this post was submitted on 12 Mar 2024
39 points (93.3% liked)

Cybersecurity

5677 readers
134 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

So I've been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don't want to mix my personal password manager with my work computer and I also don't want to remember a complicated 15 character long password to log in every day.

That brings me to my question. I've been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there's a limit to how many entries in the Yubikey 5). You can also store a password in one of it's two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different "prefix" for each application? Example: On my banking site I type in "bank" then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don't know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that's backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?

top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 40 points 8 months ago* (last edited 8 months ago) (1 children)

I have responsibility. They require us to change our passwords every 3 months.

I mean, do your best, but honestly temper your understanding of your responsibility here.

You may feel responsible, but your employer DOES NOT.

How do I know? Because it's been the NIST guidelines for like a fucking decade already NOT to use such policies because they are EMPIRICALLY PROVEN to REDUCE security and INCREASE the likelihood of a system compromise.

The fact that you're here trying to "solve" a "problem" that was artificially generated by your employer is exactly the reason it's the case. While you personally are diligently considering how to best "solve" it, everyone else is doing something more hack-y and introducing new attack vectors.

So... Long story short, it's awesome you care. Your employer does not.

[–] [email protected] 7 points 8 months ago (1 children)

I'm sorry. My original post did not convey my intentions adequately. The fact that I have to change my password every 3 months is what sparked my curiosity and question for my original post. For work I just generate a password using a password manager and store it on a Yubikey that I use for work purposes when I need to update my password. The question in the post is for a personal Yubikey. I started using a generated password on that one and wondered if adding a prefix password to it, changing the prefix for different applications, would be considered secured.

[–] [email protected] 3 points 8 months ago

Lol no, they did reply correctly.

[–] [email protected] 12 points 8 months ago* (last edited 8 months ago) (1 children)

Algorithms like that never really work because password requirements are quite varied, especially stupid stuff like maximum lengths.

[–] [email protected] 2 points 8 months ago

You can tweak the algorithm to match the requirements in KeePassXC. That is for passwords for individual sites that have requirements. This "prefix" algorithm would be for applications that don't have those requirements. Applications can range from website logins to password protected encrypted volumes.

[–] [email protected] 12 points 8 months ago* (last edited 8 months ago)

I say go for it.

If you're working on something sensitive enough that a Yubikey isn't good enough security, then the team you're working with should be enforcing other protections like MFA, which mitigate the algorithm risks.

Obliviously, if you get a chain fraudulent MFA requests, change your password approach, though.

Otherwise, it beats what most people are doing by a long way. Casual attacks are going to go through Karen in accountings weak password, not reverse engineering your Yubikey.

Edit: Your prefix length matters here, though. You don't want it to be so short that it volunteers for more scrutiny in a breached data set.

Edit 2: Marcos makes a great point about putting yourself in a position where, when you change your password, it's necessarily extremely similar to previous passwords. That's not great.

[–] [email protected] 9 points 8 months ago (2 children)

My understanding is that it's debated whether password algorithms are a good idea, but personally, I wouldn't use them because if someone figures out one password, they can figure out the rest. Why not just use a new KeePass database on your work computer? If you don't want to memorize a string of random characters for the master password, why not use a passphrase of random space-separated words?

[–] [email protected] 8 points 8 months ago

if someone figures out one password, they can figure out the rest

This. And "figuring out one password" can mean stealing it from some 3rd party server with bad security practices. The password complexity and the other OP's practices aren't relevant.

You also can't change passwords easily, what again is a problem on those sites that have bad security practices.

It's possible to make an algorithmic derived password that doesn't have that first flaw (losing one doesn't lead to losing all), but the second one will always be around.

[–] [email protected] 2 points 8 months ago (1 children)

I may not have been clear in my original post. My work computer does have it's own KeePass database. This question is for my use of a Yubikey on multiple sites. For clarification I use a separate Yubikey to store my work computer credentials that I back up to my personal Keepass database (can't access the work database if I'm locked out). I do this because of the requirement to change passwords every three months and I don't want to reuse the limited passwords I remember so I use a password generator.

My question is with using a "prefix" with my personal Yubikey (the one I don't use for work). Specifically, even if the last 40 characters is from a generator configured to generate a high entropy excellent quality password if I use that password with a different "prefix" (different lengths too) for different sites then would it really be compromised if one site gets hacked? They are different passwords, different hashes, different entropy. It's just a large part is the same. I don't know much about security I just want to know if this is a risk. I'm trying to move my security from something that I memorize to something that I physically have and know.

[–] [email protected] 1 points 8 months ago

Why not use the Yubikey for the master password on a KeePass DB (or another password manager) and then use actual different passwords—not just prefixed ones—saved in said password manager for your logins?

