Thread 107160337

i recently got one of these. the thought is i use keys on my keychain for my home and car so why not my computers and online accounts?.

so far i set it up to open everything (login,sudo...) on my old laptop i mostly use for experimentation, i think i can also set it up to open LUKS but i havent tried that yet. is there any good reason to not put this on all my computers instead of constantly entering passwords?

>>107160337 (OP)
How are these security keys 'secure'?
There's no fingerprint reader, it's just a capacitive pad.
If someone steals your laptop or your phone together with this key, you're super fucked.

>>107160337 (OP)
you need to get a spare
>>107160372
you can set a code each time you use it.

>>107160337 (OP)
When it breaks you'll be locked out of everything

>>107160404
that's why you get a spare

>>107160337 (OP)
It is easier for someone to steal a keychain that it is to extract a password out of your head.

What if a glowy seizes your keychain and laptop?

>>107160414
If you have multiple keys anyway, you might as well have a password manager, that supports passkeys, instead. So you can copy and backup its database.

I like KeepassXC passkeys, it is much better than TTOP, i don't have to copy and paste stuff around or autofill things.

>>107160372
usually you still need to enter a pin code so its basically as "secure" as your bank card

>>107160444
Most don't use a password or pin with it.
The whole point of it is passwordless authentication. It's like those RFID cards you hold onto a lock to enter a room. If you have to remember something, it is not passwordless.

>>107160372
the key has 2 slots where you can pot a long touch and a short touch action. one of the options is a 'static password' where it emulates a keyboard and types in a password (up to 38 characters) i think its designed for old/legacy shit or stuff that doesnt support any modern security standards.

but you could set up the LUKS so that you enter your password (say 10 character fairly standard pass) and then tap the yubikey and it enters the 38 remainint characters of your password. thats how i have it set up right now.

the challange-response is what i have on slot 1 where i tap the key to log in and to do sudo ... and that one doesnt exposes the actual cryptographic password which never leaves the yubikey itself it only uses it to encrypt ('sign') challanges from the computer.


im honestly not that worried about anyone snatching both my keys and pc. it would have to be a targeted attack/police raid or something and im just a normall ass user. what is more likely is i might lose the key, lose the laptop or have either stolen and this happened before (lost a laptop many years back) where the laptop had a 'normal' somewhat crackable password for the encryption. when i figure it out ill probably just set the LUKS/drive encryption to open like the regular challange-response authentication im using in the OS (fedora kde)

>>107160382
>>107160404
yea i know i got it just to experiment/see everything works. i only used it to lock the shit on a laptop with a drive/os install i dont care about.

but i ordered another one and ill wait for that one to arrive before i use the security key on anything im actually afraid of losing

>>107160485
Ok now this is the rare gold in the sea of shit I browse /g/ for.
Thanks bruv, I'm gonna set this up now.

>>107160337 (OP)
>so why not my computers and online accounts?
Cause keys suck. If you could open your car door or house with a password instead, you would.

>>107160337 (OP)
I don't trust the USB slot to survive so many plug-in-outs

>>107160518
Passwords suck too
>you have to remember specific passwords, if you reuse them then whoever pwns your car also can get into your house
>anyone could watch you enter your password
>if there's a blackout you can't get into your house
>entering long passwords over and over is tedious
>any unsavory gentleman could easily smash your keypad and make your life difficult, locks are a lot harder to damage
Not that locks are good enough security either, but I wouldn't want to switch to passwords

>>107160382
The spare thing is what is keeping me from getting it. Pretty expensive like that.

wtf is a security key? i feel like you just use a regular usb and encrypt it and achieve something better for only the price of the cheapest usb, like putting your keys and boot partition on it

>>107160597
is this real?

>>107160597
My work Yubikey is set up such that after like 5 wrong password entries, it locks up. For your regular USB, you need a password (or other auth factor) that has way more entropy than mine to get the same security.

Granted, there are rumors that it is possible to "clone" Yubikeys (onto Yubikeys) and get around the locking in that way, but you apparently need a lot of them.

>>107160372
>How are these security keys 'secure'?
"Trust me bro."
https://ninjalab.io/eucleak/

>>107160612
>For your regular USB, you need a password (or other auth factor) that has way more entropy than mine to get the same security.
False sense of security.
Hardware rate limits are a ruse. Especially on the subject of security keys (remember the Google security key that turned out to be cloneable via bluetooth? Or the Google security chip in Pixels that turned out to have an exploit providing access even when the phone is off?).
The only good rate limit is one inherit to the encryption (amount of time it takes to try a decryption).

