91 likes
·
79.6K reads
43 comments
Came for the Harry Potter reference, stayed for the content. Great article ! I use this approach when allocating secrets to users : the secret is a mix of a unique secret in database per user, and a environment secret shared by all users. This way if one of the source is compromised my secrets remains safe.
The "2FA with my head" looks very interesting to me.
On a side note, the risk of using only one Horcrux is that if 2 of your passwords gets compromised, your Horcrux gets slayed by Basilik Venom (because that's an easy catch). Somehow Voldemort was ahead of us in muggles in terms of security with the powerful choice of 7 Horcrux.
Haha, Lord Voldemort was way ahead of his time, even without a time turner! :P
Yeah, the risk of using only one Horcrux exists. I guess one can create as many Horcruxes as their memory permits, but one still beats zero.
This Horcrux password is new to me, so did I get it right, you'll have your password auto-filled by 1password (or whatever) and then typo your addition to it (which was stored in your head)?
I use the following at the moment: 1Password (Master pass only in my head, very long and random) All passwords generated and unique 2FA for all-important apps with G2FA
To me, that seemed pretty solid because even if you'd get my 1Password you couldn't really get into the important part.
Hey Chris
Yeah, you understood it right. The horcrux (stored in your head) is effectively a second factor.
Your password + 2FA usage is pretty secure IMHO. You can probably use a horcrux for websites that don't offer 2FA, or use it as a third factor for websites which do offer 2FA (3FA might seem a bit too much but to each his own I guess :)
Phani Karan Well it's also not adding a factor. 2 passwords is not 2FA. It has to be 2 different factors. A master password for a password manager and a mini-password are still just different version of "what you know" and are just a slightly more complicated single factor.
Very good idea. Best solution for my password management. I am gonna implement it.
Great article i use last pass to store all my passwords. Technology made it to a point where we have so many passwords so its very difficult to remember all those passwords
Thanks Prashanthi! :)
Thanks ranjith Guduru :) I'd suggest you try out BitWarden or any other open source password manager. I liked the UI/UX of BitWarden over LastPass tbh. And there's a simple way to export all your passwords from LastPass to BitWarden.
That is such a good title I had to click :) Great job!
Thanks Szymon :)
This was such a fun read! All I gotta do now is change only every password of mine.
Haha, thanks! Make the passwords long & strong, you must.
May the horcrux be with you :)
Terrific job - well explained for someone not as familiar with password standards. Hope to read more of your posts!
Thank you, Molly :)
So this is great but... I have left a sealed envelope for my wife in case I violate Rule #1 ("No dying!")
I would have to put my horcrux in there, which renders it pretty useless as such.
Thoughts?
I wouldn't say it is totally useless as long as it is sealed and stored in a secure place - your wife's password manager, a physical vault (many people use this to actually store their private keys), or your wife could commit it to memory.
The core idea is to keep adding as many layers of security as possible without inconveniencing you/your wife much.
Multiple levels of security is a good suggestion and a layman can adhere to the new rules of securing personal information. Appreciated for the quick education to the new bees.
Thanks Appaji :)
Phani KaranI use one password for password management, it works great and it also works great with the two-factor authorization for GitHub or any other site which supports 2FA.
Hey Sridhar
The horcrux is effectively a second factor to your password, especially when the website doesn't offer the regular 2FA.
Very well explained.
Thank you, Vaibhav :)
Makes sense, reduces the possibility of the password manager being a single point of failure.
Also today I learned I can use a passphrase in bitwarden :-)
This is cool Phani, I have an add-on technic for it. Use a fixed number like 4 or 5 along with Horcrux.After the password manager fills the password enter left-arrow 4-5 times (the fixed number that you have in mind) and start entering the Horcrux. You need to remember the number+Horcrux. Some of my colleagues were using it, I felt it super cool. Just incase anyone likes it. 2FA is a must these days BTW.
Cool! I have an add on to your add on, instead of pressing the left key 4-5 times before entering the ‘horcrux’ - how about replacing part of the stored password? Eg, the first or last 4 characters?
I had a related idea of how to do encrypted messaging: horcruxencryptedmessaging.jperla.com
For that system, you have to have a system you trust to make a cryptographically secure one time pad. If that software or hardware is compromised your entire system falls down still.
Obviously that's true of any system you write your message on....