It doesn't matter if your base password is a 255 character high-entropy annoying-to-type-manually-on-a-phone-keyboard or a 16 character string of alphanumeric characters if you reuse it in a slightly predictable manner. For it to be somewhat secure, the prefix would have to be completely random, which kinda defeats the idea of you being able to remember them. A "base password" is, to be frank, only one small step up from using the same password everywhere.

And as someone else pointed out, it makes it very difficult to change passwords, which also should be a huge red flag.

Take a look at the leaks on Have I Been Pwned and see how many of them include either clear text passwords or extremely weakly hashed (perhaps even unsalted) passwords. If you show up in just one or two of those, then you're in a significantly worse position than you would be had you just used different passwords.

[–] [email protected] 8 points 8 months ago (1 children)

Yubikey is proprietary and not updateable. If there is a security flaw, you literally need to buy a new one to be sure.

[–] [email protected] 7 points 8 months ago

Yes, but telling you how I do it would be bad opsec.

[–] [email protected] 4 points 8 months ago* (last edited 8 months ago) (1 children)

Why not get a separate password manager for work stuff and use the Yubikey to login to that? That way you get a unique password for each site and don't need to remember a long password for the password manager. So one password slot for work and one for personal password manager, and the rest comes from the password manager.

The main risk is if your password gets compromised, someone could figure out your "algorithm" and get access to the rest. Whether that's likely depends on what you use those passwords for.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

I do just that. This Yubikey is not just for websites though. I use it for apps too. Things such as my password manager, login credentials, encryption apps, etc. The idea of using it on websites got me thinking about using a base password and a seed for each app.

Edit: I also want to use it for multiple computers that I have. I use those for things like NAS, Jellyfin, Pi-hole, etc. Mostly those are Raspberry Pis. Using a password manager I'd have to copy-paste or remember each password. Not all have a web interface.

[–] [email protected] 2 points 8 months ago

Using a password manager I’d have to copy-paste or remember each password. Not all have a web interface.

Then pick one that has a web interface or a CLI, Bitwarden has both and is free. KeePass databases can be hosted on your NAS and accessed to CLI tools. There are plenty of options. Or use passphrases (which are just as good as—or better than—complex passwords) and just type them? I use Bitwarden for literally each and every password/lock code/PIN that I have, and I have plenty of Pis and other things that don't let me easily log into Bitwarden, but finding "Excentric4-Waxing-Adopted-Giraffe" on one device, and typing it in another really isn't much of a hassle. (Also, why not just SSH into your Pis? Then you only need to worry about accessing a password manager on the machine you're opening the SSH connection from.)

From the comments on this post it seems that you're mostly looking for validation of the idea you originally had rather than actual feedback on how secure that idea is. You're obviously free to manage your passwords exactly as you want, but this idea of a "base password" is objectively less secure than the alternative put forward by many people in these comments, namely to use the Yubikey to log into a good password manager that then handles all the different (completely unique) passwords.

There are always instances where doing things the best and most secure way is more cumbersome, and it's up to you to decide if you want all of your passwords to be poor (and difficult to change, in this case) just because you occasionally need to log into something that doesn't neatly integrate with a password manager.

[–] [email protected] 3 points 8 months ago (1 children)

Using a prefix with a 40 char password is not really a good option because if this was compromised because it was let’s say intercepted then the attackers would easily be able to guess that if there is bank_suffix then facebook_suffix might be a good guess.

[–] [email protected] 3 points 8 months ago (1 children)

Really? The example "bank+[40 character password]" was just an example. Obviously I wouldn't use bank for my banking credentials. I was also under the impression that many websites and applications wouldn't store or transmit plaintext passwords (I wouldn't use http for transmitting credentials). I do concede that there is a news story every month about a corporation getting hacked and the user's passwords were stolen and in plaintext so they could compromise me that way. But I don't think hackers are really going after me because I'm broke. The government maybe. This is really just so I can have a convenient way to have a complex password. I can't remember 5 different 15-20 character complex passwords.

[–] [email protected] 4 points 8 months ago (1 children)

I think you have the right idea. You are using "bank" as a salt so the hash should be acceptably secure.

[–] [email protected] 3 points 8 months ago

Yes. And every application has a different salt. I really just hope these websites don't store plaintext passwords.

[–] [email protected] 3 points 8 months ago

Look into OnlyKey. Its a hardware password vault with a lot of nice features. USB only, though

[–] [email protected] 2 points 8 months ago

The "base password" concept isn't completely crazy, I've got a friend who claims to have a system like this, to keep all his passwords in memory.

The key, though, is that the modification to the base is NOT just "usbank" or "facebook" or whatever. If your system for modifying the base is too simple, then if one of the sites you do this for is breached, and its passwords exposed, you can bet that attackers that get ahold of those are smart enough to search for "usbank" and "facebook" and other variations, to figure out what your base password is, and take that and apply it on as many other sites as they can, and may well breach your other accounts.

[–] [email protected] 1 points 8 months ago