Using Yubikey with constant keys

Yubikey is the first one-time password generator I saw that can also emit a static password. When you press the button, a constant, pre-defined string is entered, just as if it had been typed on the keyboard. Is it more secure than typing the password on the keyboard? Not at all (unless shoulder-surfing is a concern). So how does it differ from entering a long key yourself? It does not. And still, local encryption is a valid use case for exactly such a function.

If you have a Yubikey, or any other one-time password generator, then you got it to compute one-time passwords, not to emit constant strings. However, there is still value in having a device that enters a very long, impossible-to-remember (and therefore high-entropy) string which is not stored anywhere on the computer. The primary use case I see for that is encryption on the workstation. Having Yubikey type a string is not more secure than entering the string yourself, but it does ensure that the password has full entropy; something that is difficult to assure with memorable passwords unless they are made very long. It also saves the typing effort. The flip side of the string living only in the token is that a lost or broken token means the encrypted data is unrecoverable, unless the string was recorded somewhere safe when the token was programmed.

The entered string (or password) is still susceptible to key-loggers, just as a manually entered password is. Generally speaking, every use of encryption of files, folders, or anything else on the running workstation is susceptible to attacks by malware on that workstation. Regardless of which password is used and how it is entered, the data is encrypted with a key that is derived from that password, and this encryption key is fully reconstructed in memory upon decryption, making it available to privileged malware once it has been constructed. This is a fact of life, unfortunately. While a token emitting a constant long password cannot mitigate this attack vector, it at least lets you enjoy a full-entropy password without having to remember and type one.
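To make the two points above concrete (the entropy gained from a token-typed string, and the fact that the encryption key is reconstructed in memory from whatever password comes in), here is an added example that is not part of the original post or of Yubico's software. It assumes the token is configured with the default modhex alphabet (the 16 characters `cbdefghijklnrtuv`, chosen so the same key scan codes yield the same characters on most keyboard layouts) and a 38-character static password; the sample "token output" is constructed with the same distribution rather than read from a real device, and scrypt is used as a stand-in for whatever key derivation function the encryption tool actually applies.

```python
import hashlib
import math
import secrets

# Default alphabet of a YubiKey static password: 16 symbols, i.e. 4 bits per character.
MODHEX_ALPHABET = "cbdefghijklnrtuv"


def is_modhex(s: str) -> bool:
    """True if every character could have been emitted by a modhex static password."""
    return len(s) > 0 and all(c in MODHEX_ALPHABET for c in s)


def entropy_bits(password: str, alphabet_size: int) -> float:
    """Upper bound on entropy, assuming every character is drawn uniformly
    from an alphabet of the given size. A token-generated string actually
    reaches this bound; a human-chosen password normally falls far below it."""
    return len(password) * math.log2(alphabet_size)


def generate_static_password(length: int = 38) -> str:
    """Constructed stand-in for what the token types when its button is pressed:
    uniformly random modhex characters (38 is the assumed configured length)."""
    return "".join(secrets.choice(MODHEX_ALPHABET) for _ in range(length))


def derive_key(password: str, salt: bytes, length: int = 32) -> bytes:
    """Password -> encryption key via scrypt (assumed KDF; any real tool has its own).
    Whether the password was typed by a finger or by a token makes no difference
    here: the same bytes come in, and the same key comes out. This returned value
    is exactly what sits in process memory after decryption and what privileged
    malware on the workstation can read."""
    return hashlib.scrypt(
        password.encode("ascii"),
        salt=salt,
        n=2**14,   # CPU/memory cost (16 MiB with r=8)
        r=8,
        p=1,
        dklen=length,
    )


def compare_passwords() -> dict:
    """Entropy of a 38-char modhex token string versus a 12-char password
    drawn from lowercase letters and digits (36 symbols), both as upper bounds."""
    token_string = generate_static_password(38)
    typed_example = "letmein12345"  # constructed, deliberately memorable
    return {
        "token_modhex_38": entropy_bits(token_string, len(MODHEX_ALPHABET)),
        "typed_lower_digit_12": entropy_bits(typed_example, 36),
    }


if __name__ == "__main__":
    salt = secrets.token_bytes(16)     # stored in clear next to the ciphertext
    pw = generate_static_password()
    print("token emits:", pw, f"({entropy_bits(pw, 16):.0f} bits max)")
    print("key in memory:", derive_key(pw, salt).hex())
    print(compare_passwords())
```

The entropy figures are upper bounds: 38 modhex characters give at most 152 bits, while the memorable 12-character example cannot exceed about 62 bits even if it were random, and real human choices are far weaker. Note that `derive_key` would return the same key for the same salt regardless of how the password was entered, which is the whole reason a key-logger or memory-reading malware defeats both methods equally.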

Not ironclad, but still a good deal.
