by vifon
1202 days ago
> I don’t see any use case or security benefits by using the static password feature. Even if you enter a password manually and concatenate it with the password of the Yubikey, a keylogger still gets both parts (assumption: You don’t reuse passwords).

If keylogger is what you're defending from, yes, it doesn't help. And in this scenario you've probably already lost.

On the other hand, it makes a large portion of the password immune to video-recording you typing the password in. Yes, it's technically trivial to then steal your Yubikey, extract the static password and combine it with the recorded one, but these are still quite some extra steps.

My point is, if a particular service or application doesn't support anything more refined, using a static password as a pepper[0] is perfectly fine and still an improvement over not doing so.

[0] https://en.wikipedia.org/wiki/Pepper_(cryptography)
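The threat model in the comment above, as an added example that is not part of the original thread: the login form receives a memorized prefix followed by the key's static password, so someone who only filmed the keyboard has to brute-force the static part. The alphabet, the 38-character length and the PBKDF2 parameters are illustrative assumptions, not the YubiKey's or any service's actual settings.

```python
import hashlib
import hmac
import itertools
import math
import os
import secrets
import string

# Alphabet and length assumed for the device-held static part. These are
# illustrative assumptions, not the YubiKey's real generator settings.
STATIC_ALPHABET = string.ascii_letters + string.digits
STATIC_LENGTH = 38
KDF_ITERATIONS = 100_000


def generate_static(length=STATIC_LENGTH, alphabet=STATIC_ALPHABET):
    """Simulate provisioning a random static password into the key."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def combine(memorized, static):
    """What the login form receives: the typed part, then the key's part.

    The only part exposed to someone filming the keyboard is `memorized`."""
    return memorized + static


def enroll(full_password):
    """Server side: hash the combined password with a random per-user salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record, candidate):
    """Constant-time comparison of the candidate against the stored digest."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def withheld_bits(static_length=STATIC_LENGTH, alphabet=STATIC_ALPHABET):
    """Entropy (in bits) of the part the camera never sees."""
    return static_length * math.log2(len(alphabet))


def recover_from_observation(record, observed, static_length, alphabet, budget):
    """Attacker model from the comment: the memorized part was recorded,
    the key was not stolen, so the static part must be guessed.

    Returns the recovered static part, or None once `budget` guesses are spent."""
    for n, guess in enumerate(itertools.product(alphabet, repeat=static_length)):
        if n >= budget:
            return None
        static = "".join(guess)
        if verify(record, combine(observed, static)):
            return static
    return None


if __name__ == "__main__":
    static = generate_static()
    record = enroll(combine("hunter2", static))  # "hunter2" is a constructed sample
    print("combined password verifies:", verify(record, combine("hunter2", static)))
    print("typed part alone verifies:", verify(record, "hunter2"))
    print(f"bits withheld from the camera: {withheld_bits():.0f}")
```

With a 62-character alphabet and 38 characters the withheld part is roughly 226 bits, so the recorded prefix alone is useless; the same brute-force function does succeed in the toy two-character space, which is the point the comment makes about the key itself being the remaining target.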
I use Apple's Advanced Data Protection product. This product gives you a 64-character code you must know. I am probably not capable of committing this code to memory.
I wish I could tell my Yubikey this code, and it would save it.
---
Now, as a US citizen, it is very hard for the government to compel me to disclose a password or a pin code. If the static password feature required a simple password (say 6 characters), with reasonable brute force prevention, it'd make it so that I have a way to protect myself. On the other hand, if it is not pin protected, there is nothing preventing the government from getting a search warrant for the Yubikey itself and using that.