NEVER trust a firmware blob.

>>107160485
>Yubico Authenticator
>doesn't work on OpenBSD
dropped

If i would run a company, i would give my office thots a yubikey, because it is better than having them use "password[number of month]" or writing their password on a sticker underneath the keyboard.
Then you can also have an IT department managing them, with other keys that have access to everything, that can lock keys out or create new. It is easier for the office thots and easier for the IT dudes to manage. A win-win, nobody loses.

But for my private stuff? LMAO, no.
The scenarios you have to consider privately are:
>things getting stolen
>malware
>glowfag sizing stuff because something you said 5 years ago became wrongthink now
In the first case a password will do.
In the second case the key doesn't provide any benefit (the malware just grabs the browser cookies or plays MitM).
In the third case the key makes me less secure (glowfag would capture the key as well).

And what especially brings the point home are the anons here talking about their additional measures to make the insecure thing secure ("i set a password as well in my PASSWORDLESS authentication method").

>>107160518
you could set it up to do that but no one does because its a hassle, an item you carry is more than secure enough for 99% of people
>>107160524
it only uses the 4 big main USB pins of a USBA which is incredibly reliable and robust. also your computer has multiple of them and if one of your USBA-female slots gets worn out its the easiest fix ever you just open up the computer and bend it a bit so it's not as loose and grips a usb-male that is inserted.
>>107160506
np
at first i was just looking into getting a fingerprint reader for my desktop so i could stop entering passwords every time i wanna SSH or sudo. i tried one i had and it didnt have drivers in the kernel, couldnt find any good readers with linux support and then i saw the yubikey with a fingerprint reader that is supported by basically everything and thought why not go for security keys instead of biometics

>>107160539
i actually think passwords are a great solution with a password manager so the passwords you actually give each site/account are long and never reused. security keys are kinda similar in that they serve a similar purpose but the authentication for them is you carry them on you instead of having to remember a password manager's password.
>>107160597
are you talking like a live usb with encrypted persistent storage? yea you can do that with tailsOS/others i have a USB with it. it serves a different purpose tho and you need to remember a password for it

>>107160645
I don't use it privately, my employer trusts it. Big difference.

Other than that, it is all tradeoffs. My employer has decided that they hate unlocked workstations (which is reasonable in an office, but not when doing remote work on said workstations, which is also a hard requirement they dreamt up) and therefore my remote desktop screenlocks rather quickly. I prefer to have reasonable PW requirements and a Yubikey over 20+ char PW, that will amount to

> qwertyuiop1234567890!$%

for most people.

>>107160705
A very common misconception on /g/ is that something must be godlike, just because a company uses it.
Those keys make lots of sense for wageslaves. While for private stuff it quickly becomes "meh".

>>107160697
ease of use is a massive factor for personal use as well. there's a reason probably nobody ITT has a 20 character password and probably a lot of people reuse passwords.

you're right that the main benefit is in a corpo setting where i have never ever seen an office without stickers with passwords printed on them and/or centralized spreadsheets with passwords of various computers/networks/services.

for your first two scenarios keys cover you as well as any password would and for the third thats the only real scenario where your security needs are so high you need to sacrifice convenience for remembering a longass password (and even then you could use a key as a second factor), but thats not where most people's security needs are.

>>107160337 (OP)
>the thought is i use keys on my keychain for my home and car so why not my computers and online accounts?

anyone under 40 uses an iPhone app for all 3 lmao

>>107160771
I only care about the glowfag scenario.
If Ahmed steals my stuff, a four digit pin will do. Ahmed doesn't care about what is on the device, he is in it for the hardware.

Meanwhile glowfags seizing your shit is not that rare. Them raiding your house is unlikely. But them simply taking your stuff at an airport or train station and not giving it back, is much more common than people think.
Especially because they don't need to justify it.

>>107160771
>probably nobody ITT has a 20 character password
I do I came up with a good method for passwords, just make with a 12 letter password of random numbers/letters/symbols and type it twice so you get a 24 letter password. You memorize it pretty quick

>>107160518
>If you could open your car door or house with a password instead, you would.

You can do that with various home automation tools. My garage doors open as I drive in because of license plate + vehicle recognition. I could just as easily require swiping an alert on my phone if it detects my license plate

why not this for home and car?

