On a well known security forum the question was asked what to do when you are in a shady Internet cafe. The consensus was of course that you shouldn't be anywhere near such a cafe, or at least that you shouldn't use its suspicious computers. Some suggested booting from your own USB drive with Linux installed, or simply bringing your own device. YubiKeys were also mentioned a lot.
A YubiKey is a small USB device with no battery or other power source of its own (it draws power from the USB port), which can be configured to emit a static password or to generate one time passwords. A one time password is a password that is valid only once, like the codes you get by SMS on your mobile for two factor authentication; banks have also delivered lists of them on paper by post. To anyone who does not own the device the codes should look random. True randomness is hard to get from a computer, so in practice generators rely on pseudo randomness: a deterministic process that starts from a secret and produces output which, for all intents and purposes, is indistinguishable from random to someone who does not hold that secret, even though the sequence is entirely reproducible (and, with finite state, eventually repeats) for someone who does. A YubiKey's one time passwords work this way: they are computed from a secret key and counters kept on the device, and the counters are also what makes each one usable only once, because the verifier rejects any counter value it has already seen.
Apparently YubiKeys are manufactured in Sweden under strict control. You can get them in different colors, and they can also be linked to a LastPass account. It seems that you can buy them in the Netherlands too. The cheapest ones cost 25 euro, if I am not mistaken.
A YubiKey has two configuration slots, selected by a short or a long press of the button. Either slot can hold a one time password credential or a static password; the typical setup is one time passwords in the first slot and a static password in the second. I found a WordPress YubiKey plugin. Since the YubiKey acts as a USB keyboard (it simply types the password into whatever window has focus, without any driver), there were some interesting posts about setting up the Mac OS X login password to be entered with a YubiKey. That keyboard trick cuts both ways in a shady cafe: a keylogger on the machine sees exactly what the YubiKey types. A captured one time password is useless a second time, but a captured static password is just a captured password. The device is about the size of an average coin and very light, so you can carry it around on a key chain.
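The two properties described above (codes that look random but are computed from a secret and a counter, and codes that the verifier accepts only once) are easiest to see in working code. The following is an added example, not code from the original post or from Yubico. It implements OATH-HOTP (RFC 4226), the standard counter-based one time password that a YubiKey slot can also be configured for, rather than Yubico's own AES-based OTP format, because HOTP runs with nothing but the Python standard library; the replay-rejecting validator, the look-ahead window of 10 and the secret are assumptions of the example, and the secret is the RFC's own test key, not anyone's real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code.

    The output looks random, but anyone holding `secret` can recompute it:
    this is the pseudo randomness the post talks about.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server side of the exchange (assumed design, not LastPass's or Yubico's).

    It remembers the next counter value it expects for the token, so a code
    that has already been accepted can never be replayed, even if a keylogger
    on a cafe computer captured it.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate button presses that never reached us
        self.next_counter = 0

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # compare_digest: constant-time comparison, no timing leak on the code
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1   # everything up to c is now burned
                return True
        return False


def demo() -> dict:
    """Walk through generate -> accept -> replay -> skipped counter -> stale code."""
    # Constructed sample secret: the RFC 4226 appendix test key.
    secret = b"12345678901234567890"
    server = HotpValidator(secret)

    first = hotp(secret, 0)            # the token's first button press
    return {
        "first_code": first,
        "accepted": server.verify(first),
        "replayed": server.verify(first),          # same code again: rejected
        "skipped_ahead": server.verify(hotp(secret, 2)),   # press 1 lost, press 2 ok
        "stale": server.verify(hotp(secret, 1)),   # counter 1 is now behind: rejected
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The look-ahead window is the usual compromise: without it a token pressed a few times in a pocket would fall permanently out of sync with the server, with it an attacker still gets at most a handful of six-digit guesses per attempt, which is why real servers also rate-limit failed verifications.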
A YubiKey is a type of security token, as far as I understand. Smart cards fall in the same category. And dongles, although mentioning dongles is not done since Donglegate. Smart cards tend to be cheap, which is a big advantage, though unlike a YubiKey they need a reader.
LastPass is a password manager that claims to keep your passwords in an encrypted vault which is decrypted locally with your master password, similar in purpose to the way web browsers store passwords. Further they claim to use much stronger encryption than web browsers. I am pretty sure that LastPass does win when it comes to the length of the master password. It allows for a much longer master password. That length matters more than you might think: if the vault is ever copied off your machine or out of their cloud, the master password is the only thing between the thief and every password in it, and an offline guessing attack is limited only by the attacker's hardware, not by any login throttling. Mac users can encrypt their hard drive with FileVault, which costs some performance, but should take care of the web browser's password database. I think. At least while the machine is switched off: once you are logged in the keychain is unlocked, so anything running under your account can read what the browser can read.
I have a free LastPass account for unimportant passwords. For multiple factor authentication with mobile devices and YubiKeys you need to pay. Security is neither cheap nor easy, and you don't get much help, it seems. Did you know that Macs ship with their application firewall turned off? Not that Windows computers are much better. If you have a Windows computer you automatically give away some percentage of the performance to anti virus programs. Sure, you can have Trojans on Macs too these days, but you can still get away without an anti virus program. This is not recommended of course.
Design a hardware device that is easy to use and costs next to nothing. Okay, I am prepared to pay a couple of cents. Or find a way to log into all the websites in the world with one single password.
Disclaimer: I am not recommending any of the products mentioned. And I am not in any way affiliated with them. The research for this post was again minimal.
Stories for April 15, 2013