Tuesday, 14 February 2017

Getting started with a password manager and 2 Factor Authentication (2FA)

BLUF: A password manager offers some potentially useful/essential functionality. It is a technical tool, not a solution, and certainly not a panacea. It is impossible for the user to estimate the risks associated with its use, making comparisons with other approaches difficult. Yubikey U2F as an approach to 2FA has some way to go before it can be considered a usable tool for the individual. There are no particular grounds for believing the necessary progress will be made. More generally, will automation bring us usable security in the near future? Probably not; the forces against it are too big, and there is a pretty complete lack of good tools and guidance that start with the context of use.
I picked Dashlane. Why Dashlane? U2F with Yubikey got high praise from people I respect on security. Dashlane has an edge over its competition in this regard, and it has good reviews for being a usable password manager.
The first interaction with Dashlane is fraught with problems; it asks you to create a strong password. "WTF, I thought that was your job". It does NOT tell you that you are creating your Master Password (capital M capital P). Given that 'creating a strong password' is an extremely difficult thing (and the reason for buying a password manager), and this is the one password to rule them all, there needs to be considerable user support here.
As reported here "It's worth noting, however, that just like any software, password managers are vulnerable to security breaches. In 2011, LastPass experienced a security breach, but users with strong master passwords were not affected."

"The automation's fine when it works" Margareta Lützhöft.
After trying some unimportant passwords, I tried to use Password Changer; it turns out this is a utility that only works with some websites and none of the ones I had tried. For password managers (and 2FA) to work effectively, there needs to be some standardisation in the infrastructure, which is unlikely to happen quickly. To a novice user, "credentials not supported" is a meaningless message.
Once you have passwords generated by Dashlane, there is a sense of complete dependency on the machine. Quite a wrench. The other scary thing is the loss of physical security at the computer; get distracted and the kids are into Amazon, the flatmates are watching your pr0n etc. On a Windows machine, there is no visible status indication of whether Dashlane is active or not. There are settings to simplify logging out, and to adjust the inactivity time before it switches off, but there are contexts of use where it may still be a risk. Logging out regularly and logging in with secure passwords is a feature of working on secure networks, but is probably not a habit most folk have.
There are some quirks. On a finance website where I already had what I thought was a strong password, Dashlane seemed confused and didn't save the password. On a shopping site with a weak password, I went to the 'change password' dialogue on the site. Dashlane didn't offer me the option for it to create a strong password. There is no generic function to generate a strong password on request.
When I put in a wrong password that the site rejects, Dashlane offers to save it. On subsequently entering the right password, Dashlane doesn't re-offer. It does, of course, provide distracting alerts just at a time of anxiety and uncertainty.
Dashlane auto-fill opts to 'stay signed in' on say Ebay, which I don't want.
I went to change my Google password; successfully (I think) got Dashlane to enter a strong password. Dashlane then offered 'replace' and 'save as new' as options, with the latter as default. I took the default option, which was wrong. Why might I want 2 Google passwords for the same account?
Sometimes Dashlane would appear at a PayPal checkout, and sometimes not. Workarounds when it doesn't are a) log in to PayPal separately or b) use the Dashlane control panel to save the password.
There have been some anomalies that might be me or Dashlane.
Dashlane runs in the background when not logged in (using 224MB) and offers to save passwords entered manually. I don't see any risk from this, but I'm not an expert.
Finance sites with customer numbers and arrangements where you enter specified parts of the password seem to defeat Dashlane, not surprisingly.
The assessment of password strength by Dashlane is a black box to the user. My suspicion is that it is aimed at brute force attacks. Changes to a password that don't add much entropy can make a big difference in estimated strength, speaking as a complete beginner.
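To make the "black box" point concrete, here is an added example (my own code, not Dashlane's estimator, whose internals the post cannot see) of the two kinds of strength model a checker might apply. A brute-force model counts length and character classes, so appending one symbol to a password inflates the estimate by many bits; a dictionary model notices that "password1!" is a wordlist entry plus decoration and gives a much smaller number. The wordlist and the guess rate are constructed for illustration.

```python
import math
import string
from typing import Optional, Tuple

# Constructed stand-in for the wordlists a guesser actually uses (real ones hold millions).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dashlane"}


def alphabet_size(pw: str) -> int:
    """Size of the character set a brute-force attacker would have to sweep,
    inferred from which classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    # Anything else (spaces, non-ASCII) counts as its own distinct symbols.
    known = string.ascii_letters + string.digits + string.punctuation
    size += len({c for c in pw if c not in known})
    return size


def brute_force_bits(pw: str) -> float:
    """Entropy under the naive model: log2(alphabet ** length)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def dictionary_bits(pw: str) -> Optional[float]:
    """Entropy if the password is a wordlist entry plus a trailing digit/symbol
    decoration: log2(wordlist size) plus the decoration's own search space.
    Returns None when the dictionary model does not apply."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if core not in COMMON_WORDS:
        return None
    suffix = pw[len(core):]
    return math.log2(len(COMMON_WORDS)) + brute_force_bits(suffix)


def estimate_bits(pw: str) -> Tuple[float, str]:
    """Pick the most pessimistic (i.e. most realistic) model that applies."""
    bf = brute_force_bits(pw)
    dictionary = dictionary_bits(pw)
    if dictionary is not None and dictionary < bf:
        return dictionary, "dictionary"
    return bf, "brute-force"


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to exhaust half the search space at an assumed offline rate
    (1e10/s is a constructed figure for a GPU cracking rig against a fast hash)."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for candidate in ["password1", "password1!", "x7Q!mP2v"]:
        bits, model = estimate_bits(candidate)
        print(f"{candidate!r:14} {bits:5.1f} bits ({model}), "
              f"~{crack_seconds(bits):.2e} s to crack")
```

Run it and the two "password1" variants differ by over twelve bits under the brute-force model but stay in the low teens under the dictionary model, which is the kind of swing the post observed without being able to see why.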
The Dashlane website offers: "Get security alerts sent straight to your device when any of your accounts may be compromised. Update your old password & stop hackers in their tracks." I don't know where they are going to get their data from, but I am not optimistic. It sounds like an invitation to sue them when they miss one.
As regards backups, Dashlane offer this: "If you disabled Sync in Dashlane and would like to back up your data (to be sure not to lose anything in case your computer stops working), we recommend using the Dashlane secure archive format. When using this format, all your Dashlane data are saved into one simple archive file protected by your master password. Keep this file in a safe place (on a USB key or on an external hard drive) and make regular backups. Note that you will have to use Dashlane again to import and restore your data from this file. Keep in mind that Dashlane will always remain free to use, so it should not be a problem!" It is possible to avoid complete machine dependency by exporting and/or printing the passwords and other data stored in Dashlane. Dashlane offer this advice: "Excel and CSV exports are unsecured and it is not a safe way to keep a back-up of your data. We strongly recommend that you delete these exports as soon as you are done with them.... If you prefer to print it to keep a hard copy of your data, you can also export it in Excel or CSV format. Remember to keep this in a safe place!"
Starting to use a password manager after some years of internet use does not produce instant security, but it does provide the means for making steady improvement.

Yubico don't do usability. This Amazon review captures the heart of the matter quite well. This getting started article illustrates the required level of geekiness.
My hopes for Dashlane with Yubikey were dashed.
The video here and accompanying text make it all look so easy and effective. Alas, Dashlane was not telling me very much of the truth - the video is a lie, basically. If Dashlane and Yubikey want my trust, then they need to become trustworthy. To get started with Yubikey as 2FA for Dashlane, you first install an app such as Authy on your phone (this requires SMS 2FA) and then show the Dashlane QR code to the phone and enter the resulting code. All do-able given time, but I had to ask Dashlane support several times to have this explained as it is not on the website. The loss of trust was considerable. The expansion in security related infrastructure was unwelcome and cannot be good. No explanation or rationale was offered. This page assumes that Yubikey is being added to a 2FA app - weird.
Before you start, you need to decide whether to use 2FA only when using your Dashlane account on a new device, or every time you log in. If you change your mind, you have to go through the exercise again. The logic for 2FA on a new device is presumably to counter the risk of someone gaining your Master Password and logging in from somewhere else. The logic for using it every time you log in is less clear. Dashlane say "Use 2-Factor Authentication for maximum protection. 2-Factor authentication is the ultimate security mechanism as it requires you to validate, or authenticate, your identity on a 2nd device before being granted account access." I am not sure in what contexts that matters. I had expected to use it for every password use, to remove the problem of password theft. Not an option as things stand. The pervasive lack of risk-driven information on computer security includes that supplied by Dashlane. Doesn't the computer security community understand how to use risks? Apparently not.
I hadn't expected Yubikey to be a replacement for the little keypads supplied by banks, and sure enough it isn't. I see HSBC is now offering the nightmare of speaker recognition as an option. The reviews of Authy on Play Store were sad to read; lots of folk wanting it to use fingerprints.

In summary, U2F looks like a busted flush and will join PGP as a niche interest. Shame, it could have been a contender. Password managers seem unavoidable as a partial solution, and can be an aid to containing the risks of computer security. Their vulnerability to keylogging is bound to make keylogging a bigger threat; I don't know what we do then to stay one step ahead. For many contexts of use, countering the increased physical risks needs more support than Dashlane provides.
For sites offering Yubikey as a form of 2FA (Google, Facebook), I have not been prompted by Dashlane to add 2FA. I haven't investigated using Yubikey separately from Dashlane as yet. I find it hard to do the risk assessment if I now have an 'unhackable' password.

Update: Dashlane is now using 36% CPU on an i5 laptop and no longer working in Firefox.

