IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

Pwned

Yubico 5C NFC USB-C Hardware Two Factor Security Key etc

by

I have been using Yubico YubiKeys since 2018. I have blogged a bit about them before:

At first, I used my YubiKeys to secure Mac OSX, websites I used then services like 1Password, Dropbox, Twitter. Google Mail, Github, WordPress. Now I have over 80 websites and servers protected with my YubiKeys.

I also used my YubiKeys to secure servers I setup (protecting Command-line SSH Sessions).

Security Basics

Before I begin showing the YubiKey 5C NFC device I would like to explain a bit about…

  • a) Strong Passwords, Not Reusing Passwords
  • b) Hacked Websites and Data Breaches

(Apologies for click-baiting and not showing the YubiKey 5C NFC right away but I love Security)

a) Secure Passwords, Not Reusing Passwords

Hackers trying to obtain your login and password could use Brute Force Attacks, Dictionary Attacks and other ways to try and break into your accounts.

If you have not heard of or used http://howsecureismypassword.net/ head over there now and enter your password (or enter a part of your password if you do not trust them).

Enter your password into howsecureismypassword.net

I entered an old password I used a lot in 1990’s and https://howsecureismypassword.net/ said it a computer will take 1 day to guess/generate my password.

https://howsecureismypassword.net/ 1 day to guess my password

I entered a more complex password generated in my password manager (1Passwsord) and now it will take 68 quattuorvigintillion years for a computer to guess/generate my password.

68 quattuorvigintillion years to gues my password

That sounds good but it is not, computers are getting faster and websites can still be hacked directly (bypassing complex passwords). When a website is hacked data is sold far and wide in minutes.  Anyone who obtains or buys hacked usernames and passwords will try and use those credentials on as many sites as possible.

TIP: Do not use the same password across different websites, if one site is hacked an attackers will know your password on other sites. Even if the hacked website used encryption to hash your password before storing it hackers can use Rainbow Tables to know the real password to speed up obtaining your password.

b) Hacked websites and Data Breaches

How do you know what sites have been hacked?

Enter https://haveibeenpwned.com/

Go to https://haveibeenpwned.com/ and enter your emails address and click “Pwned?” to see if your email has been obtained in past known data breaches. You can also check your password too.

https://haveibeenpwned.com/ at (great expense and complexity) indexes hacked data (called pastes) from known website breaches in as little as 40 seconds of the information appearing online. Hacked data from websites are published online to validate the hacker’s valuable data (in order to sell it) or to show a hackers achievement.

https://haveibeenpwned.com/ is a safe site run by https://www.troyhunt.com/ and is an industry-standard for sharing information about hacked websites in order to protect exposed in those hacks.

I entered my email address into https://haveibeenpwned.com/ 

Enter you email address into https://haveibeenpwned.com/

My email address has been found in multiple hacks

Enter you Email.

A full list of hacked websites with my email and password is displayed.

List of hacked websitres

When sites I was using were hackled only 1% of the sites bothered to notify me. You could have been hacked in the past and you may not be aware of it.

Subscribing to be notified when your emails(s) are seen in pasted in highly recommended (and it’s free).

Notify Me Form

fyi: Awesome Security Now Podcats

If you want to stay up to date with online security and the never-ending race for security check out the free Security Now Podcast that has been running from 2005 to 2020.  Steve and Leo do a great job ant breaking down very very very complex security topics for non-tech geeks every week.

Password Manager + YubiKey

You are still reading, good.  I know this is bad news but you need to know this stuff.

So I hear you say how can I generate (different passwords per site) and store those passwords securely?  This sounds like a plug (it’s not) but I use 1Password password manager.

1Password is an awesome password manager I use to generate and store secure passwords and best of all it only costs $2.99 USD a month (or $39.47 AUD paid annually). Here is a 3-year-old post of mine showing an older version of 1Password. I like 1Password because it’s super secure, integrates with YubiKeys and https://haveibeenpwned.com/ and works well on Windows, MacOS, iOS and Android.

1Password integrates with HaveIBeenPwned and 1Password 🙂

1Password is the right price for me and for the features it provides.

1password pricing page

1Password allows you to generate strong passwords.

1Password Password generator

fyi: Here is a list of all password managers (some free) at Wikipedia.

Of you can use https://www.grc.com/passwords.htm to generate really strong passwords manually.

Why Use YubiKeys

If you use a really simple password, reuse a password (I know you do) or you know a site will be hacked one day a YubiKey can be a physical thing you have that a hacker does not have.

Think of the YubiKey as a physical password that hackers cannot steal.

Well, you can be mugged and your YubiKey could be stolen but will they have your email and password that is needed with the key to log in to a site?

My YubiKey’s

My 3 YubiKeys

My YubiKey 4 NEO (on the right) has been used about 5,000 times and it is still going strong.

YubiKey 5Ci (for Mobile)

If you need a YubiKey with a Lighting and USB C plug (without NFC) check out this review.

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Why use NFC?

Why is NFC so good? The USB Standard only allows for 10,000 inserts and removals before the pins wear out. The Wireless nature of NFC has no impact on lifespan.

YubiKey 5C NFC

On the left, you can see my YubiKey 5C NFC compared to the YubiKey 5Ci (in the centre) and the YubiKey 4 NEO (on the right).

