YubiKey 5/FIDO2

I am just starting to investigate for myself, but wondered if anyone (@denzuko ?) had any experience with:

Hard to tell what’s just a gimmick these days…


Better not lose it :wink:

Definitely one of my overall concerns: Should one risk 1) forgetting one’s passwords? 2) having them hacked from a cloud storage service? or 3) depending on something physical (dongle) and then losing that!

A little while ago I worked on a project for healthcare HIPAA compliance where a USB key similar to this one was required for dual authentication. (Passwords were the first factor.) In order for a provider (doctor, RN, or PA) to prescribe a controlled substance they had to use the dual authentication. In order to acquire the USB key they had to submit to a DEA background check and provide all kinds of personal information such as credit cards, address and local addresses. Then the USB key was sent to their home, where the provider had to sign for it.

They were sworn to be the only people using the key and to never lose it. Unfortunately, almost immediately upon acquiring it they gave it to their MA for safekeeping. Then they would instruct their MA to prescribe the drugs. (Both are serious violations.) Lastly, more than a few of them misplaced the key in the hospital, their car or their office, only to have to go through the whole rigmarole again to acquire another.

Until they require you to use Biometrics for authentication everywhere you won’t be able to solve the lending/giving it away/losing it conundrum.

Yeah, I have a bunch of passwords to remember just like everyone else and I still don’t have an ideal solution.


I do not like biometrics because if that information ever gets hacked and sold, I cannot get another one.


I use LastPass and have failure, death, or loss fallbacks set up with other family members. It isn’t perfect, but it is better than probably 99% of people.

Bill makes a point I was going to …

This could be somewhat mitigated with reliable “live {biometric entity} detection”, but that challenge has eluded even $5000 fingerprint scanners. To be fair, the effort to defeat these is not trivial, but then again the effort to alter your fingerprint/back of your hand/retina/iris/whatnot in the event of it being “stolen” is far far greater.

There was a time when the mantra for ideal security was a combination of something you know, something you have, and something you are or a password, a token, and a biometric. But the reality is that all of these things are fragments of a single password; the latter two can be obtained, spoofed, or guessed just like a password.

You are absolutely right about hacking of passwords and biometrics in particular. Unfortunately, that is where it is all going. The level of complexity afforded by biometrics makes them very desirable by security vendors. Look at your iPhone, laptop computer or other devices for proof.

Soon you will only have to put your fingerprint or allow a retina scan to purchase stuff. After all it is a small step from ApplePay to using your thumbprint to call up your credit card info.

FWIW I’m not a big fan of biometrics either. But have no fear, your passwords and other security information have probably already been hacked. I attended a security conference where a keynote demonstrated, via a browser on the dark web, that over 65% of all health care records are already available on the dark web, scary as that might be. All you need is about $3.50 for a healthy chart and $40 for a chronic one.

Oh I use the fingerprint scanner on my phone for convenience. But I don’t use it for any more than phone unlocking and have avoided the temptations of NFC payment schemes as well. It’s my understanding that the prints remain solely on the device in a specific encrypted data store.

Perhaps someone will bother to lift a print off my phone itself and use that to unlock it before it times out / reverts to passcode for too many fails and gain some access to my various accounts, but that seems a bit unlikely as I doubt I’m of such interest that level of effort is worthwhile.

I’m fairly certain this is all available today and has been for a few years. I’m not even sure you need to power up quite a few smartphones to use NFC contactless payment.

Well, sure, some of it has. I was affected by the Gawker Media breach, and likely by the Equifax, Home Depot, and Epsilon breaches. Only the Home Depot breach really affected me, in the sense that I was issued a new credit card shortly afterwards. I’ve probably been affected by other lesser breaches on old accounts that have gone stale and point to nothing, such as throwaway email addresses, message boards I no longer frequent, etc. I have occasionally reused passwords for these low-importance accounts, but otherwise don’t reuse passwords.

I’m leery of password managers. Yes, they allow for max-length utterly un-guess-able, un-brute-force-able passwords. Yes, unlike most websites they use real encryption to protect the passwords at rest in the database. Yes the few times they’ve been hacked the perps got nothing but thoroughly hashed account information of almost no use. But someone always gets lucky when it comes to breaking security, and it’s added complexity logging in and accessing services with software and plugins to run.

SMS 2FA used to be reasonably secure. But as we now know, the SMS system isn’t as secure as it used to be, to the point that you don’t need to be somebody for it to be worth intercepting your SMS.

They’re actually really great devices. Personally I’ve used YubiKeys for two-factor authentication (2FA) in the past along with LastPass and for securing my bitcoin wallet. Though one of the best features I was able to test was the integration with the Linux login system called LibPAM to secure ssh, sudo, and anything else that requests a login or privilege elevation.

There have even been a few who used it for hard-drive disk encryption.

The best thing one can do is to buy two and have a backup key locked away somewhere secure. A safety deposit box at any bank, post office, or UPS is about $45/year and is tax deductible.


Awesome info. Thanks for your explanation. Amazing stuff.


For those onlooking, the terms hashing and encryption are often conflated with regards to credential security. Anyone serious about security doesn’t encrypt passwords, they hash them.

As for password managers: as the person who has to deal with breaches and attack orgs, password reuse and compromise is the biggest threat. Password managers are great at fixing this provided two details (assuming a well-made system like KeePass or LastPass):

  • user does not leave it logged in when not in use
  • user uses at least one strong, master password.

As for the yubikeys I use them a lot, and tons of the orgs I work with use them. I get sent some extras as well and they can all be tagged to the account, or a quick phone call can get a spare activated. The same keys can work for hundreds of services pretty seamlessly (using standards such as U2F and cert based auth)

As for biometrics, it’s silly how easily a lot of them can be broken; depending on the sensors in use, master prints can be made once a dataset has been obtained. I already know my fingerprints have been stolen at least once.
They make great usernames, but terrible password replacements.

-Jim

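The hashing-versus-encryption distinction made above is easy to state and easy to get wrong in code. The following is an added example, not code from this thread or from any product mentioned in it: a salted, iterated password hash with PBKDF2-HMAC-SHA256 from the Python standard library beside a toy reversible "encryption" (a plain XOR stream, deliberately insecure) to show why a stolen database of hashes is worth far less to an attacker than a stolen database of ciphertexts plus the key. The iteration count is an assumed figure in the range OWASP currently recommends for PBKDF2-HMAC-SHA256; tune it to your hardware.

```python
"""Hashing vs. encrypting stored passwords (added example, stdlib only)."""
import hashlib
import hmac
import os

# Assumed work factor; OWASP's password-storage guidance is in this range
# for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key.

    A fresh random salt per password means identical passwords produce
    different records, so an attacker cannot crack them in one pass or
    use a precomputed (rainbow) table.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def toy_encrypt(password: str, key: bytes) -> bytes:
    """Toy XOR stream 'cipher' standing in for any reversible scheme. NOT secure.

    The point is structural: whoever holds the key (the app server, a
    backup, an attacker with both) gets the plaintext password back.
    """
    data = password.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def toy_decrypt(blob: bytes, key: bytes) -> str:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob)).decode("utf-8")


def breach_outcome(password: str, key: bytes) -> dict:
    """What a stolen credential store yields under each approach.

    Returns the plaintext recovered from the 'encrypted' record and a
    flag for whether the hashed record can be inverted (it cannot; the
    only route is guessing, paid for at ITERATIONS per guess).
    """
    stored_hash = hash_password(password)
    stored_blob = toy_encrypt(password, key)
    return {
        "recovered_from_encrypted": toy_decrypt(stored_blob, key),
        "hash_is_reversible": False,
        "hash_verifies": verify_password(password, stored_hash),
    }


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                    # False
    print(breach_outcome("hunter2", key=b"\x13\x37\xbe\xef"))
```

Two things are worth noticing. Hashing the same password twice yields two different records because of the per-password salt, which is exactly what stops bulk cracking of a dump; and the slow, iterated derivation is what makes even a targeted guess expensive. A "real encryption" store, however strong the cipher, collapses to plaintext the moment the key travels with the data.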

Well that’s damn clever. I would’ve never thought about biometrics being used for usernames.


Yeah, there was a time I used my GPG fingerprint as my username. It made it super easy to know who I was and to be able to legally say that account was my property no matter what.


Sorry to revive an old topic, but this seemed relevant and important enough. Troy Hunt is a highly respectable InfoSec researcher. I’ve been using his tool a bit over a year now, and I recommend you do the same. https://haveibeenpwned.com
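For anyone who wants to check passwords against Troy Hunt's data without ever sending the password (or its full hash) off the machine, the Pwned Passwords service exposes a k-anonymity "range" API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and gets back every known suffix under that prefix with a breach count, so the match is made locally. The block below is an added example written for this thread, not code from haveibeenpwned.com; the endpoint `https://api.pwnedpasswords.com/range/` and the `SUFFIX:COUNT` line format are the published ones, while the network call is factored out so the logic runs offline against a constructed response (the breach counts in it are made up).

```python
"""Client side of the Pwned Passwords k-anonymity range check (added example)."""
import hashlib
from typing import Callable, Dict, Tuple

# Public endpoint; only the 5-character prefix is ever appended to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 split into the 5-char prefix that leaves the
    machine and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found).

    fetch_range is injected so the same logic serves a real HTTP client
    and an offline test; it receives the prefix and returns the body.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Real fetcher. Not called in the offline demo below."""
    import urllib.request

    req = urllib.request.Request(
        RANGE_URL + prefix,
        # The service asks for a User-Agent; name is an assumption.
        headers={"User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed sample response for offline use ---------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix
# sent would be 5BAA6. The other suffixes and all counts below are invented;
# a real response lists several hundred suffixes under each prefix.
SAMPLE_PREFIX, SAMPLE_SUFFIX = split_sha1("password")
SAMPLE_BODY = "\n".join(
    [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{SAMPLE_SUFFIX}:3861493",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ]
)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_http; knows only one prefix."""
    return SAMPLE_BODY if prefix == SAMPLE_PREFIX else ""


if __name__ == "__main__":
    print(split_sha1("password"))  # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(pwned_count("password", fake_fetch))                      # 3861493
    print(pwned_count("correct horse battery staple", fake_fetch))  # 0
    # Live check: print(pwned_count("password", fetch_range_http))
```

The privacy property comes from the prefix: 5 hex characters cover 2^20 buckets, so the server learns only that your password hashes into one of a few hundred known entries plus everything else that shares those 20 bits. Two caveats a practitioner should keep in mind: SHA-1 is used here only as a lookup key, not as a password hash (see the hashing example earlier in the thread), and a count of 0 means "not in this corpus", not "strong".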

One possible alternative to Troy’s site is CreditKarma. They offer, for free, a similar tool which will partially reveal your password to you to help you know what not to use.

Don’t know about you, but I’d rather run my own monitors. Not only is it a great way to build wordlists for my own rainbow tables, but there’s no trusting what goes on behind the scenes with other sites. Not that Troy Hunt is doing anything wrong with his data sets; he’s actually a really great guy. It’s just that data is power, and with power comes great responsibility.

If one’s looking to run their own then check out:

This will get the bulk of the lamer dumps, but with extra digging through deep web/dark web and select online forums one can get near 89% coverage.