|
The Fool posted:yeah, I currently use 1password for passwords and Microsoft Authenticator for totp keep rear end and microsoft authenticator for me drat good authenticator app imo
|
#
?
Aug 13, 2021 08:27
|
|
|
|
| # ? Apr 24, 2024 09:12 |
|
|
yea i use separate apps for the two as well, 1pw+authy. was just musing how appropriate, i guess, is of 1pw or bitwarden to promote in-manager totp to people
|
|
#
?
Aug 13, 2021 08:41
|
|
|
I started using authy when ms authenticator did not allow saving otp backups or sync after my google authenticator install corrupted its database(I know it’s not safe but I have too many otp to re enroll at every phone swap otherwise). I have moved the critical otp over to a yubikey to mitigate authy sync happy downside. Passwords are provided by keepass or KeePassium depending on platform. I keep otp and password separate cause there is not a decent native implementation for otp on keepass on my all my apps. SlowBloke fucked around with this message at 08:46 on Aug 13, 2021 |
|
#
?
Aug 13, 2021 08:42
|
|
|
i keep mine separate too (bitwarden + ms authenticator) but i've considered moving some totp into bitwarden because i have way too loving many. For now i pushed the frequent/important ones to the top of ms authenticator.
|
|
#
?
Aug 13, 2021 11:15
|
|
|
I use 1Password and Authy, but I kept forgetting my Authy backup password so I put it in 1Password and that sort of defeats the purpose.
|
|
#
?
Aug 13, 2021 12:02
|
|
|
OTP that’s generated by a shared seed is really just another (relatively long) password that’s stored reversibly encrypted in a seed database on both sides. So I wouldn’t overthink storing OTP seeds in a PWM. It’s Fine. If you’re really paranoid, change your PWM to only unlock with a yubikey and PIN. The gold standard is FIDO/U2F because your hardware key has a private key which never leaves it. When you enroll with an OTP service, your side stores their public key so that *your* side can compare to make sure you’re not getting MitM’d. The down side is if you lose that key all your OTP goes with it (just buy 2 yubikeys!).
|
|
#
?
Aug 13, 2021 12:09
|
|
|
ewiley posted:OTP that’s generated by a shared seed is really just another (relatively long) password that’s stored reversibly encrypted in a seed database on both sides. So I wouldn’t overthink storing OTP seeds in a PWM. It’s Fine. If you store the secret together with the password, it's very likely that both will be compromised at the same time, so it's not really adding much security (I guess even if they're stored together it's slightly better than no TOTP since the secret will still be safe if you just manually enter your password into a phishing page or something but not much and password managers usually help against that by checking the domain anyway). The fact that it has to be stored as plaintext on the server doesn't matter that much because you don't reuse TOTP secrets. That said, U2F is definitely better. Using a yubikey to unlock a password manager is probably not that meaningful either since it's normally at most being used as a passphrase or symmetric key for the entire password database (unless you're using pass with a gpg key stored on a yubikey neo/4). mystes fucked around with this message at 12:40 on Aug 13, 2021 |
|
#
?
Aug 13, 2021 12:23
|
|
|
the one use case 1Password's 2fa is really great for is work stuff. being able to have shared credentials in a team vault also have 2fa configured is so helpful.
|
|
#
?
Aug 13, 2021 14:44
|
|
|
MononcQc posted:I use 1Password and Authy, but I kept forgetting my Authy backup password so I put it in 1Password and that sort of defeats the purpose. if you turn off multi-device authy should be safe anyway, even if you get simjacked (or so i've been told)
|
|
#
?
Aug 13, 2021 15:39
|
|
|
mystes posted:Using a yubikey to unlock a password manager is probably not that meaningful either since it's normally at most being used as a passphrase or symmetric key for the entire password database (unless you're using pass with a gpg key stored on a yubikey neo/4). I don't quite understand the distinction here, or how it doesn't provide meaningful additional protection. I'd love it if you could go into more detail here!
|
|
#
?
Aug 13, 2021 16:31
|
|
Cat Army 
|
ewiley posted:(just buy 2 yubikeys!). Some sites sadly let you only register one single yubikey, hopefully this RFC will let you solve that issue https://www.yubico.com/blog/yubico-proposes-webauthn-protocol-extension-to-simplify-backup-security-keys/
|
|
#
?
