Supergenpass and its Problems

For a very long time I have been using supergenpass as my primary password “manager”. It started as a simple bookmarklet and evolved into browser extensions and mobile apps. Taking a primary password and the domain name, it creates a password unique to the domain. There are a number of problems with this: if the master password gets compromised, all your passwords are compromised even the ones you will only create in the future. The created password is not flexible: some systems have nonsensical and ill-advised limitations on what the password must contain. It’s not easy to change your password every few months if you want to since it’d involve changing the master password. Also, since it’s domain dependent, logging into amazon.ca with your amazon.com password or ba.com with your britishairways.com password is slightly problematic/annoying. One Shall Pass iterates on this idea and adds a “generation” parameter so you can easily change your password but then you need to remember what generation were you using for a site...

And it’s only a password, it’s not a storage, so it can’t help with PIN codes or security questions and answers which is necessary because you should never use real answers to those questions as they are too easy to social engineer. When asked about your childhood address, use something like “That red van down by the river” or something similar but if you want to put in a different one for every site, you need to store your answers.

Other Solutions

Many use solutions like Lastpass, but I find them entirely unacceptable as they are black boxes and you have no control over your own data. In my world view anything interacting with my passwords must be open source. Also, it creates a huge “single point of failure” in your digital life -- if your cloud-based password manager goes down you can’t log into anything. Something like KeePassX or Kwallet is slightly better but there you have another problem: the master password. It obviously needs to be strong, but that means it’s cumbersome to type in all the time so you will have some long timeout between password prompts and then compromising your machine means compromising all your passwords in one go.

Pass and the NEO

I’ve found a program called pass “the standard unix password manager”. In fact, it’s just a friendly wrapper around GPG encoded files (GPG really needs more friendly UIs). One file per domain is the recommended way to organize your files. Pass can copy the first line of the file to the clipboard so it is recommended to put the password there and use the rest of the file for other data. By itself it’s not much stronger than KeePassX or similar: you have the gpg-agent keeping your private key open (much like ssh-agent). But then there is the Yubikey NEO (and the NEO-n) which can store a GPG key. Now you only present your private key when it’s needed for decryption. Also, since the private key can not be exported from the NEO, a simple (easy to remember and enter) PIN is adequate as it is impossible to brute force the PIN as the device will lock after a few tries.

The Worst Case

Even in the worst case where an attacker can execute arbitrary commands on your computer the pass-NEO combo is not defeated immediately: again, the NEO does not support exporting the key so each password file would need to be sent to the NEO for decryption. However, it is only present very briefly -- just when you log in. So it will take time for the attacker to walk away with every password you have and in such a catastrophic event every small hindrance might matter. (The really worst case is a machine compromised in this fashion and then the attacker physically stealing your YubiKey later. Our only advice for this case: try not to cross any three letter agencies.)

The Various Modes of the NEO
One Time Password (OTP)

The NEO can operate in a number of modes: it can provide a one time password (OTP) which is not particularly useful because the server would need to implement the YubiKey API for this to be useful and few websites do.

Universal Two Factor (U2F)

The U2F mode implements an up-and-coming standard which -- as these standards usually do -- won’t be ubiquitous any time soon. Where it is implemented, it prevents both phishing and spear-phishing attacks.

Chip Card Interface Device (CCID)

Finally, it can emulate a smartcard reader and the smartcard both, this is called the CCID mode. It is capable of emulating the removal of the smartcard as well which is very useful for the “worst case” described above. YubiKey calls this the “eject” mode: one touch of the device “inserts” the smartcard, another “ejects” it. It is even capable of triggering an “eject” automatically a few seconds after the “insert”. How long it should wait for the automated eject is configurable.

Setting up Eject Mode
GUI to Read the Warnings

There are no less than three utilities provided for mode switching. The GUI, called neoman is useless for us: it is not capable of switching on eject mode at all. Experimenting with it, however, shows a very useful warning: after switching modes you need to remove the device and plug it back. No other utility shows this warning. For this reason, if you are setting up a NEO-n I recommend using a simple USB extension cord to make it (much) easier to unplug and replug.

ykpersonalize to Set

The ykpersonalize utility can set eject mode and also can set the automated timeout. To do this, run ykpersonalize -m81:12:1 where 81 is the mode for eject, the middle number belongs to a mode we do not use (can not use alongside eject, in fact) and the last 1 means one second automated timeout. Once you’ve run this command, do not forget to unplug and replug. After that, ykpersonalize no longer recognizes the NEO. If you run pscc_scan you will get

Reader 0: Yubico Yubikey NEO CCID 00 00
Card state: Card removed, Exclusive Mode

And touching the device will switch on the LED and make pcsc_scan show the card “inserted” (press Ctrl+C to exit pcsc_scan). After one second the LED switches off and pcsc_scan now reports the card removed. If you do not get these results from pcsc_scan, make sure you have pcscd running.

ykneomngr to Reset

If you want to change the eject timeout then you need to run the third utility provided with the NEO, ykneomgr. Even this won’t be able to read the status of your device, but it will be able to reset to a mode where ykpersonalize can work again. Since this requires the device to be “present” and we set up a very short timeout, it’s recommended to run this in an infinite loop: until ykneomgr -M0 2&> /dev/null ; do sleep 0.1 ; done then touch the NEO. Once reset to mode 0, don’t forget to unplug and replug, and then you can set a different timeout if you want or completely without an automated timeout even with ykpersonalize -m81.

Now that’s sorted, we can turn to creating GPG keys, subkeys and installing them into the NEO/NEO-n. This process I won’t cover because it’s extensively covered elsewhere.

Using it All

After all this setup, the usage is fairly simple:

On Mobile

This combo works with Android as well: the NEO is NFC compatible and there is an Android version of pass which uses OpenKeyChain (the rough equivalent of gpg-agent for Android) to communicate with the NEO.

On Desktop

I’ve written a little script to make my life easier: first it waits for an URL to appear on the clipboard, then it’ll wait for a Yubikey and call pass with the domain extracted from the URL. Since there is an extension for copying URLs from Chrome and I have a NEO-n the login process becomes this: click the URL copy button in the addressbar (or press Ctrl-L Ctrl-C or F6 Ctrl-C), touch the NEO-n, wait for the notification and paste the password. Without this script, the one second auto timeout recommended in the setup section is not viable. Although certainly not as simple as the Supergenpass extension, it’s still pretty easy and incomparably more secure.