Security keys and online password management

If you're like most people, you probably use the same password on multiple sites and don't realize how much depends on that one password. Take Facebook, for example. You might think, "If someone manages to hack my Facebook account, no big deal. I don't have any credit card or financial information on it." But if you're like most people, you've already put a lot of personal information on Facebook: your birthdate, name, home address, work address, and the names of your friends and relatives (your mother's maiden name?). That is prime material for identity theft. Once an attacker controls your Facebook account, it doesn't take long to take over your email account (by requesting a password reset and answering the security questions like where you were born and your mother's maiden name... guess where all that information comes from?), and from there to get into your other sites like amazon.com (where you probably do have a credit card stored) and your bank.

So the best approach is to use a different password for every site, and to make each password hard to guess or to find by dictionary attack: instead of words, use completely random characters. But how would you remember random passwords for all those sites? Password management applications like Roboform plug into your browser and remember all your passwords for you. The local database is optionally encrypted with your own "master" password (so let's hope your computer doesn't get stolen and your master password isn't saved in a text file on your desktop). This works for some people, but it has a disadvantage. If you have multiple computers, it's a hassle to synchronize the password database across them, and the Roboform license is per machine, so installing it on every machine you own gets relatively expensive, not to mention that it isn't available at all when you're on a public computer.

The convenient solution to that problem is an online password manager, and there are a handful of them: Billeo, Lastpass, Clipperz, Mitto, mySafeBox, Passpack, etc. The idea is that your passwords are encrypted locally on your computer with a master password, and the encrypted database is stored online where it's "safe" and no one can read it except you (not even the "company"). Even if you take the "company" at their word, all the random passwords for all your websites are now funnelled into a single master password: if an attacker gets hold of that master password, every one of your passwords is compromised.
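To make the "single master password" point concrete, here is an added example (not code from the original post or from any of the services named above) showing what an attacker who obtains the stored vault blob can do offline. It assumes a constructed vault format: a random salt, PBKDF2-HMAC-SHA256 key derivation, and an HMAC key-check tag of the kind clients keep so they can tell a wrong master password from a corrupted vault. The iteration count and the wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed vault parameters for illustration. Real managers use far higher
# iteration counts (hundreds of thousands) and an AEAD cipher for the vault body.
ITERATIONS = 2_000
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def make_vault_header(master_password: str) -> dict:
    """Build the part of the vault that the online service ends up storing.

    The key-check tag lets the client confirm the master password before
    decrypting anything, but it equally lets anyone holding the blob test
    guesses offline, with no server, rate limit or lockout in the way.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def check_master_password(header: dict, guess: str) -> bool:
    """True if `guess` derives the key that produced the vault's key-check tag."""
    key = derive_key(guess, header["salt"], header["iterations"])
    tag = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, header["check"])


def offline_dictionary_attack(header: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each candidate against the stolen header.

    Returns (recovered master password or None, number of guesses made).
    Each guess costs one PBKDF2 run, so the iteration count is the only thing
    slowing the attacker down; a password that appears in any wordlist falls.
    """
    tried = 0
    for candidate in wordlist:
        tried += 1
        if check_master_password(header, candidate):
            return candidate, tried
    return None, tried


# Constructed wordlist standing in for a real password dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "letmein123", "football", "iloveyou"]


if __name__ == "__main__":
    weak = make_vault_header("letmein123")
    print("weak master password:", offline_dictionary_attack(weak, WORDLIST))
    # A random master password is in no dictionary, so the same attack
    # exhausts the wordlist without a hit.
    strong = make_vault_header("Kq7#vR2m!pX9wL4z")
    print("random master password:", offline_dictionary_attack(strong, WORDLIST))
```

The point of the key-check tag is that the online service's "no one can read it, not even us" only holds as long as the master password survives this loop; the service's own security never enters into it.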

Two things come to mind:
  1. The saying, "a chain is only as strong as your weakest link."
  2. Hushmail
If you haven't heard of Hushmail, it's a secure email provider claiming that all of your email is encrypted locally on your computer and your privacy is guaranteed, i.e. no one can read your mail except you. But if you read this article, you already know that such claims don't hold up. To cooperate with the DEA, Hushmail customized the encryption code it serves to users so that the password a user enters to decrypt his mail was quietly sent to the server, where Hushmail could decrypt the mail itself. The lesson is that "encrypted locally" means little when the provider supplies, and can silently change, the code that does the encrypting. On one hand, it's comforting to know that terrorists can't use Hushmail to secretly plan a nuclear attack. On the other hand, it's not very comforting to know that your email isn't private after all, and can be turned over to state agencies at will. If you're planning a national revolution, forget it; you'll end up getting shot in the face for treason against the state.

But let's assume for the moment that you're not a revolutionary. Using an online password manager leaves you exposed because all your passwords are funnelled into a single master password: an attacker now only needs to get one master password to access all of your information. That is also assuming the company itself has no "leaks" and no rogue or disgruntled employees planning to sell your information to the mafia.

This is where security keys come in.

Security keys like the Yubikey provide an additional authentication factor (imaginatively called "two-factor authentication"): in addition to the username and password, you also need to enter a "security key." In the case of a Yubikey, the security key is a long one-time password that changes every time you press the button; each code carries a usage counter, and the validating server only accepts a code whose counter is higher than the last one it saw. So say you use the Yubikey on a computer infected with a keylogger that captures everything you type: the attacker gets your username, password, and the one-time code, but the code was valid only once, so if they try to log in with it again, the authentication fails. (This does not help against a phishing site that relays your credentials and a fresh code to the real site in real time, since the code isn't tied to the site you typed it into; the protection is against replay, not against live interception.)

Now, this is great, except for one thing. So far the Yubikey isn't supported by many popular sites: Facebook, Amazon, your local bank, etc. But one online password service does support it: Lastpass. With Lastpass's Yubikey support, an attacker can't get into your Lastpass account without taking your Yubikey as well. The disadvantage is that Yubikey support is only available to premium customers, i.e. you need to pay. Granted, their premium service is currently $12 a year... but nothing beats free, right? So, luckily, I found a better alternative to Lastpass: Personal Identity Portal (PIP) from Verisign.


Instead of the Yubikey, a USB device you need to buy for $25, PIP can use your cellphone (Blackberry, and Symbian-based devices like Nokia and Sony-Ericsson) to generate your security key, a code that changes every 30 seconds (feel like Jason Bourne, don't you?). The difference is that you have to type the code in manually, whereas the Yubikey types it for you. The advantages of PIP over Lastpass are that 1) PIP doesn't require a browser plugin, and 2) PIP is operated by Verisign, the company that issues SSL certificates for many commercial websites, so you can have more confidence in its security than in a small company like Lastpass, where, for all you know, the whole server infrastructure is running in a closet guarded by Bob the security officer.

PIP also offers additional services beyond online password management:
  1. Free 2GB online space to store your documents
  2. Security key support for other sites like Paypal.
  3. An OpenID provider.

On point 3, clavid.com is also an OpenID provider that supports Yubikey, but that's a different topic for a different time.