Aug 13, 2021 16:42
|
|
|
The Iron Rose posted:I don't quite understand the distinction here, or how it doesn't provide meaningful additional protection. I'd love it if you could go into more detail here! It's not as good as doing something where you need the device to decrypt each password individually in which case only the passwords you actually decrypt could be stolen. I think back in the day lastpass for example just used the static part of yubikey codes for encryption which is pretty halfassed but you can also configure a yubikey to do a longer static password, but neither of these things maintains the property where you actually need to steal the token because just intercepting the code isn't enough. As I mentioned it's possible to use the fancier yubikeys with gpg keys but I think that pass is probably the only password manager that can actually do this. I think there's also a mode for older yubikeys where they do symmetric encryption on the device without sending the key to the host and that might be more secure if each password was encrypted individually, but I don't think anything uses it. It may also be possible to do something like this with one of the extensions to U2F that yubikey 4s support (I think there's something for encryption) but normal U2F/FIDO2 keys can't be used for encryption at all. Edit: TL;DR: Anything where you just use the yubikey once to "unlock" the password manager and then you can view all of the passwords, which is the way I think most password managers are designed, is inherently going to have the problem that just intercepting whatever the yubikey sends or dumping memory is going to be enough to steal the whole password database. mystes fucked around with this message at 17:39 on Aug 13, 2021 |
|
#
?
Aug 13, 2021 16:57
|
|
|
mystes posted:I mean it's the same as entering a passphrase by the keyboard so it's not terrible and will provide protection if someone steals your computer while it's off, but if your computer is compromised there's no reason they can't just steal the key or passphrase when you use your yubikey and that allows them to decrypt the entire password database. Current yubikey stance is either challenge response or hotp https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass both require plugins so if you want to use your yubikey on mobile apps you might be stuffed depending on the app.
|
|
#
?
Aug 13, 2021 20:49
|
|
|
SlowBloke posted:Current yubikey stance is either challenge response or hotp Challenge-response "just works" with keypassxc, in my experience. I've also used Strongbox on iOS, where it's a paid feature, but it works, and "Keepass2Android Password Safe" works on Android, both will open a keepassxc DB.
|
|
#
?
Aug 13, 2021 20:59
|
|
|
SlowBloke posted:Current yubikey stance is either challenge response or hotp If you're logging into a password manager web app you absofuckinglutely should use some sort of 2FA to protect your password manager in general and yubikey HOTP and Challenge/Response or normal TOTP are all fine for that. Once the password database is being stored on your computer in an extension or something, which is how most people use it, or once someone it's impossible for a yubikey to actually protect it in any real way so if someone steals the passwords they're also going to immediately have your TOTP secrets which sort of defeats the purpose of using TOTP in the first place. Similarly, if someone manages to get into your password manager web app once, they're going to be able to get both the passwords and TOTP codes all at once. mystes fucked around with this message at 21:29 on Aug 13, 2021 |
|
#
?
Aug 13, 2021 21:21
|
|
|
mystes posted:I think this conversion got mixed up and maybe I misunderstood what someone was saying but I was trying to say that it's not great to store TOTP secrets in your password manager and using a yubikey to authenticate to the password manager doesn't really fix that. Oh, sorry if I was out of scope, I just wanted to clear any confusion on the official option for current yubikeys. There is no U2F/Fido plug-in in the keepass repo so, if you don’t want to add an extra overlay of cryptography over the keepass file with the openpgp strata or the virtual smart card as the unlock key, those two are your current supported picks. While I understand the security implication of “if the device containing the keepass file is compromised and rooted, anything is unsafe”, there is a usability-security compromise to implement. If using the password safe takes more time than engaging a lost password flow, there is not much use of hardening keepass so much when you are never going to use it. Also anything older than 5series is EoL so don’t suggest to get any of those old parts to anyone that might want to purchase a yubikey 
SlowBloke fucked around with this message at 22:00 on Aug 13, 2021 |
|
#
?
Aug 13, 2021 21:55
|
|
|
mystes posted:I think this conversion got mixed up and maybe I misunderstood what someone was saying but I was trying to say that it's not great to store TOTP secrets in your password manager and using a yubikey to authenticate to the password manager doesn't really fix that. The primary threat TOTP is designed to counter is stealing a credential over the wire for replay or reuse, not protecting the secret at rest. It’s actually *worse* for at-rest theft than using a password since the a password is only stored on a server as a hash. I guess if you use a really weakly encrypted PWM it might matter, but IMO the usability gains of having everything in one place to be backed-up and available all the time outweighs the minor benefit of storing them in 2 devices (unless you’re using Microsoft Authenticator which backs-up the seeds to your MS account anyway). If you’re using very sensitive services you shouldn’t use seed-based TOTP in the first place. The point of the authentication with a yubikey is to encrypt the PWM DB with something that is extremely difficult to brute force. Typically the PWM DB is just encrypted with the password you set on it.
|
|
#
?
Aug 14, 2021 02:47
|
|
|
ewiley posted:The point of the authentication with a yubikey is to encrypt the PWM DB with something that is extremely difficult to brute force. Typically the PWM DB is just encrypted with the password you set on it.
|
|
#
?
