2012 now
Rootiest
joined 1 year ago
This is silly, it's much easier to bill their loved ones
Having a recovery process for the YubiKey would really just be a potential security hole.
Ideally you have a backup clone of the key in case yours is lost/broken.
Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.
A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.
Also worth noting that the way KeePassXC handles the HMAC challenge-response is different from how KeeChallenge does it.
In KeeChallenge the HMAC secret is used to encrypt the database, which requires storing the encrypted secret in a separate file.
In KeePassXC the database's seed is used as the challenge and the response is used to encrypt the database.
The benefit to the KeePassXC method is two-fold:
-
It's less vulnerable as the HMAC secret never leaves the YubiKey or get stored in a file.
-
It increases security because the challenge-response changes every time you save the database (changing its seed)
Keepass (and most password managers) are vulnerable to this as well.
Not if you use the browser extension
Plus it does automatically clear the clipboard after a short time which isn't perfect but it's still an improvement over using a text file
cancer of all modern religions
Meh, they're all pretty bad imo
Modern Religion is an oxymoron
If California is anything like Massachusetts then it's a bit more complicated.
Over there several towns and cities have decriminalized and it's on the state ballot much like California, but cannabis dispensaries in those towns and cities are already "gifting" mushroom chocolates and such to customers.
The law says they can't sell it yet but they still manage to get it into the hands of paying customers
Use KeePass.
My concern with using a text file is you have to defrost it to use it and whenever it's not encrypted it's potentially exposed. You are also vulnerable to keyloggers or clipboard captures
KeePass works entirely locally, no cloud. And it's far more secure/functional than a text file.
I personally use KeePass, secured with a master password + YubiKey.
Then I sync the database between devices using SyncThing over a Tailscale network.
KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it's protected.
You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it's useless without the combined password/hardware key.
the ~~spice~~ paperwork must ~~continue to~~ flow
Yes, let the paperwork flow through you, feel it's power
YubiKey works for me, both on desktop with KeePassXC and on Android with KeePassDX to the same DB