Trying to improve security on my end and remove password managers as potential attack vectors by using an OnlyKey for managing web logins. Can I use just one for every site I log into? Is it a good idea to have a backup to clone to in case the first one dies?
Can you elaborate what attack vectors you’re considering?
(Specifically, you already shouldn’t be able to get useful access to password manager data without a hardware token… and yes, you need a backup token; they’re easy to lose.)
It’s software on the computer. Something like an OnlyKey blocks access to the hardware unless I put a PIN in. Password managers have had exploits found.
So if the machine or user account is owned (malicious software running in parallel), then the website you’re logging into needs to support 2FA (ideally U2F through WebAuthn) or needs to be able to delegate auth using OAuth2 (and needs to make those settings hard to change). Otherwise, as long as the site is using passwords as the only auth mechanism, no matter how they’re stored, you’re screwed.
If it supports U2F, you can sort-of/kind-of be a little bit safer, in the sense that you can revoke/close a session reliably from e.g. your phone after you’re done using the untrustworthy computer. And this may make it easier not to lose your account or have it taken over.
It does mean that your account on the site was temporarily partially compromised.
With a password-only website that doesn’t use a second factor, your account on a given site might be permanently owned if your password is leaked from your key into your browser.
A good password manager has access to multiple passwords, but you kind of want it locked most of the time, and you want unlocking/using to require some hardware tap.
That way you only compromise a subset of your most frequently used password-only sites if/when your machine is owned, not all of them.
Moving a password manager to another device, like the OnlyKey, doesn’t help with password-only sites; it merely replaces one password manager with another.
e.g. Have you tried bitwarden?
Password managers have had their databases hacked. An OnlyKey makes that impossible. It just manages your passwords per site. Protection against someone sniping my clipboard is something else.
If your machine is compromised, all bets are off.
Malware can just screen-snoop and wait for you to log in and authenticate via whatever method, and then hijack that session, live.
This is false. A hardware 2FA does not make it impossible to have your passwords exposed.
- Many sites do not support 2FA or non-password single-factor logon.
- A hardware key alone does not represent superior security to a password in any fashion.
- Password managers are not necessarily centralized, cloud options.
- Exploits get patched out and security improves over time. Best practices (e.g. 2FA use) mitigate the effect of existing exploits (e.g. social engineering, which a hardware key cannot protect you against).
You have a much better option. I’ll go ahead and detail it.
Host the password manager yourself, where the database is on hardware that you control. You are a much smaller target than a LastPass or a Bitwarden company, and if you set it up right, attacks will require physical access to your hardware or access to your network, and either way you have ways to protect against that. I suggest using Vaultwarden. It’s got a lot of nice features as an (unofficial) implementation of Bitwarden.

You are going to have to make compromises here. For example, if you need mobile access, the syncing server capacity is an attack surface, but that doesn’t mean it’s likely to be used against you. Figure out what’s reasonable in your context (Who’s going to attack you? What are they going to gain? Why would they do that? etc.) and act accordingly. Either way, make sure your vault password is complex and memorable: do not write this password down anywhere, use it for anything else, or keep any record of it outside the vault.

Use a correcthorsebatterystaple password generator to increase the strength of all your passwords; reset all of them to unique passwords of this type. I like this generator; just remember that each password should be unique from all others, and check each against haveibeenpwned.
Consider removing accounts that have refused to implement 2FA or that use insecure methods for changing passwords, such as a forgot-password link that sends an email with your password actually in the text.
Buy 4 or 6 YubiKeys or similar.
Set up half the keys to handle just your password vault, so it needs your password plus one of these keys to unlock.
Set up your accounts to require password + key, and set up your other YubiKeys as that key.
Keep the first pair of keys (vault + accounts) on your person. Keep the 2nd pair in a lockbox in your home (warm backup). Put the 3rd pair in a buddy’s or relative’s home in a safe or lockbox (cold backup). If you’re worried about social engineering, talk to support on all these accounts and get a note placed on your account to lock it if someone tries to deactivate the 2FA.
If you want to go even further, set up keys for 2FA access to your actual devices. Do this with the same things: complex passwords (but make sure you can remember this one), backup key locked up, primary key always on your person. This step may well require Linux, by the way.
With this, you should be able to significantly increase your security with hardware keys, unlike your initial plan which does not increase your security in a meaningful manner.
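The reply above recommends a correcthorsebatterystaple-style (diceware) generator and checking every new password against haveibeenpwned. The following is an added example, not code from the thread or from any of the projects it names, showing both steps offline: passphrase generation from the OS CSPRNG with the entropy calculation that justifies the word count, and the k-anonymity check that Have I Been Pwned’s range API uses, where only the first five hex characters of the SHA-1 leave your machine. The 16-word list, the helper names and the range response text (including its counts) are constructed for the example; a real diceware list has 7776 words, and the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`, which this code deliberately does not call.

```python
import hashlib
import math
import secrets

# Constructed demo wordlist (16 entries). A real diceware list has 7776 words;
# entropy per word is log2(len(wordlist)), so this toy list yields only 4 bits/word.
DEMO_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bright", "candle", "delta",
    "ember", "forest", "glacier", "harbor", "island", "jungle", "kettle", "lantern",
]


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of an n-word passphrase drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words: int = 6, sep: str = "-") -> str:
    """Pick n_words uniformly with the OS CSPRNG (secrets), never random.choice.

    Duplicate words would silently lower the entropy below the estimate,
    so they are rejected up front.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; entropy estimate would be wrong")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def hibp_prefix_and_suffix(password: str):
    """Split the SHA-1 for the k-anonymity range API.

    Only the 5-character prefix is sent to the service; the suffix is compared
    locally against the returned candidate list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count_from_range(password: str, range_response: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response; return the breach count, 0 if absent."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        resp_suffix, _, count = line.partition(":")
        if resp_suffix.strip().upper() == suffix:
            return int(count.strip())
    return 0


def is_unique(candidate: str, existing_passwords) -> bool:
    """Enforce the 'unique from all others' rule against the vault's current set."""
    return candidate not in set(existing_passwords)


# Constructed sample of a range response for prefix 5BAA6 (SHA-1 of "password"
# starts with 5BAA6). The counts are made up for the example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
1E2AAA439972480CEC7F16C795BBB429372:1
"""


if __name__ == "__main__":
    pw = generate_passphrase(DEMO_WORDLIST, 6)
    print(pw, f"(~{entropy_bits(len(DEMO_WORDLIST), 6):.1f} bits with the toy list)")
    print(f"6 words from a real 7776-word list: ~{entropy_bits(7776, 6):.1f} bits")
    prefix, _ = hibp_prefix_and_suffix("password")
    print(f"would query range/{prefix}; sample response says 'password' seen",
          pwned_count_from_range("password", SAMPLE_RANGE_RESPONSE), "times")
```

To use it for real, fetch `range/<prefix>` over HTTPS yourself and pass the body to `pwned_count_from_range`; the full hash never needs to be transmitted, which is the point of the k-anonymity design.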
Hardware encryption is more secure.
For the above 24 websites I’ll have a Qubes VM set up without an internet connection. I also have two YubiKeys coming for the sites that support it. I also have a key that detects if the boot process has been tampered with. I believe it’s a librakey. I’m sitting behind a switch with multiple VLANs too, and will be getting a security audit of my network.
Each website used will have a different Qubes VM as well. I’ll probably have a separate Qubes VM for each email account used, and will upgrade to a Purism machine once I’m more familiar with the Qubes install process, and run something crazy like 32 to 64 VMs.
My typical daily driver won’t be set up this way nor access the sites I need secured. It will be on a separate VLAN. I’ll have to figure out if it’s safe for distcc to cross VLANs.