Aug 14, 2021 03:17
|
|
|
You're possibly referring to different things: local password manager where "login" means decrypting the vault on disk (and the yubikey just stores some strong master password); and cloud password manager where "login" is a protocol you run with the server (and the yubikey is for auth)
|
|
#
?
Aug 14, 2021 03:24
|
|
|
mystes posted:The first sentence here doesn't make sense to me. I don't see how authentication with a yubikey is useful to encrypt anything. In the normal mode of operation where it acts as an HID device and types HOTP codes, it is literally useless for encryption. Sorry I’m being imprecise, I’m referring to the key used to encrypt a PWM. The encryption of a PWM database is derived from the mechanism used to open it/authenticate to it, it’s symmetrically encrypted. You can’t encrypt/decrypt something with a key you don’t have. If you use a password to encrypt it, the password is the key to decrypting it. There are a number of ways to use yubikeys in various modes to add them as a factor to databases https://keepass.info/help/kb/yubikey.html https://strongbox.reamaze.com/kb/yubikey/how-do-i-add-yubikey-as-a-factor-to-an-existing-database
|
|
#
?
Aug 14, 2021 12:53
|
|
|
Yeah if you use a yubikey to input a static passphrase that's used to derive the encryption key it will at least protect your passwords if someone steals your computer when it's off. It's the same as typing a passphrase manually but I guess it's less effort to use a longer passphrase if the yubikey is doing the typing for you. I'm surprised people are trying to use challenge/response mode for encryption because that's absolutely not what it's intended for but I guess it may theoretically protect against the following things beyond a static passphrase: - if someone steals the response one time they will only be able to decrypt the version of the database saved at that time, so if they came back and stole your computer while it's off again later they wouldn't be able to decrypt the newer version of the password database (but obviously if anyone actually steals your yubikey they'll be able to decrypt any version and if they compromise the computer you use your yubikey on you're screwed anyway). - if someone temporarily steals your yubikey without already having the challenge for any existing version of the password database, they won't be able to obtain the response for any version of the database and then return the yubikey without you noticing However, If you're worried about this scenario you should probably be using a yubikey in smartcard/gpg mode or something anyway (or maybe just using bitlocker in TPM+PIN mode) rather than something janky like this. Personally I think that in 2021 having your computer compromised while it's running is a MUCH bigger threat in general, and I'm not sure that encrypting your password database really does anything against that though. (Except for laptops left in insecure locations which should probably be using full disk encryption anyway.) mystes fucked around with this message at 13:51 on Aug 14, 2021 |
|
#
?
Aug 14, 2021 13:42
|
|
|
folks itt forgetting what threat modeling isewiley posted:The primary threat TOTP is designed to counter is stealing a credential over the wire for replay or reuse, not protecting the secret at rest. It’s actually *worse* for at-rest theft than using a password since the a password is only stored on a server as a hash. this one gets it. totp is just "something you have". it's not designed to be secure, only that the resultant time-boxed code can be calculated based on the seed value and can only be used once there's no real reason to keep totp and credential separate because if your password manager as a whole is compromised you have much bigger problems
|
|
#
?
Aug 14, 2021 15:19
|
|
|
if offered the choice, i'd rather have passphrase-protected keyfiles using key derivation function with length determined by decryption-time-iteration (similar to how geli works on freebsd, where the faster the cpu at key creation time, the longer the key is), rather than just passwords or passphrases alone
|
|
#
?
Aug 14, 2021 15:43
|
|
|
Blinkz0rz posted:folks itt forgetting what threat modeling is The entire definition of 2FA is that it's separate, so if you store it together with your passwords, that's not 2FA. You could say "yeah but TOTP is better even if it's not 2FA" but you're basically just reinventing the ancient challenge/response authentication modes that various protocols used to have that were deprecated thanks to SSL/TLS. If you just want something to replace passwords since passwords are dumb then use FIDO2 or client side certificates or something. mystes fucked around with this message at 17:29 on Aug 14, 2021 |
|
#
?
Aug 14, 2021 17:25
|
|
|
mystes posted:OK, since you're bringing up threat modelling, exactly what threat are you protecting against by having a TOTP secret stored in your password manager together with the password? If you're using a password manager you're already presumably using long, unique passwords, and the password manager should already protect against phishing to some degree since it will check the domain. Protecting the password over the wire is not usually an issue now either. you're not protecting against any threat by having totp stored next to your password but again, if your password manager is compromised you have bigger problems
|
|
#
?
Aug 14, 2021 17:31
|
|
|
i've never seen a working definition of totp be: a thing that's stored in my password manager
|
|
#
?
Aug 14, 2021 18:25
|
|
|
there's a convenience vs security matter at play where threat modeling matters. is it more secure to put your 2fa stuff in a second app on your phone that's protected by a different password/biometrics? sure is! is it less secure to keep it in your password manager. yup! does that really matter if your password manager is compromised? probably not so much. there are tons of sites that folks have to use (banks, insurance, state govt, etc) that don't offer totp as 2fa or don't support 2fa at all and attackers can and will go after as much low hanging fruit as possible. you get to decide your risk profile here
|
|
#
?
