Yubikey and Keepass

I have been a longtime user of LastPass until recently, with their pricing change. This, plus watching Wendell’s video, led me to decide to switch to KeePass. In the video I heard YubiKey mentioned, and I have heard about YubiKey elsewhere, but I haven’t put much thought into it.

I watched some videos, read some wikis, and did some Google searches on YubiKey, and would like some advice on the best/recommended use. Because I have switched to KeePassXC and will be implementing YubiKey, it got me thinking about using YubiKey for other accounts. I see I could use a combination of YubiKey in static password mode plus a custom password for each site. After further thought, I’m thinking it might make more sense to use KeePassXC to generate my passwords for the many dozens of sites I use and then just protect KeePassXC with my YubiKey.

What do you guys think is the better way: using the YubiKey to generate my passwords, or using KeePass to generate them?

It may not answer your questions, but this article might help others to get started with hardware keys:

1 Like

It seems you are mixing things together.

Websites that support using a YubiKey suggest it as a second factor. The idea here is that random people cannot just guess, brute-force or steal your password and log in. For successfully logging in you would need some physical second factor to authenticate. This could be a YubiKey, but also a mobile phone with a TOTP app. The fact that you need to know the account’s password and need to be in possession of a physical device at the same time makes stealing your account much harder. This is very important for accounts you need to keep secure.

The same is true for KeePass, but to argue that you only need to secure KeePass with a second factor is false. You can secure KeePass with 2FA and still someone could brute-force your email or bank account. I strongly suggest securing KeePass with your YubiKey, or password and YubiKey, and still securing important websites with a password and a second factor of your choosing as well.

To add to this, it is best practice to let KeePass generate secure passwords for all websites as well. This is one of the biggest advantages of a password manager: you can have long, unique passwords for all your services. When one service gets hacked or leaks credentials, you change the password for that particular service and you can be sure no other sites are affected.

1 Like

I appreciate your input. I probably did a poor job of outlining my post. My main question was directed towards password generation and since that was my focus I skipped over some stuff.

I do plan on securing websites with the YubiKey as well, or at least the ones that are compatible. I had intended to use it with my bank, but it doesn’t seem my bank and CC sites are compatible with YubiKey.

The YubiKey has no function to generate static passwords. It generates one-time passwords and it can save one static password. But it is not a random password generator.

1 Like

I’m currently using a YubiKey for oauth and Bitwarden for my password manager and password generator.

I’m using the Yubi for GPG and SSH keys and highly recommend it if those are things you use. I recommend having a backup one (or two) in any case. Some aspects of the key you can clone during setup, or you can just register multiple keys with the services you use.

I used KeePass for years but recently switched to Bitwarden. I am not sure if I prefer this setup, as I liked managing the KeePass file locally but found it difficult to share the file without resorting to another cloud service to store it.

1 Like

If I get 2 keys, use one day-to-day, and store the other one, only taking it out to register both at the same time every time I set up a new login,
might that reduce the hassle of account recovery when I lose the main key?

If I lose both / am not in the same place as the keys, I presume there are still typically ways to recover, but less easy? (Depending on the site policy, rather than the tech?)

2 Likes

Yeah it should.

Yeah it would depend on the service. If you’re in charge of something that’s important to others, maybe think about a safety deposit box.

If you really want to be safe, have 3 and never let them all be in the same place. Obviously that’s a huge hassle though if you’re regularly using them to register new services.

2 Likes

I get the idea, but as each is unique, they can’t cycle like backup drives.

I figure I can have one on me (for day-to-day) and one at home. And if I only register/create accounts at home, then I’d be mostly fine, or as long as I remember to register the second soon after returning home.

If I got a third for off-site, it would for sure not be current/up to date.

Technically, I could keep one on me, one at home, and every [regular interval, like monthly] swap the backup, adding it as a third device to all the important stuff. Does not seem like I would keep up with that.

Perhaps if I needed security clearance, or had company/gov paperwork to secure.

You can clone some aspects of them, but I don’t remember to what extent this works with, say, 2FA cloud accounts (I don’t even know what mechanism they are using, tbh). I did have it working with macOS login, where I set up 2 “identical” Yubis and only needed to register one for both to work. Unfortunately, I forgot what was involved there (it was years ago). Currently, I am still only using them for GPG/SSH.

1 Like
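Added example, not part of any post in this thread: the “clone some aspects” point above, and the earlier question of protecting KeePassXC with a YubiKey, both come down to the same mechanism. KeePassXC uses the YubiKey’s HMAC-SHA1 challenge-response slot: the database stores a random challenge, and the key’s HMAC-SHA1 response becomes one component of the composite key alongside the password. Because the slot holds a plain 20-byte symmetric secret that you program into the key yourself, two keys programmed with the same secret answer every challenge identically, which is exactly why a backup key can unlock the same database without being “registered” separately. The code below simulates that slot in software (the `SimulatedYubiKeySlot` class, the `composite_key` derivation and the sample secret are all constructed for this illustration; the real key never releases its secret, and KeePassXC’s actual KDBX4 derivation additionally runs a KDF such as Argon2).

```python
import hashlib
import hmac
import os


class SimulatedYubiKeySlot:
    """Software stand-in for a YubiKey HMAC-SHA1 challenge-response slot.

    Assumption: this is an illustration only, not the real device and not the
    yubikey-manager API. A real key never exports the 20-byte secret; the host
    can only send a challenge and receive HMAC-SHA1(secret, challenge).
    """

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # The real slot accepts challenges of 1..64 bytes.
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: bytes) -> bytes:
    """Combine password and token response into one database key.

    Simplified mirror of the composite-key idea (hash each component, then
    hash the concatenation). Not KeePassXC's exact KDBX4 derivation, which
    also stretches the result through a KDF before use.
    """
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    cr_hash = hashlib.sha256(response).digest()
    return hashlib.sha256(pw_hash + cr_hash).digest()


def create_database(password: str, token: SimulatedYubiKeySlot) -> dict:
    """Pick a random per-database challenge and record a check value for the key."""
    challenge = os.urandom(32)
    key = composite_key(password, token.challenge_response(challenge))
    return {"challenge": challenge, "key_check": hashlib.sha256(key).digest()}


def try_unlock(db: dict, password: str, token: SimulatedYubiKeySlot) -> bool:
    """Re-derive the key with whatever token is plugged in and compare in constant time."""
    key = composite_key(password, token.challenge_response(db["challenge"]))
    return hmac.compare_digest(hashlib.sha256(key).digest(), db["key_check"])


def backup_key_demo() -> dict:
    """Show which tokens can open a database created with the primary key."""
    # Constructed secret for the demo. In practice you generate a random one and
    # program it into every key you want to act as a backup.
    secret = b"constructed-20B-seed"
    primary = SimulatedYubiKeySlot(secret)
    backup = SimulatedYubiKeySlot(secret)        # same secret: a "cloned" slot
    stranger = SimulatedYubiKeySlot(os.urandom(20))  # some other key
    password = "correct horse battery staple"   # constructed sample password

    db = create_database(password, primary)
    return {
        "primary": try_unlock(db, password, primary),
        "backup": try_unlock(db, password, backup),
        "stranger": try_unlock(db, password, stranger),
        "wrong_password": try_unlock(db, "wrong", backup),
    }


if __name__ == "__main__":
    for name, ok in backup_key_demo().items():
        print(f"{name:14s} unlocks: {ok}")
```

The practical consequence for the backup-key discussion: for KeePassXC (and anything else built on the HMAC-SHA1 slot) you program the backup once, at setup, and it stays current forever, because there is nothing per-database to enrol. The same is not true of FIDO2/U2F, where each key holds its own credential, so for websites each backup key really does have to be registered separately, as the earlier reply describes.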

Thanks!

I appreciate the feedback on the random YubiKey thread from ages ago…

1 Like

The instructions/website tell you what the keys can do, and how sites should use them, but not the actual limitations and stuff.

More research needed, but I’m relieved, as I wasn’t sure one could have multiple keys registered.

Are there any other hardware tokens that DO NOT cost as much as a YubiKey 5 that work with KeePassXC? If not, why are only YubiKeys allowed for use with KeePassXC?

3 Likes

I use Bitwarden myself. It’s free, but they also have subscription options, and you can use it on just about any device.