>>107160771
> there's a reason probably nobody ITT has a 20 character password
I default to 32 digit random passwords with my manager. It's fucking astonishing how many websites cap you at 16 or even 8 digits. Government stuff frequently locks you to 8-12.

For passwords I don't use the manager for I use mnemonic based phrases. Sort of related to the horsebatterystaple thing that xkcd popularized. Mostly based on inside memes from small friend groups from years ago. Niche enough that even a schizo isn't going to come up with the associations necessary to connect the dots. I taught my wife this trick and that's what she uses for everything because she doesn't like managers for whatever reason.

>>107160989
repeating is low-entropy that password cracker can go for those first. the actual way to do it is something like
https://www.useapassphrase.com/
its not as much entropy as random characters but a good balance between memorization and security. the drawback is taking a long ass time to type in which you do not want to do often.
>>107160983
in your scenario which is not the scenario most people care about unless they live under authoritarian oppressive regimes or are political/activist/journalist types your solution is probably a pixel phone with graphene for anything sensitive / actual communication and only use any other device for shit you dont mind people seeing like vidya/media, the main feature you want is
https://grapheneos.org/features#duress
put your phone into encrypted mode every time you expect a risk or seizure (restart it when entering an airport for example) and even if they take it from you they got basically nothing to do with it since they cant ask you for a password knowing you can wipe it with the duress pass. and for regular use buy an HDMI dock so you can use your phone with keyboard mouse and a screen.

>>107161112
there's something very sketchy about sites having password length caps (other than say 64,128... but like less than 20). i feel like if we did a global audit of all sites\services that store user passwords we'd be shocked at how many dont implement something like argon2 or dont store passwords along with salt.
>>107161067
is that reliable in rain/low visability or when there's sun reflections?
i would have thought some bluetooth tag on your car + phone authentication would be a better idea

>>107160337 (OP)
completely pointless

You don't need any of that tech crap. Just use a passage from the Bible like the Lord intended. He hasn't let me down yet and He never will. Amen!

>>107160645
>remember the Google security key that turned out to be cloneable via bluetooth?
is it picrel
>>107161187

>>107161165
>repeating is low-entropy that password cracker can go for those first. the actual way to do it is something like
how would a password cracker know that i use 12 random letters/numbers/symbols that i repeat to make it a 24 character password? they wouldnt know a single thing about my password not the length or contents.

>>107160337 (OP)
your pic shows that security key next to a macbook. macbooks already have touchid which obsoletes security keys.

>>107160337 (OP)
NFC almost never worked for me, had to use USB
internet full of reports that some feature, some version, some firmware is broken
useless shit

>>107161165
>which is not the scenario most people care about
Every normie cares about this. At least to the extent that they want the government to hide it better. They want an illusion of free will.
The average normie hates the government for what Snowden revealed and would avoid it if possible. The normie is uncomfortable when airport security snoops or they get stopped by cops.
When Apple denied a request by a local cop to decrypt an iPhone, Apple advertised with it loudly and normies applauded.
>unless they live under authoritarian oppressive regimes
Which is apparently the whole world, because i can't think of a single country where they can't take your stuff for no (or an easily made-up) reason at an airport.
> a pixel phone with graphene
Stores your keys on a chip under google binary blob, you can drop it for this one reason alone.
>they cant ask you for a password knowing you can wipe it..
In that specific case, there are two scenarios:
>A) you have the right to remain silent
>B) you do not have this right
If A is the case, you just don't tell them the password.
If B is the case - which happens when they check you and justify it with a fear of terrorism - then remaining silent or telling them a duress password results in the same thing: You get charged for terrorism.
They don't bother decrypting your phone or bruteforcing your password, they don't need access to your stuff to fuck you over, they just fuck you if you don't give them access.
And that is a scenario an ordinary normie can be in. Maybe someone made a prank call and they decided to check 20% of people and the dice rolled on you.

With a passwordless Yubikey, they never have to ask for a password.

>>107160518
My house has an electronic lock with pin and it fucking sucks. I've had to break in twice because the batteries died and it gives no warning.
I hate the fobs for cars too, physical keys only! My car only has a keyhole on the driver's door and you can't use it to lock the car, it sucks!

>>107161266
no, it's pic related

>>107160771
My computer, gpg, ssh, and email passwords are all random 20 characters. You just memorize how to type it over a few days and then you're good. Everything else is in a password manager.

