this post was submitted on 12 Mar 2024

Cybersecurity

5750 readers
388 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

So I've been trying to create more secure passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don't want to mix my personal password manager with my work computer, and I also don't want to remember a complicated 15-character password to log in every day.

That brings me to my question. I've been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow it, and I use it for TOTP on most sites (there's a limit to how many entries fit in the Yubikey 5). You can also store a password in one of its two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different "prefix" for each application? Example: On my banking site I type in "bank" then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don't know the actual password. Of course I store all passwords, including the Yubikey's, in a password manager that's backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?
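
Added example (not from the post or any commenter): a small model of the scheme the post describes, a typed per-site prefix followed by one shared 40-character static password, placed next to a per-site derived password for contrast. It shows what a single leaked password hands an attacker in each case. The base secret, site names, prefix wordlist and the HMAC-derived variant are all constructed here for illustration and are not anything the post uses.

```python
"""Model of 'site prefix + shared static password' versus a per-site derived
password, to show what one leaked password gives an attacker. Added example;
the base secret, site names and prefix wordlist are constructed for illustration."""
import base64
import hashlib
import hmac

# Constructed stand-in for the secret the YubiKey's static-password slot types.
# In the scheme from the post it is identical for every site.
BASE_SECRET = "q7!Vx2#pL9@mZ4^cR8&tW1*nB6%yK3(hJ5)dF0=s"

# Constructed wordlist: prefixes an attacker who knows the scheme would try first.
COMMON_PREFIXES = ["bank", "email", "social", "work", "shop", "git", "cloud"]


def prefix_scheme(site_prefix: str, base: str = BASE_SECRET) -> str:
    """The post's scheme: what gets typed is prefix + shared static password."""
    return site_prefix + base


def derived_scheme(site: str, base: str = BASE_SECRET) -> str:
    """Contrast (not the post's scheme): HMAC-SHA256 of the site name under the
    base secret, so no two sites share a visible substring. 40 base64 chars."""
    tag = hmac.new(base.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:40]


def recover_base_from_leak(leaked: str, prefix_guesses=COMMON_PREFIXES) -> list:
    """Attacker step 1: strip every guessed prefix that matches the leaked
    password; each remainder is a candidate for the shared base secret."""
    return [leaked[len(p):] for p in prefix_guesses if leaked.startswith(p)]


def candidates_for_other_site(leaked: str, prefix_guesses=COMMON_PREFIXES) -> set:
    """Attacker step 2: pair every recovered base with every guessed prefix.
    Against the prefix scheme this set contains the real password of every
    site whose prefix is in the wordlist: a handful of guesses, no brute force."""
    bases = recover_base_from_leak(leaked, prefix_guesses)
    return {p + b for p in prefix_guesses for b in bases}


def common_suffix_len(a: str, b: str) -> int:
    """Trailing characters two passwords share. The prefix scheme shares the
    whole base secret; derived passwords share nothing usable."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


if __name__ == "__main__":
    # A breach of the bank site leaks the full typed password.
    leaked = prefix_scheme("bank")
    guesses = candidates_for_other_site(leaked)
    print("prefix scheme: social password in candidate set:",
          prefix_scheme("social") in guesses, "of", len(guesses), "candidates")
    print("prefix scheme: shared trailing chars:",
          common_suffix_len(prefix_scheme("bank"), prefix_scheme("social")))

    leaked = derived_scheme("bank")
    guesses = candidates_for_other_site(leaked)
    print("derived scheme: social password in candidate set:",
          derived_scheme("social") in guesses, "of", len(guesses), "candidates")
    print("derived scheme: shared trailing chars:",
          common_suffix_len(derived_scheme("bank"), derived_scheme("social")))
```

The point the model makes is that the weakness of the prefix scheme is not entropy (40 random characters is plenty) but correlation: one plaintext leak from any site, plus a short list of obvious prefixes, yields the password for every other site. The derived variant removes that correlation, though it still depends on one base secret. Either way, a YubiKey static slot is plain keyboard emulation, so a keylogger on the host captures whatever it types, and the check that matters is whether a site ever sees a password that reveals the shared part.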

[–] [email protected] 40 points 8 months ago* (last edited 8 months ago) (1 children)

I have responsibility. They require us to change our passwords every 3 months.

I mean, do your best, but honestly temper your understanding of your responsibility here.

You may feel responsible, but your employer DOES NOT.

How do I know? Because it's been the NIST guidelines for like a fucking decade already NOT to use such policies because they are EMPIRICALLY PROVEN to REDUCE security and INCREASE the likelihood of a system compromise.

The fact that you're here trying to "solve" a "problem" that was artificially generated by your employer is exactly the reason it's the case. While you personally are diligently considering how to best "solve" it, everyone else is doing something more hack-y and introducing new attack vectors.

So... Long story short, it's awesome you care. Your employer does not.

[–] Eezyville 7 points 8 months ago (1 children)

I'm sorry. My original post did not convey my intentions adequately. The fact that I have to change my password every 3 months is what sparked my curiosity and the question in my original post. For work I just generate a password using a password manager and store it on a Yubikey that I use for work purposes when I need to update my password. The question in the post is for a personal Yubikey. I started using a generated password on that one and wondered if adding a prefix password to it, changing the prefix for different applications, would be considered secure.

[–] [email protected] 3 points 8 months ago

Lol no, they did reply correctly.