badinnovative.blogg.se

Lastpass safe or not

  • Online validation is performed by Yubico's servers.
  • After provisioning a physical YubiKey the key record is "securely deleted" from the computer and the SD media.
  • The Initial Configuration System receives key records from the SD media.
  • The Initial Configuration System computers are physically and logically protected.

  • The operators are "specially authorized and trained".
  • The Initial Configuration Facility is "sensitive to both theft and manipulation" (I assume this means that they have theft deterrents and monitor the integrity of security critical components).

  • The physical YubiKey devices are provisioned with their keys using an Initial Configuration System.
  • The key records are protected with OpenPGP and transferred onto SD media.
  • Key generation is performed in a "highly secure facility".
  • The system operators are "specially authorized".
  • The computer system used in key generation is a stand-alone system with strong physical and logical access control.
  • The AES 128-bit key is generated with a "high quality pseudo random value generator".
I apologize for problems caused by my first answer.

A quick overview (based on the documentation)

Their overall process for delivering a secure product is sound. Upon reviewing Security Evaluation and Key Lifecycle Management it appears that my original concerns were unfounded. I failed to find the documents on their website that provide more detailed information relevant to security analysis. My research of YubiKey for my original answer was shallow.

No system will be invulnerable but you may find the advantages of using Lastpass + Yubikey outweigh the risks for you. If you or the service discovers the compromise this gives you time at a minimum.

Do a quick threat model, understand your risk appetite. The whole point of two-factor is that even if one factor is compromised they still require the other. Using Yubikey and a strong master password greatly improves the security of whatever you store in Lastpass.

Using a password manager is better than not using one and is a simple, cheap solution to improve the security of virtually any application/service you need a password for. The question is: are the risks acceptable to you? Refer to a sample attack tree for defeating two-factor: After all, if RSA got hacked and the attackers were able to use this to get into military contractors then no two-factor mechanism is invulnerable. Yubikey, as states, could also be vulnerable. So yes, all software can have vulnerabilities. Lastpass has had an XSS vulnerability and a suspected intrusion recently.

  • Who are you concerned would want your passwords? Opportunistic attackers or targeted governments / organized crime?
  • Are you storing the whole password in there or a unique value to which you add a passphrase?
  • What passwords are you protecting in Lastpass?

The complex answer: it depends on your threat model and risk appetite.














