6

So, recently, after going through some infosec training (FutureLearn's Introduction to Cyber Security, which I heavily recommend as well-explained newbie material), I decided to take the plunge and finally up the security of my authentication in password-protected computer systems. My goals were to...

  • Use unique passwords for every password-protected service which I have access to
  • Make them as resilient to guessing, brute force, and dictionary attacks as practically feasible
  • Use two-factor authentification based on something I have whenever feasible
  • Avoid relying too much on the availability of a specific computer (e.g. cellphone), object or service (e.g. network coverage), basically stuff that can easily be broken and stolen
  • Automate any kind of data synchronization that is required

I came up with a scheme which I am pretty satisfied with, but I would like to check with someone more experienced that I fully understand its strengths and weaknesses. And this is where I need your expert help, if you have some time to help me with that. Of course, feel free to reuse that procedure for yourself too, there's no copyright on it.

So here goes :

  1. In the general case where I have access to a trusted computer with an Internet connection and a USB port, I use LastPass to generate, manage and sync random per-service passwords, with a strong master password and a Yubikey as a second factor of authentication. 2FA is enabled for services that support it in a sane way.
  2. For cases where trusted computers or network connections are not available, I have also configured Lastpass to accept offline logins on my cellphone, using only the master password. Two-factor authentication is maintained by configuring Lastpass to only accept online logins from this cellphone's UUID.
  3. Finally, for logging into computer sessions, including my cellphone, I chose to assume the availability of no software tool, and use passphrases. These passphrases are generated in my head based on service identification and stuff that is ridiculous enough that I will remember it. Fake examples of such could be "HeyAmigo!IDonQuichoteDemandAccessToThisMac" or "OMG!Raptors!ToTheUNIXSystem!".

Now, no system is perfectly secure, of course, which is why I wanted to be sure that I understand where the weak points of this authentication scheme lie :

  • As with any password manager, I need to pick a very good master password for LastPass, as the incentive for cracking it is high.
  • I need to trust the LastPass client to be secure on any platform, in sense of working as advertised (e.g. generating truly random passwords) and leaking no sensitive data.
  • I need to trust my YubiKey's write-only access scheme to be effective, and the Yubico servers not to leak my AES key, for YubiKey authentication to remain secure.
  • My trusted computers, including my cellphone, need to be devoid of keyloggers and other kinds of malware which would be able to intercept LastPass' master and service passwords.
  • LastPass' cellphone UUID mechanism, for which I have found no technical documentation, must be secure : IDs need to be actually unique, and forging them needs to be infeasible.
  • My login passphrase mechanism is probably less secure than the randomly generated passwords which I use elsewhere. With long passphrases (10 words or more, including uncommon ones), I trust it to be invulnerable to brute force and dictionary attacks, but it may be vulnerable to guessing from someone who knows me. So it may be hardened enough for local login, where I also have a second factor of authentication (physical access to the machine), but for remote access I might want something stronger.

Do you think I got it right, or see another weak point in my authentication scheme that I might want to be wary about and try to harden in the future ?

Hadrien G.
  • 61
  • 2

2 Answers2

4

The UUID of your cellphone isn't a meaningful second factor as it can be spoofed.

On the long passwords, it is reasonably secure to use long, sentence based passwords, but the amount of security provided drops DRASTICALLY if it has anything to do with what you are connecting to. It may still seem hard to guess, but establishing a relationship rather than pure entropy means that there is a far FAR smaller pool of possible passwords to choose from. This is bad for password security. Even if it only reduces it to a few million possibilities, that is still easily brute force-able.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • As for UUIDs, I've been wondering about that, thinking that it might depend on LastPass' implementation. If, as an example, UUIDs were agreed upon between server and cellphone using some variant of Diffie-Hellman, and then only exchanged between both via an encrypted link (or, better yet, verified via a challenge-response mechanism), would they still be a liability ? – Hadrien G. Nov 06 '14 at 15:12
  • @HadrienG. ah, I think I misunderstood what you meant by the UUID of the phone. On Android smartphones, there is a UUID used to identify the phone. If this is a UUID that is generated by lastpass and stored on the phone, that's a bit more secure, though at that point, using an asymmetric key pair would be a far better practice as the OS would also much better protect the private key. Note, it is also somewhat limited usefulness in terms of "what you have" if the "what you have" is directly tied to your client since it doesn't help protect against a compromised client... – AJ Henderson Nov 06 '14 at 15:16
  • though, of course, there isn't much alternative in the case of a phone. – AJ Henderson Nov 06 '14 at 15:19
  • Well, as I said, I didn't find documentation on what LastPass calls UUIDs, so I do not know how secure that mechanism is. Here is a screen of the administration interface for it : http://i60.tinypic.com/25ovuid.png . From this, I know that they are supposed to be random, can be changed (how ?), and can be checked by the LastPass servers (how ?). – Hadrien G. Nov 06 '14 at 15:23
  • I wish LastPass for Blackberry 10 (which is actually a port of the Android version) would support my YubiKey in NFC mode instead. Since they already support it on Android, and NFC support is coming to the Android runtime in the next BB10 version, it might not be too difficult to implement for them. Maybe I will send them a support request for that. – Hadrien G. Nov 06 '14 at 15:26
  • @HadrienG. - ok, that looks like the ID of the phone itself. Note that you can deactivate, delete or change the label, you can't actually change the UUID. I wouldn't count on that for any security as it is shared by the device like candy if it is the number I think it is. – AJ Henderson Nov 06 '14 at 15:30
  • I see... Well, I asked for NFC YubiKey support in LastPass for Blackberry 10, that's probably the best option ultimately. Thanks for the help ! :) – Hadrien G. Nov 06 '14 at 15:41
2

I do very similar, and the way I see it there are two major potential points of failure and I don't really have a good solution for one of them.

First major risk is that LastPass itself is hacked and it's data dumped. While data is encrypted locally, my password used to encrypt that data is not very strong. LastPass has recognized that entering in a strong password every. single. time. to access your vault can be a PITA, so they now have that optional PIN code for accessing an open session.

The PIN is not used for encryption, just to access your session. So my weak lastpass master password is a personal problem that I just haven't gotten around to fixing yet. I also use multifactor with select trusted computers, which doesn't fully work on my windows 8 laptop which is annoying.

You can tune the stretcher in your vault settings, increase repetitions, and possibly change the alg though thats a bit fuzzy.

Anyways the first major risk isn't really relevant to you but to those like me with weak master passwords. Those need to be updated to strong master passwords and enable to pin code.

The other major risk isn't to your data but to your ability to access your data. If you lose your yubikey and phone at the same time at the beach or something, and don't have a trusted laptop back at the hotel, you're in for some bad times.

For me my phone is also my authenticator, so all I have to do is lose my phone and I'm SOL, hope I'm not on holiday.

For this, there are very limited options that I can think of. My solution is to have my windows laptop also as a trusted device with both lastpass and google-auth on it.

If both devices are lost, the big problem becomes accessing my email account which protects lastpass, which is also protected by my authenticator.

Google supports one-time-use passwords for printing, which I have some at home, but that doesn't help me at the beach.

I've considered getting a burner life-line phone to keep in rental vehicles/hotel rooms at all times, but when it comes to recovering from all trusted devices being lost or stolen abroad, I don't have a foolproof solution. It boils down to being able to access your information from a non-trusted device without any of your multi-factor tools, which is exactly what they are designed to prevent.

Andrew Hoffman
  • 1,987
  • 14
  • 17