Yubico Forum

Feeling secure. :)
Page 1 of 1

Author:  medfordite [ Thu Oct 17, 2013 2:23 am ]
Post subject:  Feeling secure. :)

I am majoring right now in computer security at my online university and have been reading plenty of up-to-date articles about password security. Of course, this has led me to really stop and consider just how secure we are with the Yubikey 2-factor authentication.

Ars Technica just recently posted an article about hackers using rainbow tables to decode passwords which were encrypted, and how one hacker obtained well over 1 BILLION words recently from the Bible, the entire Wikipedia, phone books etc. to add to his table and managed to crack even the most seemingly secure passwords.

http://arstechnica.com/security/2013/10 ... -cracking/

It seems to me that people are getting a false sense of security even with passwords such as f*kz3fPb1Dsq7SKwALdnh5g*7 which can apparently be decoded given enough time. :)

I ran across a very concerning discovery the other day with my Android phone and tablet. When I loaded up Google's Authenticator to sync with the sites I access (sadly, many don't use Yubikey - HEY MARKETING TEAM! YOU LISTENING?), I saw that the codes were renewed every 30 seconds as standard, giving the impression that the number code is random. I was WRONG! The tablet and phone, with the same screen loaded up, changed the keys about 1 second apart (launched 1 second apart), and lo and behold, the key on one device was "generated" on the second device. This leads me to figure that the key can eventually be reused. While a brute force would probably tear apart the security, more than likely on the servers a sentry would step in and ban the IP after x failed attempts.

So, my little analytical mind went to thinking about this and was given some peace of mind, if you will, that yes, while we have secure passwords such as f*kz3fPb1Dsq7SKwALdnh5g*7 (BTW, I generated this with LastPass as an example), this is only half the puzzle to cracking it.

The beauty of the system relies on the web server on the other end allowing Yubikeys to authenticate against it to complete the puzzle and open the doors for access. Even if the hacker did get the Yubikey password, well... it is already expired!

Knowing that the Yubikey One time password is just that - (ONE TIME USE ONLY), makes me feel all warm and fuzzy about this. ;)

Author:  Tom [ Fri Oct 18, 2013 1:11 am ]
Post subject:  Re: Feeling secure. :)

The Google Authenticator codes are not random, they are TOTP codes.

Some of them can be pre-computed as Google allows a wider frame than 30 seconds. The number of TOTP codes you can use depends on the implementation; some services allow 1 minute, 3 minutes or more.

The strength of the algorithm resides in the secret which is stored on the phone, or in the Yubikey NEO if you use the YubiOath Authenticator (much safer).

https://play.google.com/store/apps/deta ... oath&hl=en

All times are UTC + 1 hour