Last Pass with Yubikey

Basics

There are several main factors in maintaining password security. When you store your passwords in an encrypted data store, also called a blob, whether it is online or not, there are two factors which need satisfied for a hacker to get your passwords. First, the hacker must gain access to your password data. Second, they must decrypt your passwords before you change them all.

Yubikey and a good trust policy helps prevent the hackers from getting access to your password data. When Last Pass is configured to use Yubikey, it will not allow you to access the website if you do not have two factors of authentication. First you need your master password which is also used to encrypt your data. Second, you must use the Yubikey to enter a 44 character string into a second box which you are automatically prompted for.

When the Yubikey is plugged into your laptop, computer, or tablet, it is recognized as a USB keyboard. This makes it usable on virtually everything, including Linux Desktops/Laptops in my case. There is a single button on top of the key, and when pressed, it will type out the 44 characters necessary for authentication in Last Pass. Yubikey can also be used for other software and services

Using Yubikey prevents anonymous access to the website, but if you work from a phone, a tablet and a laptop daily, it can be more convenient to trust devices. Each of the mobile devices can be trusted based on a UUID, while each browser can be trusted based on a generated cookie. When a device is trusted, you do not need to use the Yubikey, so you can leave it at home. This works great if you trust the device you are working from, but if you do not trust the devices, you can require that the Yubikey is always necessary. This is good in situations such as work computers where you may not trust the help desk people.

Now remember the Yubikey and a good policy only prevent access to the password data. You still need to encrypt your data with a good master password. Both password length and quality are important to prevent a hacker from decrypting your password data before you change your passwords.

Remember, if you are using a trusted device, you need to revoke access if it is ever lost or stolen. Also, since browsers cache your password data, if the device stolen or lost is a computer, you may want to change your critical passwords. If your master password is strong enough, it may take a hacker years to crack your password data, but it is essentially compromised. Disk level encryption can add another layer of security in this situation. I use disk level encryption, if you are a professional you probably should too, though this can be difficult with slow devices such as a netbook.

 

Architecture

This is a basic guideline, which covers most of the basics. I noticed that there is no guide such as this on either the Last Pass or the Yubico website.

  • (2) Yubikeys: package deal. Approximately $50 one time cost.
  • Last Pass Premium Account: Approximately $12 a year at the time of this writing.
  • Trusted Computers: lastpass.com -> Settings -> Trusted Computers
  • Restricted Mobile Devices: lastpass.com -> Settings -> Mobile Devices
  • Policy 1: Change master password at regular interval, even once a year
  • Policy 2: Evaluate Trusted Devices and Mobile Devices at regular interval, like once a quarter.

 

This architecture is not perfect because perfect security is impossible, but it will provide enough layers and enough checks to catch a hacker if they steal your password blob from Last Pass. This will provide you with time to change your passwords before they crack your encrypted blob. Although this is inconvenient, it is an operational contingency plan.

Finally, I am not impressed with the logging features provided by lastpass.com. They should and need to have better options such as:

  • Log/Alert: When Yubikey is added/removed.
  • Log/Alert: When Trusted Computer is added/removed.
  • Log/Alert: When Mobile Devices is added/removed.

This would mitigate some of the final risks that I see as an issue. Please leave comments, criticisms, or feedback in the comments section; Especially anyone who works for Yubico or Last Pass..

One Response to “Last Pass with Yubikey”

  1. Lars R. Noldan September 15, 2012 at 2:10 am #

    I’ve been a LastPass + YubiKey user for several years now. The combination is great. It’s also worth noting LastPass provides a mechanism to test the overall security of your online accounts.

    This is locate under the browser plugin –> tools –> Security check.

    This check will help highlight sites with sub-par password strength, as well as sites that use the same passwords as other sites.

    I scored 98.7% on the LastPass Security Challenge ranking 408th overall.
    123 sites scanned, zero shared passwords, average password length of 27.8 characters.

Leave a Reply