Aug 14, 2021 18:37
|
|
|
i login to my bank website with a six number code. no 2fa, but they scramble the buttons each time!
|
|
#
?
Aug 14, 2021 19:43
|
|
|
does hsbc still do the “enter the 7th and 11th numbers on your debit card and also the 2nd and 4th letters of your password” to log in?
|
|
#
?
Aug 14, 2021 20:01
|
|
|
secfuck in ham land! https://old.reddit.com/r/amateurradio/comments/p41mx4/amateurradiodigital_guy_banned_me_from_dmr/ * guy runs a site that makes 'contact lists' for a particular type of ham radio. you load the contact list up in your rig and peoples' call signs pop on the screen when theyre talking. * no https, no input sanitizing, php * ham signs up for it, notices his pwd is emailed to him in plaintext. logs in. password is listed on his account page. * asks admin to deactivate account as he's not comfortable with how the site is being run, and explains why to the admin * admin responds with a passive aggressive email and not only shuts down dudes account and bans him, but changes his callsign to "BANNED" in the database. so that's what'll pop up on everybody's radio every time this guy keys up. people are rightfully dragging him
|
|
#
?
Aug 14, 2021 21:27
|
|
|
Wild EEPROM posted:does hsbc still do the “enter the 7th and 11th numbers on your debit card and also the 2nd and 4th letters of your password” to log in? every bank i've dealt with in the uk has a "memorable information" type thing separate from your passphrase that you have to enter 3 random letter/numbers from every log in. 
|
|
#
?
Aug 15, 2021 01:04
|
|
|
at least they'll never ask you to enter your FULL memorable information, thank god
|
|
#
?
Aug 15, 2021 01:19
|
|
|
Crust First posted:every bank i've dealt with in the uk has a "memorable information" type thing separate from your passphrase that you have to enter 3 random letter/numbers from every log in.
|
|
#
?
Aug 15, 2021 01:23
|
|
|
remember it's not a password, it's "memorable information", which is why it's okay for us to store it in plaintext so that we can pick individual characters from it to ask about
|
|
#
?
Aug 15, 2021 01:27
|
|
|
I feel like calling it memorable information just gives them an excuse to make fun of customers who forget it.
|
|
#
?
Aug 15, 2021 01:28
|
|
|
mystes posted:I love the dos game copy protection energy here. put on your 3d red-blue glasses and read hte 9th word on your june bank statement oh poo poo did i accidentally invent a sensible otp for id verification on utility and tax bills
|
|
#
?
Aug 15, 2021 01:49
|
|
|
 every january we mail you a new one with your bill i mean you could just print a number on teh bill itself but that depends on people recognizing the bill might be useful later and keeping it without needing to explicitly be told HEY THIS IS USEFUL HANG ONTO IT
|
|
#
?
Aug 15, 2021 01:53
|
|
|
Jabor posted:remember it's not a password, it's "memorable information", which is why it's okay for us to store it in plaintext so that we can pick individual characters from it to ask about just hash every permutation of three letters
|
|
#
?
Aug 15, 2021 02:28
|
|
|
got another one of those "we saw all your secrets pay us a bitcoin and we'll go away" scare spam letters but i think this one wins for wordingquote:U wank off like a machine gun) I wish there were ur sport at the Olympic Games) I’m confident you would be ranked first) I track u for years, u never cease to surprise me by ur fondness for intimate pleasure. The thing that astonishes me is that you are a mature person but u do such abhorrent things that do not come natural with adults. Ur hobby is comparable to dependency of drug users. There’s no doubt u have supernatural powers, an average human being will never survive such exertion) It's surprising that you haven’t rubbed your hand or ur tool yet) Fun is fun but let’s get to the point. Having accessed to ur device I recorded a vid with ur home habit. And now I am gonna post it on the web and share it with the contacts from your mail. When u practice such type of stuff, I recommend u to hide ur camera. Alternatively the case similar to yours can happen. When I receive my money, nobody will see your home hobby. I provide you with thirty six hours to fulfill my claims, in case u ignore me, in seventy-two hours I’ll distribute ur compromising information. The decision is urs, and do not try to communicate with me, I am gonna delete the email address to ensure my security. finally, someone who appreciates my artform
|
|
#
?
Aug 15, 2021 02:34
|
|
|
|
| # ? Apr 24, 2024 09:12 |
|
|
flakeloaf posted:
new QAnon craze "THE GOVERNMENT IS SENDING SECRET MESSAGES TO YOUR BRAIN CHIP VIA YOUR UTILITY BILL"
|
|
#
?
Aug 15, 2021 02:58
|
|
