
LastPass with YubiKey: The ultimate solution to protect your passwords

* This post may have affiliate links. Please see my disclosure 


The digital workplace is rapidly replacing the physical office, and COVID-19 accelerated the shift. According to Statista, about 4.66 billion people were actively using the internet as of October 2020, roughly 59% of the world's population.

According to NordPass research published on Oct 26, 2020, the average person has about 100 passwords to remember. Unsurprisingly, 90% of people struggle to keep their passwords secure and worry that their data and passwords will be compromised (Avast blog, 7 May 2020).

Nobody can claim to have an unguessable password if it is built from personal details: attackers use automated cracking and credential-stuffing tools that try billions of guesses, including names, dates and previously leaked passwords, in minutes. Your ex's name or your wife's birthday is nowhere near a strong password. Among the most commonly used passwords are 'iloveyou' and 'sunshine'.

The question is, how do we choose a password that cannot be guessed and protect our online identity? Don't worry. By the end of this article, you will know everything you need to secure your passwords.

How Can You Choose a Secure Password?

The internet is part of the lives of 4.66 billion people, and according to Lawless Research and TeleSign, 71% of online accounts are protected only by a password. That is why people need a secure and reliable way to manage their passwords.

Cybersecurity experts recommend a strong, unique password for every online account, so that a breach of one site does not expose the others. The best way to get there is to generate each password as a long string of random characters, and above all to avoid words or phrases that are easy to guess.
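As an added illustration (my code, not part of the original post), here is a small Python script that does what the paragraph describes: it draws passwords from the operating system's CSPRNG, computes how much entropy a given length and character set gives, estimates brute-force time at an assumed guess rate, and rejects passwords built around a well-known weak token. The weak-token list is a constructed placeholder for a real breach-derived wordlist.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: the character set the text recommends for a master password.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, illustrative weak-token list; a real checker would use a breach-derived wordlist.
GUESSABLE = {"iloveyou", "sunshine", "password", "qwerty", "123456"}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: on average half the keyspace is searched (guess rate is an assumption)."""
    return (2 ** bits) / guesses_per_second / 2


def has_all_classes(pw: str) -> bool:
    """Lower, upper, digit and symbol all present (the rule the text states for the master password)."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Password drawn with the OS CSPRNG (secrets), resampled until every class is present.
    Rejection sampling keeps the draw uniform over the accepted set; forcing one
    character of each class into chosen positions would not."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def is_guessable(pw: str) -> bool:
    """Reject passwords built around a well-known token, however many digits are bolted on."""
    low = pw.lower()
    return any(tok in low for tok in GUESSABLE)


if __name__ == "__main__":
    weak = entropy_bits(8, 26)       # an 8-letter lowercase name
    strong = entropy_bits(20, 94)    # a 20-character random password
    print(f"8 lowercase letters : {weak:5.1f} bits, ~{crack_seconds(weak):.0f} s at 1e10 guesses/s")
    print(f"20 random characters: {strong:5.1f} bits, ~{crack_seconds(strong) / 3.15e7:.2e} years")
    print("generated:", generate_password())
```

The numbers make the point of the paragraph concrete: an eight-letter name has under 38 bits of entropy and falls in seconds at ten billion guesses per second, while twenty random printable characters give about 131 bits, far beyond any brute-force budget.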


The best way to adhere to password best practices is by using a password manager. I recommend using LastPass due to multiple reasons. Let’s first see what LastPass is, its attributes, and how we can set it up.

What is LastPass?

LastPass is a password manager with a freemium business model. It stores all your online credentials in an encrypted database called the 'Vault.' Whenever you save a username and password in LastPass, it goes into the vault, and when you visit that website again, LastPass fills in the login form for you.

According to the Ponemon Institute, an employee spent an average of 12.6 minutes per week while entering or resetting passwords.


LastPass offers its own web interface, extensions for the major browsers (Google Chrome, Mozilla Firefox, Apple Safari, Opera, and others), and mobile apps.

Main Advantages of Using LastPass

Currently, 25.6 million people and 70,000 businesses use LastPass. The main advantages are:

  • Auto-fills your online credentials (logins and passwords).
  • Simplifies online shopping by storing credit card and online banking information.
  • Generates strong random passwords.
  • Stores other digital records, such as addresses, notes, and security questions.

How Does LastPass Work?

You set up LastPass by installing the browser extension on your PC or laptop, or the Android or iOS app on your phone or tablet. Install the extension, add it to your web browser, and sign up. Be very careful when creating the password you choose at sign-up: this is the 'master password.'


The master password unlocks your vault. It should be at least 12 characters long and use only standard ASCII characters (lower- and upper-case letters, numbers, and symbols).

After you set your master password, start adding items to the vault: logins and passwords for your favorite websites, banking card details, or secret notes. Now let's see what happens on the back end. Your LastPass vault is only as secure as your master password, because when you first sign up, the vault is encrypted with a key derived from that password.


One good thing about LastPass is that it never looks inside your vault. When you log in, your master password is fed through a one-way key-derivation function on your device; the resulting hash, not the password, is sent to LastPass and compared with the hash on file. If they match, the server returns your encrypted vault to your device, and your device decrypts it locally with the key derived from the master password. Only then can LastPass fill in the website you asked for.
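The flow above, as an added worked example in Python (my code, not LastPass's). It uses PBKDF2-SHA256 for the key derivation, which is the function LastPass documents; the iteration count, the stand-in HMAC-based vault cipher (in place of LastPass's AES-256) and the server-side re-hash are my assumptions, chosen so the script runs on the standard library alone. What it demonstrates is that the server receives a hash derived from the vault key but never the key or the master password, and that a wrong password is refused before any ciphertext is returned.

```python
import hashlib
import hmac
import os

# Illustrative iteration count (assumption: LastPass's default has changed over time; use the current one).
ITERATIONS = 100_000


def vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side: the key that encrypts the vault. PBKDF2-SHA256 with the lower-cased e-mail as salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def login_hash(key: bytes, master_password: str) -> bytes:
    """Client side: one further PBKDF2 round over the vault key. Only this value is ever sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


# Stand-in vault cipher (assumption): HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC, with
# separate subkeys. LastPass itself uses AES-256; the point shown is who holds the key, not the cipher.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class VaultServer:
    """What the service stores: a salted server-side re-hash of the login hash, and ciphertext it cannot open."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, stored_hash, encrypted_vault)

    def register(self, email: str, lhash: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", lhash, salt, ITERATIONS)  # never the raw login hash
        self.accounts[email] = (salt, stored, encrypted_vault)

    def login(self, email: str, lhash: bytes):
        salt, stored, blob = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", lhash, salt, ITERATIONS)
        return blob if hmac.compare_digest(candidate, stored) else None


def client_flow(master_password: str, email: str, server: VaultServer):
    """Everything the client does with the master password; only the login hash leaves the device."""
    key = vault_key(master_password, email)
    blob = server.login(email, login_hash(key, master_password))
    return None if blob is None else decrypt_vault(key, blob)


def demo():
    email, master = "user@example.com", "correct horse battery staple"
    secret = b"site: example.com / pw: hunter2"   # constructed vault content
    srv = VaultServer()
    key = vault_key(master, email)
    srv.register(email, login_hash(key, master), encrypt_vault(key, secret))
    return {
        "recovered": client_flow(master, email, srv),          # right password: vault decrypts locally
        "wrong_password": client_flow("wrong", email, srv),    # server refuses; no ciphertext returned
        "server_holds_vault_key": key in srv.accounts[email],  # the vault key is not among stored values
        "hash_differs_from_key": login_hash(key, master) != key,
    }
```

The split is what limited the damage in the breach discussed below: what a server-side attacker can steal is the salted hash and the ciphertext, both of which still have to be brute-forced through the iterated derivation. That is also why the iteration count and the strength of the master password matter even though the server never sees the password.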

LastPass Security Vulnerabilities

What if LastPass gets hacked? In July 2015, attackers broke into LastPass servers. Nothing in the digital world is 100% secure; you can only make an attack as hard as possible. What LastPass disclosed as taken were account email addresses, password reminders, per-user salts and authentication hashes, not the vaults themselves, and because LastPass intentionally never stores master passwords on its servers, the attackers had nothing that unlocked a vault directly. The caveat is that stolen hashes and salts can be attacked offline, so the strength of your master password still matters.


That raises the question of how to protect the master password itself. The usual recommendation is two-factor authentication (2FA), also called two-step verification or dual-factor authentication: a second proof of identity on top of the password, adding a layer of security to sensitive or personal data.

When you log in to a site with 2FA enabled, a temporary security code is sent to your registered phone number, and you must enter that code to get in. The first factor is your login credential (here, your master password); the second is the code sent to your mobile. Together they make up 2FA.

While 2FA improves security, SMS codes have serious drawbacks. If your phone is lost, stolen, or compromised, or an attacker talks your carrier into moving your number to their SIM, they can receive your security code and use it to get into your LastPass account. It is worse still if they already have your laptop or know your credentials. A code also offers no protection against a phishing page: it is not tied to the site it is meant for, so an attacker who captures it simply forwards it to the real login within the time window.

Is there a better solution? Keep reading. The answer is hardware-based protection of your password manager: you can use a YubiKey with LastPass.

Using LastPass With YubiKey: Adding Extra Security Layer to Your Online Credentials



We already know how LastPass secures and autofills our credentials. To close the gaps described above, we add a hardware authentication device: the YubiKey.

What is YubiKey?

YubiKey is a hardware authentication device (a security key) that strengthens your online logins by adding a second factor whose secrets live in tamper-resistant hardware.


The device is manufactured by Yubico and is small enough to live on a keyring. It implements the U2F (Universal 2nd Factor) and FIDO2 (Fast IDentity Online) protocols to protect your accounts, and also supports one-time passwords (OTP), OpenPGP, and PIV smart card authentication. Yubico's keys are battery-free and water-resistant.

A single YubiKey can be registered with many accounts. You plug it into a USB port and touch its button, or, on NFC-capable models, tap it against your phone. When you log in, the browser or application presents the key with a challenge; the key signs it with a private key that never leaves the device, proving that you, the holder of the key, are the one trying to access your email or other sensitive data.

Because the key signs the challenge together with the origin (the URL) of the page that requested it, a bot or a phishing site that copies your login page cannot use the response: the real site sees the wrong origin and rejects it. This is what gives YubiKey its resistance to phishing and man-in-the-middle attacks.
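The origin-bound challenge-response described above, as an added example in Python (my code, not Yubico's or LastPass's). Because the standard library has no ECDSA, a per-site HMAC secret stands in for the key's private key and signature; the one-shot random challenge, the browser-supplied origin and the relying party's checks are modeled as in U2F/WebAuthn. The hostnames and user name are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import secrets


class SecurityKey:
    """Stand-in for the YubiKey (assumption). A real key keeps a per-site private key and returns an
    ECDSA signature; here a per-site HMAC secret derived from a master secret stands in, so the demo
    runs on the standard library. The property shown, binding of the response to the origin, is the same."""

    def __init__(self):
        self._master = os.urandom(32)  # never leaves the device

    def _site_key(self, rp_id: str) -> bytes:
        # One credential per relying party, like a U2F key handle: the credential enrolled for
        # lastpass.com is not the one used for any other host.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._site_key(rp_id)  # stands in for the public key the site stores at enrollment

    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        return hmac.new(self._site_key(rp_id), client_data, hashlib.sha256).digest()


class Browser:
    """The browser, not the web page, writes the origin it is really connected to into the signed data."""

    def __init__(self, key: SecurityKey):
        self.key = key

    def authenticate(self, origin: str, challenge: str):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        rp_id = origin.split("://", 1)[1]
        return client_data, self.key.sign(rp_id, client_data)


class RelyingParty:
    """The real site: stores the enrolled credential and a one-shot random challenge per login attempt."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.credentials = {}
        self.pending = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        self.credentials[user] = key.register(self.rp_id)

    def begin_login(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user: str, client_data: bytes, signature: bytes) -> bool:
        expected = self.pending.pop(user, None)  # single use: a replayed response has no challenge to match
        try:
            cd = json.loads(client_data)
        except ValueError:
            return False
        if expected is None or cd.get("challenge") != expected:
            return False
        if cd.get("origin") != self.origin:  # the phishing check: wrong site name inside the signed data
            return False
        good = hmac.new(self.credentials[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(good, signature)


REAL = "https://lastpass.com"
PHISH = "https://lastpass-login.example"  # constructed attacker host


def scenarios():
    key = SecurityKey()
    browser = Browser(key)
    site = RelyingParty(REAL)
    site.enroll("alice", key)

    # 1. Honest login on the real site.
    ch = site.begin_login("alice")
    cd, sig = browser.authenticate(REAL, ch)
    honest = site.finish_login("alice", cd, sig)

    # 2. Replay of the same signed response: the challenge has already been consumed.
    replay = site.finish_login("alice", cd, sig)

    # 3. Real-time phishing: the attacker fetches a fresh challenge from the real site and relays it to
    #    the victim, whose browser signs it, but with the attacker's origin and the attacker's site key.
    ch = site.begin_login("alice")
    cd, sig = browser.authenticate(PHISH, ch)
    phished = site.finish_login("alice", cd, sig)

    # 4. The attacker rewrites the origin field to the real one before forwarding: the signature
    #    was computed over the original bytes, so it no longer verifies.
    ch = site.begin_login("alice")
    cd, sig = browser.authenticate(PHISH, ch)
    edited = json.dumps({**json.loads(cd), "origin": REAL}, sort_keys=True).encode()
    forged = site.finish_login("alice", edited, sig)

    return {"honest": honest, "replay": replay, "phished": phished, "forged": forged}
```

Contrast this with the SMS or app code of the previous section, which carries no origin and no challenge, so the same relay in scenario 3 succeeds. One caveat on the stand-in: with HMAC the site holds the same secret as the key, so a breached site database could forge responses; a real U2F/FIDO2 key signs with an asymmetric key, and the site stores only the public half.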

Main Advantages of Using YubiKey

  • Supports OTP and public-key authentication (U2F, FIDO2, PIV, OpenPGP).
  • Can store a static password for sites that do not support a unique second factor.
  • Yubico reports that logging in with a touch is up to four times faster than typing a 2FA code.
  • Its private keys never leave the device, and it needs no battery, network connection, or driver software.
  • Excellent user support.

How to Setup LastPass and YubiKey

Setting up a YubiKey with LastPass is very easy and straightforward. All you have to do is follow the steps below:

Select Multi-factor Option on LastPass

First, you need a LastPass Premium account, since YubiKey is a Premium multifactor option. Log in to LastPass with your master password, choose "Open My Vault," click "Account Settings," and go to the multifactor options tab.



Connect Your YubiKey Device

Insert your YubiKey security key into the device’s USB port. Your device will recognize it if it is plugged in properly.


Grant Access to YubiKey

After connecting the key, a pop-up will appear. Grant access to the YubiKey by clicking Yes.

Register Your YubiKey

After granting access, select the "YubiKey #1" line, click in its field, and press the button on the key. The key types a one-time password into the field, which appears as a row of dots.


Update Your LastPass

The last step is to click Update and confirm the change by entering your master password.


Congratulations! By following all the steps, you have successfully set up YubiKey with LastPass. You can also see the status on the LastPass dashboard.
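The dots you saw during registration are the 44-character Yubico OTP that the key types when you touch it. As an added example (my code, not LastPass's or Yubico's), this Python script decodes Yubico's ModHex alphabet, splits an OTP into its fixed 12-character public ID and its 32-character per-press token, and applies the checks a relying party can perform on its own: that the OTP comes from the key enrolled on the account and that it has not been seen before. The token is AES-128-encrypted with a key known only to the YubiKey and the validation server, so its contents are not decrypted here; the sample OTPs are constructed strings, not real key output.

```python
MODHEX = "cbdefghijklnrtuv"  # Yubico's ModHex alphabet: keyboard-layout-independent hex (c=0 ... v=15)


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not ModHex")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def parse_otp(otp: str) -> dict:
    """Split a Yubico OTP into its fixed public ID (6 bytes) and its encrypted per-press token (16 bytes)."""
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 ModHex characters")
    public_id, token = otp[:12], otp[12:]
    return {"public_id": public_id, "public_id_bytes": modhex_decode(public_id), "token": modhex_decode(token)}


class OtpGate:
    """The checks a relying party can run itself, around the call to the validation server
    (which alone holds the AES key and verifies the counters inside the token)."""

    def __init__(self, enrolled_public_id: str):
        self.enrolled = enrolled_public_id
        self.seen = set()

    def accept(self, otp: str):
        try:
            parsed = parse_otp(otp)
        except ValueError as exc:
            return False, str(exc)
        if parsed["public_id"] != self.enrolled:
            return False, "OTP comes from a key that is not enrolled on this account"
        if parsed["token"] in self.seen:
            return False, "replayed OTP"
        # The real system submits the OTP to the validation server here and continues only on OK.
        self.seen.add(parsed["token"])
        return True, "accepted"


# Constructed sample OTPs: two presses of the same key (same public ID, different token) and one from another key.
OTP_A = "ccccccbcgujh" + "lngikvrhkufhjftlegtudgfhnvdtjgbr"
OTP_B = "ccccccbcgujh" + "tekvhlrfjgnbdiurnhgfkltvcjbdheug"
OTP_OTHER = "cccccclkdtnu" + "lngikvrhkufhjftlegtudgfhnvdtjgbr"


def demo():
    gate = OtpGate("ccccccbcgujh")
    return [gate.accept(OTP_A)[0],      # first press: accepted
            gate.accept(OTP_A)[0],      # same string again: replay, rejected
            gate.accept(OTP_B)[0],      # next press: accepted
            gate.accept(OTP_OTHER)[0]]  # another key's OTP: rejected


if __name__ == "__main__":
    p = parse_otp(OTP_A)
    print("public ID", p["public_id"], "=", p["public_id_bytes"].hex(), "| token", p["token"].hex())
    print(demo())
```

Note what the gate cannot check: where the OTP was typed. Unlike the U2F response above, an OTP carries no origin, so the replay check only helps after the legitimate login; a phishing page that relays a fresh OTP within its validity window is not caught by these checks.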


LastPass and YubiKey Security Scheme Vulnerability

With YubiKey protecting your LastPass login, what if the physical key is lost or stolen? What happens to your digital credentials? The key is useless to whoever finds it: it holds neither your master password nor your vault, and its secrets cannot be extracted. What you must do is remove the lost key from your multifactor settings and register a replacement; the sensible approach is to enroll a second key as a spare from the start.

An attacker would need your master password and your key at the same time, or an unlocked device on which you are already logged in. One caveat: the setup above registers the one-time password the key types (the dots you saw), not a U2F credential. A one-time password is not bound to the site it is entered on, so a phishing page that relays it within its validity window can still get through; the origin-bound phishing resistance described earlier applies to U2F/FIDO2 logins.

Final thoughts 

There are many 2FA products and devices, and the right one is up to you. For the reasons discussed above, I recommend Yubico's hardware security key, the YubiKey.

Of course, no technology today can claim perfectly unbreakable security. Still, in my opinion, physical security keys beat software-based 2FA in many ways, because they remove whole classes of attack. The key needs no battery and no network connection of its own. Suppose you are traveling overseas or somewhere without mobile signal, so you cannot receive SMS codes, or your phone's battery is dead and your authenticator app is out of reach. In situations like these, a physical security key like the YubiKey comes in very handy.

Therefore, securing LastPass with a YubiKey is the ultimate solution for protecting your passwords. I use it myself and recommend the same setup to anyone who asks me for a better way to protect their passwords. I hope you learned something from this article. Let me know in the comments if you have other solutions or additional comments; I would love to hear other perspectives from my readers.

Recommended read:

What is OpenDNS? Why should I use it, and how to set it up?


Juana Melo

I'm a self-taught security network engineer and blogger, sharing everything I'm learning along the way.
