I mentioned the Yubikey as the ultimate solution stolen passwords on the excellent Yahoo Marx Train forum, and another member asked me to elaborate on it. Rather than take up a lot of space with some off-topic discussion, I decided it would be better to write about it here.
The Yubikey is the best solution I’ve seen yet for the problem of remembering passwords. I am a computer security professional by trade, but I will try to avoid as much techno-jargon as I can, and explain what I do use.
The problem is that any password that a human can remember is easy for computers to guess. The whole idea behind the standard 8-character password was that it would take a year for someone sitting at a keyboard to guess it, and nobody would, so 8 characters was safe. Today computers are fast and software is smart, so the only way to get equivalent strength today is to use passwords like bR&4*kP-pnVe!pA8. You won’t remember that.
And the software will only get smarter. Every time someone’s password database gets stolen, someone decrypts it, and the bad guys run statistical analysis on it so they can guess passwords even faster. A password strength filter will say that John3:16 is an outstanding password because it has a special character, several numbers and a mix of upper and lowercase letters, but all of the password guessers guess the most popular Bible verses very early in the game, because now we know so many people use them.
The holy grail is two-factor authentication. I apologize for the jargon, but your ATM card is an everyday example. You swipe the card, enter a PIN, and the machine gives you money, or the store takes its payment. You can’t use someone else’s card and your PIN, and if someone else gets your card, they can’t get money because they don’t know your PIN. It’s easier and more secure than carrying cash.
The Yubikey is an affordable ($25) implementation of two-factor authentication. You plug it in to a USB port on your computer, and when a site that supports Yubikey asks for a password, you push a button on the Yubikey, then enter a PIN. That’s it. Behind the scenes, Yubikey and the site negotiate a password that is very long and nonsensical and only good once. The next time, it uses another one. So even if a bad guy intercepts the password along the way, it’s no help because the password will be different next time.
The other problem
This would be great, except not a lot of sites support it. The best workaround is to use a service like Last Pass, set all of your passwords to the longest random password each site allows, then tie it to the Yubikey. Then you don’t have to remember the obnoxious random password–Last Pass will enter them for you after you press the button on the Yubikey and enter your PIN. This isn’t ideal, but the reality is that people aren’t going to guess your 24-character gibberish password when there are so many other people using John3:16. Or, worse yet, popcorn. The bad guys will never get to yours. Using long 24-character passwords is like being the only locked car in a parking lot full of unlocked cars, some with the windows down. The bad guys will rob one of the unlocked cars and not bother with yours.
But I expect more sites will start supporting Yubikey, because password guessing is only going to become more prevalent. Sites like Amazon and Ebay won’t be able to afford not to.
Is it safe to buy from someone other than the manufacturer?
One forum member who is in the UK asked if it’s safe to buy a Yubikey off Ebay rather than from the manufacturer. I’m very glad he asked the question. I wouldn’t buy one off Ebay. I don’t know that it’s possible to hide malicious software in one, but it’s possible with almost anything else that has a USB connector on it, so the only safe thing to do is to assume that it is possible.
To be safe, buy one direct from the manufacturer or from an authorized distributor. Outside of the United States it’s likely to take a few more days and cost a little bit more, but it would be irresponsible of me to recommend otherwise.