I'm looking at password manager solutions and came across LastPass. I see that they also support two-factor authentication using YubiKeys. How secure is this combination for password management? What are the "weak links" in this scheme that could be targeted by an attack?
4 Answers
The answer everyone hates: it depends on your threat model and risk appetite.
- What passwords are you protecting in Lastpass?
- Are you storing the whole password in there or a unique value to which you add a passphrase?
- Who are you concerned would want your passwords? Opportunistic attackers or targeted governments / organized crime?
- How strong is your master password?
Software vulnerabilities can exist. Lastpass has had an XSS vulnerability and a suspected intrusion recently. So yes, all software can have vulnerabilities.
Yubikey as @this.josh states could also be vulnerable. After all if RSA got hacked and the attackers were able to use this to get into military contractors then no two factor mechanism is invulnerable.
Refer to a sample attack tree for defeating two factor:
Here is a broader set [PDF]: http://www.redforcelabs.com/Documents/AnalyzingInternetSecurity.pdf
The question is are the risks acceptable to you?
Using a password manager is better than not using one and is a simple, cheap solution to improve the security of virtually any application/service you need a password for.
Using Yubikey and a strong master password greatly improves the security of whatever you store in Lastpass. The whole point of two factor is that even if one factor is compromised they still require the other. If you or the service discovers the compromise this gives you time at a minimum.
Do a quick threat model, understand your risk appetite. No system will be invulnerable but you may find the advantages to using Lastpass + Yubikey outweighs the risks for you.
- Would someone be able to elaborate on one particular threat model? Suppose an attacker breaches the LastPass servers and steals my encrypted password database. If I haven't used YubiKey, they must brute-force my master password. This is hard but since the attacker can do this offline, it might be a feasible attack given enough resources. If I *do* use YubiKey, I would imagine nothing changes for this attack, correct? The encryption key for the password database is derived from my master password alone, and the YubiKey only provides additional protection for *online* attacks, right? – jbyler Aug 20 '14 at 21:46
- https://en.wikipedia.org/wiki/LastPass#Security_breach notes three concerns - two past partial breaches, and the lack of a public security audit, and reasons to consider it secure, including many positive reviews and Steve Gibson's approval. It makes sense to consider risk appetite, and Rakkhi explains that well, but specifics like those I mention are key, whereas much of this answer is generic enough to make it applicable to dozens if not hundreds of questions on this site. – WHO's NoToOldRx4CovidIsMurder Sep 30 '14 at 20:53
- "Get OTP from user" should also include "phishing" and/or "social engineering". That's a real world attack, which has been used against the Swedish pension system recently (as in, within the last year or so), though I can't seem to find the news article reporting on it. – user Jun 14 '16 at 08:55
My initial answer was misleading. My research of YubiKey for my original answer was shallow. I failed to find the documents on their website that provide more detailed information relevant to security analysis. Upon reviewing Security Evaluation and Key Lifecycle Management it appears that my original concerns were unfounded. Their overall process for delivering a secure product is sound. I apologize for problems caused by my first answer.
A quick overview (based on the documentation)
- The AES 128-bit key is generated with a "high quality pseudo random value generator".
- The computer system used in key generation is a stand-alone system with strong physical and logical access control.
- The system operators are "specially authorized"
- Key generation is performed in a "highly secure facility"
- The key records are protected with OpenPGP and transferred onto SD media
- The physical YubiKey devices are provisioned with their keys using an Initial Configuration System
- The Initial Configuration Facility is "sensitive to both theft and manipulation" (I assume this means that they have theft deterrents and monitor the integrity of security critical components)
- The operators are "specially authorized and trained"
- The Initial Configuration System computers are physically and logically protected.
- The Initial Configuration System receives key records from the SD media
- After provisioning a physical YubiKey the key record is "securely deleted" from the computer and the SD media
- Online validation is performed by Yubico's servers. (other service providers make requests to Yubico's servers, and they only receive pass or fail responses).
Are there weaknesses?
There might be. If the key records are encrypted but do not include digital signatures, then an attacker could intercept the SD Media between the Key Generation facility and the Initial Configuration facility and substitute SD Media with keys known to the attacker and encrypted with the public key of the Initial Configuration facility. The documentation says protected and not 'encrypted and digitally signed', so they might only be encrypted.
The documents don't describe how equipment and hardware is verified prior to use. Or what measures are put in place to prevent operators from intentionally degrading the security of the system. My analysis is based on the provided documents. I think the overall security appears appropriate to protect resources of a non-trivial value.
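The substitution weakness raised in the answer above, as an added example that is not part of the original answer or of Yubico's process: it shows why the receiving facility has to verify a signature, not just decrypt. Textbook RSA with small constructed keys stands in for OpenPGP, and the key names, record values and function names are assumptions made for illustration.

```python
import hashlib

def toy_keypair(p, q, e=65537):
    """Textbook RSA key from two primes: a toy stand-in for an OpenPGP key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

# Constructed keys from Mersenne primes; far too small and unpadded for real use.
FACILITY = toy_keypair(2**89 - 1, 2**107 - 1)    # Initial Configuration facility
GENERATOR = toy_keypair(2**61 - 1, 2**127 - 1)   # Key Generation facility

def encrypt(record, recipient):
    # Uses only the recipient's public values (n, e): anyone can do this.
    return pow(record, recipient["e"], recipient["n"])

def decrypt(ciphertext, recipient):
    return pow(ciphertext, recipient["d"], recipient["n"])

def record_digest(record, n):
    raw = hashlib.sha256(record.to_bytes(32, "big")).digest()
    return int.from_bytes(raw, "big") % n

def sign(record, signer):
    # Requires the signer's private exponent d.
    return pow(record_digest(record, signer["n"]), signer["d"], signer["n"])

def verify(record, signature, signer):
    # Uses only the signer's public values (n, e).
    return pow(signature, signer["e"], signer["n"]) == record_digest(record, signer["n"])

def accept_encrypt_only(ciphertext):
    """Decryption succeeds for any sender, so the origin is never checked."""
    return decrypt(ciphertext, FACILITY)

def accept_signed(ciphertext, signature):
    """Provision only records signed by the Key Generation facility."""
    record = decrypt(ciphertext, FACILITY)
    if not verify(record, signature, GENERATOR):
        raise ValueError("key record is not signed by the Key Generation facility")
    return record

# Constructed 128-bit values standing in for AES key records.
GENUINE = 0x00112233445566778899AABBCCDDEEFF
SUBSTITUTED = 0xFFEEDDCCBBAA99887766554433221100

if __name__ == "__main__":
    sig = sign(GENUINE, GENERATOR)
    print(accept_signed(encrypt(GENUINE, FACILITY), sig) == GENUINE)
    print(accept_encrypt_only(encrypt(SUBSTITUTED, FACILITY)) == SUBSTITUTED)
```

With a real OpenPGP tool the same check is the signature verification step against the Key Generation facility's public key, performed before any record is written to a device.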
YubiKey has an office in California. LastPass has one in Washington. That means that both companies are legally required to give the NSA your data should the NSA give them a National Security Letter.
I see no real reason to use a closed source system like LastPass where you have to trust a US company over an open source solution like KeePass.
well 2FA and password managers together is pure chaos.
there are some things that one needs to know:
1) One-time password (yubico OTP)/signature (U2F) based 2FA usually cannot be used for encryption. therefore they can only prevent getting the safe file, but this won't help if an attacker already has access to the safe file.
2) Lastpass can send you a link via email to disable 2FA, so securing your email account is one of the most important things you can do. Also when you connect on a new device and/or with a new IP which certainly helps as well, also you can block logins from TOR and also restrict the login only to countries you go or plan to.
3) specifically because of 1 you cannot use a throwaway password, unlike with other services where authentication is everything needed where a second factor tremendously strengthens that and you do not need a super-strong password, but rather one you can remember easily (as 2FA=something you know+something you have)
so putting all of this in mind, having a second factor is not bad, but you shouldn't rely on it, but what is most important to have is a secure password (still try using something you can remember, like a wordlist-based password, more below) and a secure email account, so definitely use 2FA on that. if you have a yubikey and use GMail, U2F is a good way to do it, it's simple to use and secure (although there are some restrictions)
regarding Wordlist based passwords, I personally like using the wordlist from 1password (just download the mac version, and extract it)
(just open the .pkg with 7 zip and traverse like this:
1Password-6.8.3.pkg\1Password.pkg\Payload\Payload~\.\1Password 6.app\Contents\Frameworks\AgileLibrary.framework\Versions\A\Resources\
and grab the file AgileWords.txt
)
they have no problem when someone has some fun with it:
https://discussions.agilebits.com/discussion/comment/335185/#Comment_335185
and it's a pretty good list, as of writing this answer we have 18328 words, giving each word about 14 bits of entropy. using 5 random words you get about 70 bits (at the assumption the attacker knows that you use this list and 5 words from it, but obviously not which words), which is comparable to about 11 random characters of the 94 printable ASCII characters, but the memorability is way higher.
I recommend getting a good randomness generator, and let it generate passwords with as many words as you think you need until you have a password you think you can remember and use that.
surely you can also generate a truly random password of 11 characters but while they are shorter they have their own problems:
1) a pain to remember
2) a pain to input all the special characters, even worse on a different keyboard layout or your phone, words are generally easier to type
3) the entropy assumption is always based on the worst possible case (aka the attacker knows how you made your password but not the password itself) meaning unless the attacker actually knows you are using a wordlist, they will probably set the bruteforce cracker to just bruteforce everything. when we say that each word is on average 5 characters long and add a minus or whatever in between you would have 5*5+4=29 characters, which would put a dumb bruteforcing software to about 190 bits, giving it even more protection against your average bruteforce.
But there is one last important thing. even the most secure password can fall to things like phishing so be sure to always login on the right lastpass site or using the lastpass application. also if the government of the USA (the country where lastpass is in) they can force lastpass to phish you, and your second factor wouldn't be anything to those so use online wallets with caution if you think you might be a target for those.
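The wordlist arithmetic from the answer above, together with a generator that draws words from the operating system's CSPRNG, as an added example that is not part of the original answer. The 16-word list is constructed for illustration (the answer's AgileWords.txt is not reproduced here), and all function names are assumptions.

```python
import math
import secrets

AGILEWORDS_SIZE = 18328   # list size quoted in the answer
PRINTABLE_ASCII = 94      # character set size quoted in the answer

# Constructed stand-in list (one deliberate duplicate); a real list would be
# loaded from a file such as the AgileWords.txt the answer mentions.
SAMPLE_WORDS = ["amber", "basil", "cedar", "delta", "ember", "fjord", "grove",
                "heron", "ivory", "jetty", "kiosk", "lumen", "maple", "nomad",
                "otter", "prism", "amber"]

def passphrase_bits(list_size, n_words):
    """Entropy when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)

def equivalent_random_chars(bits, charset=PRINTABLE_ASCII):
    """Length of a uniformly random string with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(charset))

def words_needed(target_bits, list_size):
    """Smallest word count that reaches `target_bits` for a given list size."""
    return math.ceil(target_bits / math.log2(list_size))

def naive_search_bits(n_words, avg_word_len=5, charset=PRINTABLE_ASCII):
    """Search space for a cracker that ignores the word structure."""
    length = n_words * avg_word_len + (n_words - 1)   # words plus separators
    return length * math.log2(charset)

def generate_passphrase(words, n_words, sep="-"):
    """Draw words with the OS CSPRNG; return the phrase and its entropy."""
    # Entropy is counted over distinct entries, so duplicates are removed first.
    unique = sorted({w.strip().lower() for w in words if w.strip()})
    if len(unique) < 2 or n_words < 1:
        raise ValueError("need at least two distinct words and one draw")
    phrase = sep.join(secrets.choice(unique) for _ in range(n_words))
    return phrase, passphrase_bits(len(unique), n_words)

if __name__ == "__main__":
    bits = passphrase_bits(AGILEWORDS_SIZE, 5)
    print(f"5 words from {AGILEWORDS_SIZE}: {bits:.1f} bits, "
          f"about {equivalent_random_chars(bits)} random characters")
    print(f"naive search space: {naive_search_bits(5):.0f} bits")
    print(generate_passphrase(SAMPLE_WORDS, 5))
```

The entropy figure holds only if every word is drawn independently and uniformly; regenerating until a phrase "looks nice" or picking words by hand lowers it.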