So I’ve been trying to create more secure passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don’t want to mix my personal password manager with my work computer and I also don’t want to remember a complicated 15 character long password to log in every day.

That brings me to my question. I’ve been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow it, and I use it for TOTP on most sites (there’s a limit to how many entries in the Yubikey 5). You can also store a password in one of its two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different “prefix” for each application? Example: On my banking site I type in “bank” then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don’t know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that’s backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?

  • @MajorHavoc@programming.dev · 12 · edit-2 · 9 months ago

    I say go for it.

    If you’re working on something sensitive enough that a Yubikey isn’t good enough security, then the team you’re working with should be enforcing other protections like MFA, which mitigates the algorithm risks.

    Obviously, if you get a chain of fraudulent MFA requests, change your password approach, though.

    Otherwise, it beats what most people are doing by a long way. Casual attacks are going to go through Karen in accounting’s weak password, not reverse engineering your Yubikey.

    Edit: Your prefix length matters here, though. You don’t want it to be so short that it volunteers for more scrutiny in a breached data set.

    Edit 2: Marcos makes a great point about putting yourself in a position where, when you change your password, it’s necessarily extremely similar to previous passwords. That’s not great.
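As an added example (not from the original post or any commenter), the Python below models the two points raised in this thread: the prefix-plus-static-password scheme the question describes, and the observation that prefix length is what matters once the shared part is exposed. It also models, as an assumed alternative, the challenge-response mode the poster already uses: HMAC-SHA1 keyed with the secret stored on the key and challenged with the site name, which yields a different password per site without any password containing the shared secret. The 40-character secret, the site names and the `derived_password` encoding are constructed for illustration; a real Yubikey slot keeps the HMAC key inside the device and software never sees it.

```python
import base64
import hashlib
import hmac
import math
import string

# Constructed sample: a 40-character "base password" stored in a Yubikey static slot.
STATIC_SECRET = "Tr0ub4dor&3-x9Q!mN#pL2vW@cZ7bH%kJ4sR^eF8"

# "All the characters": letters, digits and punctuation, the set the post refers to.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def concat_password(prefix: str, static_secret: str = STATIC_SECRET) -> str:
    """The scheme in the post: a typed per-site prefix followed by the key's static password."""
    return prefix + static_secret


def shared_suffix(p1: str, p2: str) -> str:
    """Longest common suffix of two passwords.

    This is what comparing two leaked site passwords exposes: with the concat scheme
    the whole static secret is recovered, leaving only the prefixes as per-site secrets.
    """
    n = 0
    while n < min(len(p1), len(p2)) and p1[-1 - n] == p2[-1 - n]:
        n += 1
    return p1[len(p1) - n:] if n else ""


def residual_entropy_bits(prefix_len: int, alphabet_size: int = len(FULL_ALPHABET)) -> float:
    """Entropy left in one site's password once the shared static part is known.

    Only the prefix remains unknown, so the bits come from its length and character set.
    A lowercase dictionary word like "bank" has far fewer bits than the random-alphabet
    estimate, which is why the thread warns about short prefixes.
    """
    return prefix_len * math.log2(alphabet_size)


def derived_password(site: str, hmac_key: bytes, length: int = 28) -> str:
    """Assumed alternative: per-site password from an HMAC-SHA1 challenge-response.

    Mirrors what a Yubikey challenge-response slot computes (HMAC-SHA1 of the challenge
    under the key's secret); here the site name is the challenge. The digest is
    base64-encoded to a typeable string. Leaking one site's output does not reveal the
    key or any other site's password, unlike the concat scheme.
    """
    digest = hmac.new(hmac_key, site.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    bank = concat_password("bank")
    social = concat_password("social")
    leaked = shared_suffix(bank, social)
    print("shared secret recovered from two leaks:", leaked == STATIC_SECRET)
    print("bits left in the 4-char prefix 'bank':", round(residual_entropy_bits(4, 26), 1))
    key = STATIC_SECRET.encode("utf-8")  # constructed HMAC key for the comparison
    print("derived bank   :", derived_password("bank", key))
    print("derived social :", derived_password("social", key))
```

The concat model shows why the reply's "prefix length matters" edit is the crux: two leaked passwords from the scheme give back the entire static string, so the per-site strength collapses to the prefix alone, and a changed password is necessarily a near-copy of the old one. The derived variant keeps the poster's existing challenge-response slot in the loop and produces unrelated outputs per site, at the cost of needing the key plugged in rather than relying on a typed static string.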