I tweeted the other day that I no longer know any of my passwords. People seemed to think it was a joke, so I decided I’ll go into a little more depth on exactly how I’m doing it.
Okay I think I've finally configured my internets for maximum security. I know none of my passwords. Not even my @1Password master. — Colby Aley (@aley) October 13, 2013
I'm using two different technologies that make this possible:
- 1Password
- Yubikey
I've only recently started using 1Password, and regret not jumping on the bandwagon earlier. It's a great tool for eliminating the need to remember passwords. Often, people use the same password for all of their services, because remembering a new password for each one is near impossible. This is terribly insecure: if that one password is ever compromised, so is your whole online identity.
1Password lets you store your credentials for multiple services, making it much easier to use a different password for each one. They have native apps for most platforms that keep your encrypted set of passwords behind one master password. They recommend this master be strong, as it should be, since it protects everything else. There are two downsides to this technique, though:
- Stronger passwords are typically hard to remember. Since you will need to enter your 1Password master multiple times a day, this can be a problem.
- If this password were to be compromised, so would all of your other passwords. This is less likely with a stronger password, but then again, a stronger master can be a huge inconvenience.
So, how should we go about fixing this?
I recently received my Yubikey in the mail. I ordered one after reading an article on how Facebook uses them to authenticate employees internally, and thought it would be cool to check out.
For those who don't know, the Yubikey is a simple USB dongle that acts as a keyboard when plugged into your computer. It has a single button on it, which when pressed types a one-time password, allowing for secure two-factor authentication. This is similar to the RSA SecurID and newer apps like Authy with similar functionality.
Another feature of the Yubikey, one that I didn't discover until setting up my key, is the ability to program a second slot on the key. That second slot can hold a static password: one that is typed exactly the same way on every press and will never change (unless you reprogram it yourself).
I decided this would be a great way to make my 1Password master password both a) more secure (longer, greater variation in character types), as well as b) easier to authenticate with. So I generated a fairly complex static password and programmed that to the second slot on my Yubikey.
Next, I set my 1Password master to a combination of two passwords. The first part is a moderately simple password that I can remember. The second part is the static password programmed into my Yubikey, which I couldn’t remember if I tried.
With this setup, I don't technically know any of my passwords. I know part of my 1Password master, but not enough to authenticate without the Yubikey. On the other hand, if someone were to steal my Yubikey, they would also need my memorized portion to gain access. One caveat: 1Password only ever sees the two parts concatenated as a single master password typed through the keyboard, so this protects against losing one part, not against a keylogger on the machine, which captures both.
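To make the two-part master concrete, here is an added example (not code from the original post, and not anything 1Password or Yubico ships) that models what the vault does with such a master: it generates a random static part of the kind you would program into the key's second slot, concatenates it with a memorized part, and derives a verifier with a slow KDF. The vault side only ever sees the concatenation, so neither part alone unlocks it. The character set, the PBKDF2 parameters and the `make_verifier`/`unlock` helpers are assumptions for illustration, not 1Password's real implementation.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption for this example: a conservative printable alphabet for the
# device-held static part. A real YubiKey static slot emits characters via
# keyboard scancodes, so check what your key and keyboard layout actually type.
STATIC_ALPHABET = string.ascii_letters + string.digits


def generate_static_part(length=32):
    """Random static password: the part programmed into slot 2 once and
    never memorized. Uses the OS CSPRNG, never random.random()."""
    return "".join(secrets.choice(STATIC_ALPHABET) for _ in range(length))


def entropy_bits(password, alphabet_size):
    """Upper bound on the entropy of a uniformly random password of this
    length drawn from an alphabet of the given size."""
    return len(password) * math.log2(alphabet_size)


def make_verifier(memorized, static, iterations=100_000):
    """Stand-in for a vault's master-password check (illustrative, not
    1Password's real scheme): random salt plus PBKDF2-HMAC-SHA256 over the
    concatenated master. Note the KDF input is one string; the split between
    'known' and 'held' exists only in the user's head and on the key."""
    salt = secrets.token_bytes(16)
    master = (memorized + static).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", master, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def unlock(verifier, memorized, static):
    """Return True only if memorized + static reproduces the stored digest.
    Constant-time comparison avoids leaking how many bytes matched."""
    master = (memorized + static).encode("utf-8")
    digest = hashlib.pbkdf2_hmac(
        "sha256", master, verifier["salt"], verifier["iterations"]
    )
    return hmac.compare_digest(digest, verifier["digest"])


if __name__ == "__main__":
    # Constructed sample values: the memorized part is deliberately short,
    # the static part is what a key press would type.
    memorized = "correct-horse"
    static = generate_static_part(32)
    verifier = make_verifier(memorized, static)

    print("memorized part:", memorized)
    print("static part (on the key):", static)
    print("static entropy, bits:", round(entropy_bits(static, len(STATIC_ALPHABET)), 1))
    print("both parts:", unlock(verifier, memorized, static))     # True
    print("key only:  ", unlock(verifier, "", static))            # False
    print("memory only:", unlock(verifier, memorized, ""))        # False
```

The entropy figure is the point of the static slot: 32 characters from a 62-character alphabet is about 190 bits, far more than anyone would type from memory several times a day, and the memorized prefix adds whatever it adds on top. The two failing `unlock` calls show the split working as described in the post; what the example also makes visible is that `make_verifier` never sees the boundary between the two parts, which is why it is still a single password from the vault's point of view.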
As for mobile, I haven't established any workflow yet, though as far as I know you can connect your Yubikey to an iOS device with Apple's USB camera connector.
In the case that my Yubikey were to be broken or lost, I have physically printed my password and stored it in a secure location.
I’ve found this solution to be less of a hassle than I imagined, while at least marginally increasing security. All I need to do to log in to 1Password now is type my simple password, then press the button on my Yubikey.
If you have any questions or if I’m doing something blatantly wrong, please shoot me an email or ping me on Twitter.