Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The justification is absolute rubbish. I The argument is that it reduces attack surface, but compared to what, the alternative to including the yubikey code is not using a yubikey, which reduces security. The alternative to using the browser integration (or the ssh agent) is to use the clipboard, which is likely more code and definitely less vetted code.

By the same argument we should remove encryption as well, because it increases the amount of code and thus the attack surface.



>the alternative to including the yubikey code is not using a yubikey, which reduces security.

The physics of someone cracking my passphrase and the physics of someone cracking my Yubikey are both in the boil the oceans amount of energy.

I'm fine not letting a usb device masquerading as a keyboard have access to my password database.

Remember: "When you lose your YubiKey or someone else gets access to it, your database is not secure anymore."


> When you lose your YubiKey or someone else gets access to it, your database is not secure anymore.

You don't store your password on the YubiKey, you use it as a second factor in addition to your password.

Do you know what a YubiKey is when you argue against it?


You can add different kinds of authentication to your password safe. I use a password and a key file. You can use just the Yubikey just like you can also have no encryption applied to the password safe.


What is the physics of someone sniffing your passphrase with a keylogger?


The same as someone sniffing the Yubikey communications.


except yubikey communications are not static, so unlike password, sniffing it doesn't allow attacker to open all future versions of the db




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: