I have been a longtime user of Lastpass until recently, with their pricing change. That, plus watching Wendell’s video, led me to decide to switch to Keepass. In the video I heard yubikey mentioned, and I have heard about yubikey elsewhere but haven’t put much thought into it.
I watched some videos, read some wikis, and did some google searches on yubikey and would like some advice on best/recommended use. Because I have switched to Keepassxc and will be implementing yubikey, it got me thinking about using yubikey for other accounts. I see I could use a combination of yubikey in static password mode plus a custom password for each site. After further thought, I’m thinking it might make more sense to use Keepassxc to generate my passwords for the many dozens of sites I use and then just protect Keepassxc with my yubikey.
What do you guys think is the better way: using yubikey to generate my passwords, or using keepass to generate my passwords?
Websites that support using a Yubikey suggest it as a second factor. The idea here is that random people cannot just guess, brute-force, or steal your password and log in. For successfully logging in you would need some physical second factor to authenticate. This could be a Yubikey, but also a mobile phone with a TOTP app. The fact that you need to know the account’s password and need to be in possession of a physical device at the same time makes stealing your account much harder. This is very important for accounts you need to keep secure.
The same is true for Keepass, but to argue that you only need to secure Keepass with a second factor is false. You can secure Keepass with 2FA and still someone could brute-force your email or bank account. I strongly suggest securing Keepass with your YubiKey, or Password and Yubikey, and still securing important websites with Password and a second factor of your choosing as well.
To specify this as well, it is best practice to let Keepass generate secure passwords for all websites too. This is one of the biggest advantages of a password manager: you can have long, unique passwords for all your services. When one service gets hacked or leaks credentials, you change the password for that particular service and you can be sure no other sites are affected.
I’m using yubi for gpg and ssh keys and highly recommend it if those are things you use. I recommend having a backup one (or two) in any case. Some aspects of the key you can clone during setup, or you can just register multiple keys with the services you use.
I used Keepass for years but recently switched to Bitwarden. I am not sure if I prefer this setup, as I liked managing the keepass file locally but found it difficult to share the file without resorting to another cloud service to store it.
If I get 2 keys, use one day-to-day, and store the other one, only taking it out to register both at the same time every time I set up a new login, might that reduce the hassle of account recovery when I lose the main key?
If I lose both / am not in the same place as the keys, I presume there are still typically ways to recover, but less easy? (depending on the site policy, rather than the tech?)
I get the idea, but as each is unique, they can’t cycle like backup drives.
I figure I can have one on me (for day-to-day) and one at home. And if I only register/create accounts at home, then I’d be mostly fine, or as long as I remember to register the second soon after returning home.
If I got a third for off site, it would for sure not be current/up to date.
Technically, I could keep one on me, one at home, and every [regular interval, like monthly] swap the backup, adding it as a third device to all the important stuff. Does not seem like I would keep up with that.
Perhaps if I needed security clearance, or had company/gov paperwork to secure.
You can clone some aspects of them, but I don’t remember to what extent this works with say 2FA cloud accounts (I don’t even know what mechanism they are using tbh). I did have it working with macOS login where I set up 2 “identical” yubis and only needed to register one for both to work. Unfortunately, I forgot what was involved there (it was years ago). Currently, I am still only using them for gpg/ssh.