# Human brains are wholly inadequate for secrets


![](Human_Brain.png)

<!--

* Passwords can be brute force guessed by an attacker.
* The only thing that helps is length.
  - rules for what characters don't help nearly enough
  - minimum (2010): 12 random characters
* Human-invented passwords are rarely strong.
* Humans can rarely memorise more than a couple strong passwords.
  - never mind typing them correctly
* Attacker gain more raw computing power every year. Human ability to
  remember longer passwords has already reached its limit.

Conclusion: we can't rely on passwords for security.

* Possible solutions: hardware token, password managers.

-->


-----------------------------------------------------------------------------

# What are hardware security tokens?

![Nano](YubiKey-5-Nano.png)

<!--


* A small bit of physically secured computer that can do some
  cryptography operations.
  - can store secrets
  - secrets can't be extracted - modulo bugs
* Typically a USB connected smart card of sort.
* Some kind of button for user interaction.

-->

-----------------------------------------------------------------------------

You should still use passwords. Two-factor authentication is stronger
than one-factor authentication.

Use strong passwords: randomly generated and long. Use password
managers. Use a different password for every site, application, device.

-----------------------------------------------------------------------------

# Why a Yubikey specifically

![Big](YubiKey-4.png)

-----------------------------------------------------------------------------

# Use cases

* web: U2F, WebAuthn

* local: disks, login

* OpenPGP (sign, encrypt)

* SSH: via gpg-agent

-----------------------------------------------------------------------------

# Demo

* Use U2F for 2FA on gitlab.com.

* Store GnuPG subkeys onto Yubikey

* Configure GnuPG to use Yubikey

  - scdaemon

-----------------------------------------------------------------------------

# SEE ALSO

* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide>)
* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
* [`http://web.cs.wpi.edu/~guttman/cs557_website/ papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf)

-----------------------------------------------------------------------------

# Legalese

Copyright 2020 Wikimedia Foundation

This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.

[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/

Images from Injurymap,
<https://www.injurymap.com/free-human-anatomy-illustrations>, and
Yubico.com.




---
title: "Yubikey hardware security tokens"
subtitle: "Lunch and learn"
author: "Lars Wirzenius"
date: "2020-09-28"
...