Joseph No, if the computer you write the message on isn't attached to the internet, you don't really care that much if it's a bad actor as long as it isn't expected that it has updates that might specifically target your scheme, but if you are going to question the security of the hardware in general, you should also be questioning the security of whatever you are using to generate your pad.
If you do accept things at the algorithmic level but not the client/protocol level, then you can get pretty close to the same by just nesting encryptions of a root key and use something like AES as well.
Mostly I was just pointing out that if you don't trust the cryptographic principles of your own clients, you still have a single point of failure on the cryptographic principles of the offline "magic wand", if you do trust the cryptographic principles of the machine, then you don't need the in-between steps necessarily.
I already mention that the Magic Wand is an offline not internet connected device.
This supports the security attack profile even if the NSA for example has cheated and fixed your cryptosystem.
Joseph But it doesn't fix it. Even if offline, if the NSA has put a pattern in to the CNG of Windows for example and you use the randomness from that machine, they may be able to defeat it and thus defeat your one time pad.
Granted, you might be able to get around this by having multiple systems work together to form the one time pad, all offline.
Please read the website. I already say the hardware should have a good random (ideally hw source) source of randomness.
While it is great advice/suggestion. Here is a catch that should be carefully considered. You can't have too many Horcrux phrases. Using the same one across all websites means that when a website handles your data irresponsibly and is leaked to hackers/unintended-users, then the phrase is ousted immediately and rendered useless (and leaving you under a false sense of security). So Horcruxes need to be used selectively. Not on websites that don't offer 2FA, but on websites/services where you trust them to handle your data responsibly. for example using the same Horcrux for a food delivery app and a banking app is a bad idea. They don't do the same threat modeling and possibly don't look at data privacy and security with the same lense.
This is exactly like salting hashes before storing them in a DB, quite clever.
Except that salting is only intended to make the use of rainbow tables inefficient. It doesn't add a security benefit beyond making it harder to attack an individual password. In this case, it's more accurate to say that in the compromised password DB scenario, this provides a very weak password as a protection against the main password being converted to effectively being a salt.
Unfortunately, that's not likely to do much if someone has both a compromised hash table and your main password and the simple "horcrux" would rapidly be found by brute force hashing given it is short and rememberable.
See arxiv.org/abs/1706.05085 - "Horcrux: A Password Manager for Paranoids".
I'm not seeing what this adds. This is the same thing as putting up 2 passwords and calling it 2FA (which it isn't). Under the vast majority of threat cases I can think of, you are either still screwed because they capture your login at the same time they capture your master password or you are stuck back with the problem of remembering a secure, non-guessable element for every account, which is exactly why password managers exist in the first place.
This is either ineffective, impractical or both depending on the threat you are trying to protect against. It's also trying to solve a problem that was already solved. This is exactly the reasoning behind 2FA/MFA and making sure that access to multiple things is needed.
It would be much better to get a Yubikey or similar and put your HOTP/TOTP secrets in to that so that it is physically isolated from your phone and the internet and thus can't be compromised without direct theft of multiple devices. You get the same advantages without the disadvantages and limitations of hanging your security on two of the same factor.
This is good advice, and in fact I make and sell a line of offline password generator/recall rings, key fobs, bracelets and cards which help to do exactly this: tindie.com/stores/russtopia
The advantage to these is that they are not software which can be hacked like password wallets, being completely offline.
It really isn't good advice though. Having offline generators and rings is a good idea. I suggested using 2FA and a Yubikey for exactly the same reason. Simply adding a bit of complexity to the "what you know" factor doesn't add much security because the means of compromise of one mean the other is also likely compromised, as well as some other problems I mentioned in my own main post.
AJ Henderson As you correctly point out, just having a scheme to create randomness, plus a mentally-remembered 'horcrux' isn't 2FA. It serves only to keep full passwords from residing in one place.
My widgets were specifically created for people who are techno-phobic, who in my experience were resistant to using any sort of software wallet solution -- at least it gets them to stop using the same password or a trivial variant thereof, across all their accounts...
As always, defense-in-depth is important; each measure can serve to incrementally improve security.
R. M. yeah, to be clear, I think your devices are a good idea. My point was mostly that this original post isn't really that useful of an idea. Much better to harden the password storage instead, which is exactly what an offline device does for you.
Okay so I have been using this method of making my own extra word, remembering it and adding it to password for sometime now and its been great. But honestly, I never knew this was "actually" a method that was used to give passwords an additional layer of security until I read this article. What an amazing article !