Passwords are something of a weakness in our connected world.
Although I use long passwords, unique to each login, it’s not enough. It’s getting easier and easier to crack passwords, and at some point soon it may become technologically trivial to crack passwords longer than I can easily remember. My limit is around 85 characters, and they’re random in the xkcd sense, not in the mathematical sense.
One solution is to use a password manager, but I’ve always had problems with them. I’m allergic to single points of failure: if I get too close to one, I break out in digital hives. For them to be useful, they have to be portable between systems, which means either USB keys or storage in the cloud. Most people seem to go for cloud storage, over which they have no control. Given the not uncommon disconnect between corporate assurances of good practices and revelations of dreadful practices after everything’s been stolen (although admittedly I’ve not heard such stories about cloud suppliers), I’ve always felt using the cloud risks a third party getting access to the encrypted container and using the computing power of the cloud to break it at their leisure.
So I would prefer a USB based approach. But most USB fobs are not securely protected in any way at all. You might store your password database on a fob, but, in most cases, there’s nothing to stop malicious software on the machine you’re using grabbing a copy for subsequent transmission elsewhere for analysis and cracking.
It’s not that I’m a natural target. I have nothing beyond the kind of thing that most other people have: an identity with an attached overdraft. By using various means of online protection, I believe my online presence is not worth the hassle of cracking. Why should a criminal spend time trying to steal my stuff when there’s so much low hanging fruit out there?
Obviously, sophisticated crackers and state level actors could break into my systems willy–nilly, and there’s nothing I can do about that, but, so what? If the state is into stealing my identity, that’d be bizarre, given they issue it. If it’s another state doing something like that, why me? There’s so much more low hanging fruit out there.
So I’ve no reason to use higher level security devices. But that won’t stop me! They’re interesting! They’re shiny! I’m a computer nerd, and they’re computer toys! Yay!
And that’s why I bought some nitrokey USB keys, to store my passwords and protect my servers.
Mind you, so far, I’ve only opened the packets. The documentation appears to suggest getting them set up correctly risks being quite complex.
I had one immediate disappointment. My terminal runs macos. Nitrokeys don’t support macos login. Windows: yes; linux: yes; macos: no; bsd: maybe. That info’s on their website, incidentally.
Still, they do support secure shell (SSH) login, which is far more important to me. The way my systems support remote access, I have to first log in to SSH before I log in to anything else. Thus, with my configuration, these nitrokeys should still provide the protection I want.
I ordered the four keys, which arrived quickly. They also sent me a computer camera lens cap. Speaking as a photographer, that’s a damned good idea. Obviously, the intention is a little more than stopping dust. It’ll replace the address label I stuck on my terminal a long while ago—I don’t want some over–nosy hacker suing me for the fright she got when she saw my image when I’d just got up at silly o’clock.
I intend to write some more about these nitrokeys when I’ve got them set up to my satisfaction.