>>107161335
wtf is that? if its a fingerprint reader those are not new tech and do not 'obsolete' security keys for obvious reasons
>>107161287
honestly idk how these password crackeds are configured but id imagine they try stuff like repeated strings before they try totally random character type passwords.

that being said, for drive encryption on a modern system even a 12 character regular pass is surprisingly strong. i just ran
sudo cryptsetup luksDump /dev/nvme2n1p3 on my system and the way its set up (stock fedora) is with a 10-iteration 1GB memory Argon2 hashing step on the LUKS password you enter and then 2 AES256 decryption steps. for comparison most websites use Argon2 with 20MB memory required and 2 iterations. this means cracking LUKS2 by brute force is insanely hard
>>107161344
works for me, you could always get the USBC version/USBA to USBC adapter

>>107161421
>When Apple denied a request by a local cop to decrypt an iPhone, Apple advertised with it loudly and normies applauded.
the big problem here is that they even had that capability
>>107161421
>You get charged for terrorism.
lmao
>>107161421
>With a passwordless Yubikey, they never have to ask for a password.
if you're worried about a targeted attack where someones snatches both your security key and laptop just keep normal LUKS (with password) and use security keys as a second factor (https://github.com/cornelinux/yubikey-luks) or only for authentication when you're already decrypted (sudo,ssh...)

for most users the main threat is stolen/lost pc and remote hacks from password reuse from retarded ass sites storing plaintext/weak hash passwords.
>>107161472
might work for you, most people dont wanna remember multiple long ass passwords much less type them in on every ssh,email login...

>>107161596
>>You get charged for terrorism.
>lmao
The patriot act can strip you of your right to remain silent and they can then lock you in forever without a trial. And the UK has equivalent laws, so in case one gets cucked because its their own citizen, they can outsource it to the other.
You must have missed the whole Snowden drama if you don't know that.
A duress password would fuck you legally even harder, because you destroyed evidence, independent of whether or not you actually did something wrong. Ever thought about what happens at a traffic stop when a cop asks you to do an alcohol test and you refuse?
>targeted attack
Airport security taking your stuff doesn't have to be targeted.
>just use a password with your key
well, yes

>>107161805
>A duress password would fuck you legally
it wont
>because you destroyed evidence
nope, either way in a legal system they'd have to prove that there was 'evidence', and then prove that anything was 'destroyed'.

if you live in a place without rule of law none of this shit matters to you anyway you're fucked either way but in terms of data security graphene would have served it's purpose.
>>107161805
>>Airport security taking your stuff doesn't have to be targeted.
never happened to me, never happened to anyone i know ever. the most ive seen taken at the airport is a friend of mine's sketchy li-ion cell packs (like ones used by fpv drones)

>>107160443
I wish we had an official KepPassXC mobile client. Needing to trust thirdparties is a pain in the ass.
In the end I need 2 databases, expecting the mobile to be leaked someday.

>>107161067
So anyone that steals your car can enter your garage?

>>107161442
Fucking why? Unless you have an airBnB that makes zero sense to invest on this.

>>107160518
>If you could open your car door or house with a password instead, you would
That tech existed before you were even born. There's a reason you don't see it in the wild that often and it's because it's fucking retarded.

>>107160337 (OP)
ive been thinking of getting one of these and linking it to my bitwarden account, that way if i ever get ransomware or really just any sort of virus on a computer that has my account on it i can just pull it out and they wouldnt be able to get anything off it. theyre just kind of overpriced for their gimmicky use

>>107160989
> type it twice
that's just plus 1 bit of entropy
you will be more secure with 13 char password

>>107160337 (OP)
buy another one for redundancy you fucking idiot

>>107163648
redundency is for homos
real men live ont he edge

we need to go cheaper
https://www.token2.com/shop/category/fido2-keys

>>107160372
The major benefit is combining it with a password. But passkeys is going to eliminate the need for a yubi.

Something you know and something you have.

I use one just to avoid the shitty government app (ID Austria).
They force the austrian population to use their system more and more just to fill out a government form.

The app errors out in 9/10 cases while a fido2 key is pretty reliable in comparison (digitalization my ass)

>>107163834
looked it up
don't tell me people actually use the face/eye biometrics to sign government documents

what will you do when they inevitably disable other means of authentication save for biometrics?

Keys suck. Why would you want more of them? If you could open shit like your car or house easily with a password, you'd never carry a key again.

