the holidays. I’m kind of stuck with ridiculous passwords at work that change every 60 days, but there’s no reason I can’t have sanity at home.

Not much to you, I’m afraid; but I’ve been using LastPass (Premium) with a ‘standard’ Yubikey for about 3 years or so now. It works great. (Mac OSX with any of Safari, Chrome and Firefox.)

I can’t use the Yubikey with either my iPad or Android phone, so I’m reliant on my stupidly long passphrase to keep them safe.

The NEO looks interesting, especially if you can tie it into the new FIDO scheme that’s being pushed.

That is helpful, actually. I have not used any of these products nor anything even similar, so any experience is helpful. Especially about the longevity; that’s good to know. The whole idea of password managers makes me distinctly nervous, but I eventually came around and have been saving passwords in Chrome, synced to a Google account. I have two-factor authentication enabled for that, but I don’t really like having my phone be the second factor. Also, Google already owns a disturbing portion of my online life; I’d like to diversify a little so losing the Google account would not be such a catastrophe.

So really:

  • Any experience with hardware dongles for this purpose
  • Any experience with password management services, good or bad

@Lee_Ars, where is Ars on this? Don’t you know somebody? =)

I’ve been using KeePass as a password repository for several years now. Not two factor, but a great place to keep any and all IDs and passwords.

  • It’s an encrypted file on its own.
  • Each entry has lots of fields you can use or ignore as you see fit. User ID, password, notes, URL, a selectable icon, a tab to let you create your own fields, colors for that entry (whoo hoo?), attachments, and an audit trail. I use the notes field to jot down the security Q&A from sites that use it, because I do not ever answer using actual values. (For example: On what street was your first house? Answer: Grapefruit)
  • There is a built-in password generator, with selectable options for length/ caps/ smalls/ numbers/ special characters/ hyphen/ underscore/ brackets. It also gauges the strength of the passwords.
  • There are plug-ins, ( but I never started using them and so know little about them. The list is much more extensive than when I started… maybe I’ll take another look.

I keep a copy on Dropbox. That way either my wife or I can access it, from Android, iPad, Nexus tablet, or PC.

One of the nice things about the YubiKey product is the ability to use it to store PGP keys, SSH keys, and log in to appropriately set up desktops. I’ve seen enough documentation and support forum posts to be reasonably sure that these are things people actually do, not just a theoretical capability of the device.

Having all of that power in one device is somewhat terrifying. A spare in the safe deposit box might be appropriate.

I ordered one. We shall see.

I’ve seen a few sites that don’t even describe their requirements for a password, until after the first password doesn’t fit the requirements. I back away from those fast.

I use LastPass (premium), and have for some time. In my case, since I already use the Google Authenticator for many services I’ve been using it with LastPass too. As it uses the standard mechanism (TOTP?) for such services, you can use any number of authenticator apps.

I don’t currently use the FIDO devices, but I’m considering it for the better half as she’ll find it easier than the app on her phone.

Listing password requirements will just confuse people and make them count on their fingers to see if @firstchildname123! will work or not.

1 Like

One of the reasons I want to move off my phone being the second factor: my phone is a few years old and no longer runs the current OS with the current patches. I am leery about trusting it with my online keys.

Hah, well, I can’t speak for everyone, but most folks I know use TOTP (usually with Google Authenticator, since it’s lightweight and easy) on their phones for two-factor wherever possible. The idea of carrying around a dedicated two-factor auth device like the old-school RSA dongles is pretty much dead.

I should get more serious about passwords. Any pointers for someone who doesn’t want to jump into the total rabbit hole, like can I just pick up TOTP and run with it?

Don’t tell that to Broadcom. When I was laid off in 2013 they still had a ton of those in use. Although everyone who could usually downloaded the RSA app on their phone and gave the hard token back to us. I wasn’t cool enough for a company phone, so I couldn’t do that.

Even if I had a more modern phone and could commit to always having such, I am kind of leery about having the point of access (my phone) be the same object as my second factor.

I’m falling in love with Duo Security for 2FA. The Ars tech team rolled it out for staff logins and I’ve been using it for a week or so now; it’s slick as hell. You go to your web app, enter your credentials, and then you can supply a TOTP code or get an authentication prompt pushed to your phone, turning your phone into a single-click login device. I’ve signed up for Duo’s free tier and I’m using it now for’s webmail and, with PAM integration, on all the bigdino Linux servers. It’s slick as hell.

Doesn’t resolve @sig’s concern about using the login device as the security device, since it’s definitely mobile-dependent, but at least in my case I don’t log into anything with my phone.

Anyone recommend a password security for dummies article? Is there one on Ars?

Everything I keep running into uses acronyms that I don’t know. Like TOTP. And I know I can look those up too, but I’m looking for something I can also have my wife and daughter read.

Password security for dummies:

  1. Use a password manager & generate strong max-length passwords everywhere. 1Password, Keepass, and Dashlane are all great.
  2. There is no #2.

Unfortunately the main problem is behavioral, not technical. It’s less convenient to use a pw manager; even though they’re all super-slick, they don’t always record the right combo for the site you’re at (you might provide username, email, and PW to register, but login only with email & pw, while 1Password wants to use username & pw, so you have to edit the login for that page). Casuals end up just saying “screw it” and reverting to using their dog’s name. In the words of a friend, “I don’t really care and its not like anyone is going to go after me anyway lol.”

TOTP = time-based one-time-password. Think like those old RSA keyfobs with the continually-changing number. Same deal.

TOTP is all well and good, but we managed to find a scenario where it was useless.

Imagine a fleet of Unix servers. All the passwords are centrally managed via LDAP or similar. Now SSH into the first host and use your TOTP. Now login to a second machine. Ooops. Token doesn’t work, so you have to wait a minute for it to refresh. Now login to the third / fourth / fifth / twentieth machine.

I imagine you could integrate RSA (what we were trialing) with Kerberos (one authentication scheme we used) but the RSA guys setting it all up for us weren’t willing to try.

Bingo. So the technical end needs to be designed around how users actually interact.

I deferred getting a password manager for years because I really didn’t like the idea, but once I stopped to think about it and do some actual risk assessment, I’m much more likely to have problems because of password reuse. I have to assume that somewhere that I login uses crappy hashing on their password files and it’s just a matter of time.

I haven’t fully implemented things with the Ubikey yet; right now, it’s required to finish authenticating to my Lastpass account, and then that covers my online password needs. I no longer have username and passwords saved to my Google account. If nothing else, cracking my Google account will no longer result in complete pwnage of my life.

There are still websites that do this. I nearly lost one account, when someone using the credentials from a different website tried to lock the account and delete it. Unfortunately for them, they only had one of my throwaway email addresses, not the one I had used to sign up for the threatened account.

You and Lars have good points, as welln as everyone else in the conversation. The issue of password reuse is a good one. If Mr. X had access to the password I use on one site, he could get into other sites. The idea of having a different password for all these sites, according to each site’s restrictions and requirements, is not just daunting - I have to wonder if it’s even possible. There are accounts that I have signed up for, that I don’t even remember. I got an alert today from one, and I am trying hard to remember why I signed up for it.

And there are a few sites I have to log into where the password does not get saved. For some reason, Firefox doesn’t recognize their username and password fields at all. Can a password keeper do better?