I talked about how passwords suck in Part 1. I found a solution that I can work with going forward, but there was a lot of preparation work that I needed to do. The solution is a piece of hardware called a Yubikey, and the prep work I needed to do was to clean up my e-mail and close all the online accounts, websites, and newsletters I no longer use or really care to engage with further.
Introducing the Yubikey. Think of it as a bridge between the concept of physical keys and the world of passwords and online security. The Yubikey is one of the most prominent examples of a "hardware security key".
At the moment, it is strictly used as a secondary method of logging into most websites, otherwise known as a "secondary factor" or "two-factor authentication (2FA)". Normally, you log in with a password; then, when the app or website asks you for your security key, you plug it into your computer and touch the circular contact with your finger. This will log you in.
This makes hacking into your account significantly harder, and if your login information is compromised in a data breach, anyone who tries to use that information to get into your account is thwarted at the login screen.
"OK, but you started out with telling us that passwords suck and that you found a way to work without passwords?!" I hear you ask. This is where the second part comes in. I use a password manager to keep records of my passwords, and it is protected by my Yubikey. I cannot open the password manager and gain access to my passwords without it. The password manager I use is called QtPass. The idea is to set up the Yubikey to also act as a master key for the password manager. The password manager then relies on it for all its features, such as generating passwords for you and keeping them safe and secure.
All one has to do is to plug in and touch the Yubikey to deal with passwords automatically and to log into websites. To log into a site or service, when you are prompted to log in, you just have to open the password manager, and copy the password in. If you turned on extra security for a site with 2FA, then touch the Yubikey to provide that.
As hardware keys like the Yubikey become more common, we will see more and more websites and services require only that key to be present to log in, so over time, the password manager will be needed less and less. For now, this is the system I am using to minimize the headache of passwords to the point where I do not need to remember them or write them down somewhere.
In the next article, I will demonstrate the setup and use of my password system and conclude this series.