Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:32 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
 Post subject: Feeling secure. :)
PostPosted: Thu Oct 17, 2013 2:23 am 
Offline

Joined: Mon Dec 19, 2011 3:24 am
Posts: 9
I am majoring right now in computer security at my online University and have been reading plenty of up to date articles about password security. Of course, this has lead me to really stop and consider just how secure are we with the Yubikey 2-factor authentication.

ARSTechnica just recently posted an article about hackers using Rainbow tables to decode passwords which were encrypted and how one hacker obtained well over 1 BILLION words recently from the Bible, Entire Wikipedia, Phone Books etc.. to add to his table and managed to crack even the most seemingly secure passwords.

http://arstechnica.com/security/2013/10 ... -cracking/

It seems to me that people are getting a false sense of security even with passwords such as f*kz3fPb1Dsq7SKwALdnh5g*7 which can apparently be decoded given enough time. :)

I ran across a very concerning discovery the other day with my Android phone and Tablet. When I loaded up Google's Authenticator to sync with my sites I access (Sadly, many don't use Yubikey - HEY MARKETING TEAM! YOU LISTENING?), I saw that the codes were renewed every 30 seconds standard giving the impression that the number code is random. I was WRONG! The tablet and phone with the same screen loaded up, changed the keys about 1 second apart (Launched 1 second apart), and lo and behold - the key on one device, was "generated" on the second device. This leads me to figure that the key can eventually be reused. While, a brute-force would probably tear apart the security, more than likely on the server's a sentry would step in and ban the IP after x amounts of failed attempts.

So, my little analytical mind went to thinking about this and was given some peace of mind if you will that yes, while we have secure passwords such as f*kz3fPb1Dsq7SKwALdnh5g*7 (BTW, I generated this with Lastpass as an example), this is only half the puzzle to cracking it.

The beauty of the system relies on the web server on the other end to allow Yubikey's to authenticate against to complete the puzzle and open the doors for access. Even if the hacker did get the Yubikey password, well...it is already expired!

Knowing that the Yubikey One time password is just that - (ONE TIME USE ONLY), makes me feel all warm and fuzzy about this. ;)


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: Feeling secure. :)
PostPosted: Fri Oct 18, 2013 1:11 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
The Google Authenticator codes are not random, they are TOTP code.

Some of them can be pre-computed as Google allows a wider frame then 30 seconds. The number of TOTP codes you can use depends on the implementations, some services allows 1 minute, 3 minute or more.

The strength of the algorithm resides in the secret which is stored on the Phone or in the Yubikey NEO if you use the YubiOath Authenticator (much safer)

https://play.google.com/store/apps/deta ... oath&hl=en

_________________
-Tom


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 6 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group