>>107165229
simple,quick and easy to use

>>107160443
you need the have the browser add-on to use it though, right? I wish it could be done through the app itself only.

I use yubikeys as 2FA proving I was physically there at the login. Nothing is perfect, but I'm much more comfortable with this setup than all the corps pushing passkeys.

>>107161165
>I feel like if we did a global audit of all sites\services that store user passwords we'd be shocked at how many dont implement something like argon2 or dont store passwords along with salt
Welcome to half the government websites out there. As I said, it's astonishing how frequent it is. I own property in multiple zip codes and dealing with different small town websites is beyond frustrating. I don't even bother for a few of them and just prepay taxes by a few weeks in person in advance when I happen to be going that way because they can't seem to figure out that I don't receive mail at a place I rent out.

It's often not that small orgs or small governments don't care, it's that they don't know enough to care in the first place. It's the whole known vs unknown problems thing. You can't tangibly touch a lot of tech stuff so understanding eludes people who don't work with it regularly.

>is that reliable in rain/low visability or when there's sun reflections?
I have it setup to look at the vehicle color and shape, so it'll get confused if I parked outside for hours and have enough snow melted and refrozen in place, but as long as the license plate is clear it's not really a problem besides that. Heavy snow and torrential downpours can obstruct stuff enough to cause some issues. Worst case scenario I just push the garage door opener or unlock it with my phone.

>>107166103

>>107161165
I have very powerful high CRI lights above my driveway with motion detection so my kids can play in the dark, so low light conditions aren't a problem. Side note on the lights. We're rural enough to have foxes and bears around, and there's a den that the foxes breed in a few hundred yards off the edge of the property. Every year we get a couple of clips of kits getting scared shitless when they get flashbanged by the lights turning on. It's amusing watching how some of them learn not to care while others will skirt around the edge of the driveway.

>i would have thought some bluetooth tag on your car + phone authentication would be a better idea
It possibly could be, but one advantage that this has is that we get to control it without requiring hardware in all the vehicles. My wife has a lot of family members in the area, and they're all good people unlike my side of things, so we've added many of their vehicles. Makes housesitting when we're out of town for a few days less of a hassle.

If we were going for maximum security we'd do things quite differently, but not having to care about that is the advantage to being well off white in hoity toity parts of New England.

>>107161287
not that anon, but a common attack system when brute forcing passwords is to cycle through iterations with repetitions first. There's a lot of categories of probability distributions you can apply to weigh certain styles of permutations more heavily than others. Dictionary type attacks are probably the most well known, but substitutions (5 instead of S, # instead of lb, etc), repeated phrases, palindromes, and the like can call be applied so that you're not just counting from 00000 to zzzzz in order.

TL;DR: You're more secure than not repeating your phrase, but you're less secure than having two distinct ones.

>>107160372
They are as secure as password protected keys are, which is as secure as your phone or debit / credit card are.
>>107160404
Which is why you have at least two. One of them is in my safe.
>>107160415
Who is stealing your keychain irl? You still need to use a password on top of a hardware key.
>>107160452
You need to use a pin if you use FIDO2 which is needed for them ain use case of the key...
>>107160518
If I had a choice (I don't right now) I would open my house with my phone. My house is one of the few things I don't have some kind of smart lock for.
>>107160597
OP posted a Yubikey 5 NFC, which is the de facto standard for a security key and has been for a while (one of mine is like 4 years old). Hardware keys basically pass the challenge/OTP to the host for authentication so the actual password is never provided to the host. Think TOTP but smarter.

>>107163196
>that's just plus 1 bit of entropy
complete nonsense buzzword. the attacker would have to know exactly how my password is created and the length of it for you to be right which is literally impossible unless he can read my password in plain text. a 12 character random password typed twice would need to be bruteforced for all 24 characters. idk where this entropy password nonsense came from but you all parrot it without thinking about it for 5 seconds.

>>107166155
>>107166377
is bruteforce cracking still a thing even since argon2?
feels like you'd have to rend half the AWS global compute power to crack even the least secure stuff

>>107160337 (OP)
>Security Keys
They're called dongles, they're not new.

>is there any good reason to not put this on all my computers instead of constantly entering passwords?
Because you can lose them, but then again you can forget your password, and the result is the same anyway. Except for someone stealing your keys and now they have access to everything.

>>107166898
these keys are usually for 2fa.

>>107166917
I thought the whole point of this thread was not having to enter any passwords?