this post was submitted on 07 Sep 2023
979 points (99.0% liked)

Technology

59377 readers
3970 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

you are viewing a single comment's thread
view the rest of the comments
[–] charles@lemmy.world 3 points 1 year ago (2 children)

Is there a recovery process if your yubikey breaks?

[–] Rootiest@lemm.ee 2 points 1 year ago* (last edited 1 year ago) (1 children)

Having a recovery process for the YubiKey would really just be a potential security hole.

Ideally you have a backup clone of the key in case yours is lost/broken.

Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.

A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.

Also worth noting that the way KeePassXC handles the HMAC challenge-response is different from how KeeChallenge does it.

In KeeChallenge the HMAC secret is used to encrypt the database, which requires storing the encrypted secret in a separate file.

In KeePassXC the database's seed is used as the challenge and the response is used to encrypt the database.

The benefit to the KeePassXC method is two-fold:

  • It's less vulnerable as the HMAC secret never leaves the YubiKey or get stored in a file.

  • It increases security because the challenge-response changes every time you save the database (changing its seed)

Thank you for your detailed responses - I'm going to look into KeePass and maybe a Yubikey after reading your description of how it works. I hadn't considered a Yubikey before mostly because I'm prone to lose things, but also because my encrypted file password is >12 characters and a fairly random mix of lower and uppercase letters, numbers and special characters.

[–] PlexSheep@feddit.de 2 points 1 year ago (1 children)

There is no recovery if you have a single hardware token in use only. But that's a structional issue with your concept.

Instead, it is recommended to have two (or more) identical Hardware Tokens to replace one that dies.

It is also smart to keep the seeds for things like 2fa in some secure backup with schizophrenic paranoia proof Security measures.

[–] Rootiest@lemm.ee 1 points 1 year ago

Yeah this.

Having a backup/recovery for the YubiKey is really just another potential security hole.

Ideally you have a backup clone of the key in case yours is lost/broken.

Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key rather than a static password/key file.

A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.