[Cryptography] Low-tech password safe was: Passwords (Smallest feasible work factor today?
crypto at senderek.ie
Mon Oct 3 12:11:17 EDT 2022
On Mon, 3 Oct 2022, Natanael wrote:
> Den fre 16 sep. 2022 kl 21:42 skrev Ralf Senderek <crypto at senderek.ie>:
> It might as well mean that we need to add an external device to the
> mix to ensure that manual actions on such a device are necessary to
> enable the use of stored passwords. So I'd like to ask people on
> the list who might have experience of using external security devices
> (like for example the yubikey, or similar) to share their experience
> in order to integrate this into the best electronic password safe
> Some banks have also started switching to security tokens with a built-in
> camera for when you want to log in without a smartphone app;
> The top device scans a QR code and shows you what you're approving. The message is encrypted so the browser doesn't
> know what it says, and the device has to generate an appropriate one-time response code for you to enter.
The problem I have with such one-time response codes is that in order to create
such one-time responses an AES session key must be stored both on the
user's device and on the provider's server. Instead, I am looking for a
solution where secrets only reside on the user's device, preferably
not accessible by the malware running in the user's ID on the main
I have been experimenting lately with RSA private keys generated on a
Yubikey, which will never leave the Yubikey. But so far I am unable to
encrypt a password with "openssl rsautl" and decrypt it on the Yubikey.
If anyone out there has a solution for that I'd be all ears to hear it.
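
The software side of the workflow discussed in this message, as an added example that is not part of the original post or of any project's code: a password is encrypted to an RSA public key and decrypted with the matching private key. It assumes a file-based private key as a stand-in for the key held on the hardware token (no token commands are shown), uses `openssl pkeyutl` because OpenSSL 3.0 deprecates `rsautl`, and the function names and `WORK` directory are hypothetical.

```shell
#!/bin/sh
# Added example: software-only round trip. The file-based private key is an
# assumption standing in for a key that would stay on the hardware token.
set -u

WORK=$(mktemp -d)

make_keypair() {
    # On a token, key generation happens on the device and only the
    # public half (pub.pem here) is exported to the host.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

encrypt_password() {   # $1 = password, $2 = padding mode (oaep | pkcs1)
    printf '%s' "$1" > "$WORK/pw.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:"$2" \
        -in "$WORK/pw.txt" -out "$WORK/pw.enc"
    rm -f "$WORK/pw.txt"   # keep only the ciphertext on disk
}

decrypt_password() {   # $1 = padding mode; prints plaintext, non-zero on failure
    # The padding mode must be the one used at encryption time; the
    # decrypting side cannot recover the plaintext under a different mode.
    openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
        -pkeyopt rsa_padding_mode:"$1" -in "$WORK/pw.enc" 2>/dev/null
}

ciphertext_size() { wc -c < "$WORK/pw.enc" | tr -d ' '; }

# Demonstration with a constructed sample password.
make_keypair
encrypt_password 'constructed-sample-password' oaep
echo "ciphertext bytes: $(ciphertext_size)"
echo "decrypted: $(decrypt_password oaep)"
```

Only `pub.pem` is needed to store a new password; everything that touches `priv.pem` is the part that would run on the token.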