LastPass + YubiKey for online and computer security

carlryds · ‎14-10-2013

2016 - View the updated blog post here:
https://community.giffgaff.com/t5/Blog/Securing-your-digital-life-with-LastPass-YubiKey/ba-p/1969943...

Hi Everyone,

Do you use one or two passwords across all your online accounts? Would you like to use a single secure password across all your online accounts, but think it will be hard to keep track off them all? Think again...

What is Lastpass?

LastPass is an online password manager and form filler that makes web browsing easier and more secure. You can store all the usernames and passwords for all the websites your visit and lastpass will remember them for you. LastPass have browser plug-ins for all major browsers, operating systems and Apps for all major mobile devices.

What is a YubiKey?

A YubiKey (made by Yubico) is a strong, two-factor authentication device that creates one-time passwords. The device is so small and robust you can keep it on your keys, I like this as everywhere i go i have a key to my house, a key to my car and a key to my online life.

YubiKey on Keys

This is how a YubiKey is made...

How do they work together?

The YubiKey can be used as a way to login to your LastPass account in-conjunction with your e-mail address and master password, making it impossible for anyone to access your online life without your physical YubiKey.

Set-up a YubiKey to login to LastPass:

Set-up a YubiKey to login to your computer:

Can i trust LastPass?

When your trusting your whole online life to a single company, you have to be sure your can trust them. Here's a video from the TWIT show Security Now with Steve Gibson - the man who coined the term spyware and created the first anti-spyware software - explaining how LastPass security works (Watch out! This gets geeky).

There is also an audio Security Now on YubiKey, you can find that here.

How to Buy:

Lastpass - Access on any computer with all features = FREE

Access via Mobile Apps (iOS, Android, Etc) = $12 (Approx £8) / Year

https://lastpass.com/

YubiKey - White or Black Yubikey ON IT OWN = $25 (Approx £15.60) + Shipping

White or Black Yubikey WITH 1 YEARS LASTPASS included = $33 (Approx £20.60) + Shipping

https://store.yubico.com/

My conclusion:

I have been using LastPass with a YubiKey for about 6 months now and i feel it's made my online life 1000% more secure without making it too cumbersome to access my accounts, even on my mobile devices.

Thanks for reading,

Carl

jvector · ‎14-10-2013

I used to have the same or similar passwords over a range of sites & services... One day someone got into my GMail account and sent spam messages to all my contacts. I moved to LastPass and gave my GMail account a crazily hard password. LastPass has served me very well.

Have not tried the YubiKey approach, that's a bit hard core for me.

wbbuttercup · ‎14-10-2013

Very interesting information, thank you - will have to look at this in more detail.

jeff_elephant · ‎14-10-2013

That's a useful post considering how many people get hacked!

The only issue I can think of is not being able to log into anything because you don't have your physical YubiKey with you!

stealthybigboss · ‎14-10-2013

interesting will give it a try

zoeawesome · ‎14-10-2013

oh wow Carl, this blog is fantastic!

this is something i've never really heard of before reading, the way you structured it was really clear and ive definitely learnt a lot from this blog, thanks for making it, such a interesting subject area too

samwich · ‎14-10-2013

I've often wondered, what happens if the YubiKey gets damaged, how do you get a replacement? P.S. Thanks for the great blog.

seang · ‎14-10-2013

Good blog. Will take a look at them. Thanks.

carlryds · ‎14-10-2013

@jeff_elephant - But that's the point of it You have to decide which is more important to you, security or convience. Like I say in the post put it on your keys and you'll always have it.

@zoeawesome - Thanks Zoe

@samwich - My recommendation is to get two YubiKeys, and set them both up in your LastPass settings. Keep one in a safe with your passport or somewhere safe and then you have a back-up, just in case.

ma2013 · ‎14-10-2013

Very useful and informative blog. Keep them coming. :-)

stephenmiller · ‎14-10-2013

I have no idea what any of my passwords for anything are either, they're al 20 character strings of GHvCDdcVtyVytr563cTRV or something like that, I just use Google Authenticator on my phone for two factor but it's amazing how few services support two factor authentication

One extra thing to mention is that for LastPass make sure that you have a strong master password, prefferably not a dictionary word. Aardvark is not a good master password even though it's a pretty odd word. That'd be cracked in about 5 seconds because it's the first word in the dictionary and a dictionary attack to crack a password does exactly as you'd expect