My YubiKeys

YubiCo YubiKey 5C NFC Welcome Video

The YubiKey 5C NFC has a USB C plug and NFC. For me, this is the perfect key.

The YubiKey has a selection of covers that (for all keys) that you can stick onto the keys to stylize them and tell the difference between when you have multiple keys.

YubiStyle Covers.

I went with a Polka Rainbow Cover

Cover Applied

My cover application was not a perfect application by me but it’s Wabi-Sabi enough for me.

YubiKey with Cover on

YubiKey Authenticator

When you use a YubiKey on a site that supports them you will either be prompted to Insert and Tap they key after the traditional login process

Insert YubiKey

Or enter a 6 digit code that is randomly generated in the Authenticator App (and valid for 30 seconds).  To obtain this code you will need to install the YubiCo Authenticator for Windows, MacOS or Mobile (iOS or Android)

Download the Free Authenticator App here: https://www.yubico.com/products/services-software/download/yubico-authenticator/

Inserting or Tapping the key will display the linked sites and 6 digit codes.

YubiKey OTP Diagram
Image credit: https://developers.yubico.com/yubioath-desktop/

I have many websites OTP’s stored in my Keys 🙂

My OTP Passwords

How to use the YubiCo Authenticator App Video on the YubiCo YouTube channel

How to find sites that use 2FA/MFA

Head on over to https://twofactorauth.org/.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

For example, you can search for (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

Searched fore Play

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service. Go with the most secure provider.

List of sites thta use 2FA

Common Site 2FA Instruction Pages

Here is a list of common social media sites and their instruction pages for enabling 2FA

 

Using the Yubico 5C NFC on a Computer with no USB C Plug?

My Windows 10 PC has a USB C Plus but its on the rear of my PC.

USB C at the rear of the PC

It is a pain plugging my key into the USB C plug at the back of my PC so I ordered a $5 USB 3 to USB C adapter so I can plug this into the front of my PC

USB to USB C Adapter

I have an 8 way USB 3 (externally powered) USB Hub under my monitor to easily connect my many dongles and USB devices into.

The YubiKey 5C NFC sits high in the adapter but it allows me to use it easily on my PC when needed and more importantly I can use the USB C plug on my phone without an adapter.

USB Hub

USB (standard Plug, Lightning or USB C YubiKey have you covered.

https://www.yubico.com/store/

Risks of Hardware 2FA

If you damage or lose a YubiKey you could be locked out of a website or service. When possible I use multiple YubiKeys so you have a backup device to login with.

Multiple YubiKeys

I can add multiple YubiKeys to Dropbox

add key to dropbox

Sites will also provide a list of recovery codes you can use in case you lose your YubiKey’s. Save these codes in a safe place (you will only be given them once)

Dropbox Recovery Codes

1Password is great for storing backup codes.

Purchasing a Yubikey 5C NFC

You can buy YubiKey’s from…

Conclusion

My new YubiKey 5C NFC is sitting proudly in my YubiKey collection. I use One key for work, one key for Home (PC Use) and one key for Mobile use.

YubiKeys on my Keychain

YubiKey 5C NFC Pros

  • NFC (I use this a lot on mobile and at work on NFC printers for authentication)
  • No batteries required
  • Durable
  • Multiple usage modes (6 digit codes or insert and press)
  • Works well on my Android Phone with USB-C Plug
  • Physical security to back up my online credentials

YubiKey 5C NFC Cons

  • You need to opt-in on sites to use it (not really a con)
  • You need a PC with USB C plug to easily access the YubiKey 5C NFC.

The YubiKey 5C NFC comes at a time when “Human Malware” related phishing attacks continue to surge. I have thousands of hack attempts on my website and email daily so I know I need to stay a step ahead of hackers.

I know companies who were hacked, could not care less if my username and password were breached.

YubiCo YubiKeys allow me to feel safer online

Links

v1.0 : Initial Draft

PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API

by

Developed by Simon Fearby https://www.fearby.com to allow PHP developers to integrate haveibeenpwned exposed password checks into their websites sign up’s (or logins). Get the latest version of this code from https://github.com/SimonFearby/phphaveibeenpwned/.

Update 2018: For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

This demonstrates a PHP framework less way (using HTML 5, Javascript and PHP) to validate a password by hashing (SHA1) the password (before the HTML form is submitted). A part of the password hash is checked at https://api.pwnedpasswords.com/range/{[}xxxxx} API (before a decision to save the form data is made). A Password exposed result returns the user to the sign-up form and no match completes the submission process.

SHA is performed on the password entered in the HTML form in Javascript (Your password never leaves the browser) and the PHP submit receiver performs a partial hash check at api.pwnedpasswords.com. Only a fraction of your password hash is sent to api.pwnedpasswords.com and only a partial hash of your password is returned with other partial matches (Making it hard (for anyone listening) to know what password you used).

This demo does not enforce SSL, sanitize, validate any form data or save the password to a database etc. The aim of this page is to demonstrate integration with api.pwnedpasswords.com. This demo displays a password strength meter. signup_submit.php allows you to enable debugging to see what is going on (detected errors are sent back to the submit.php and alerts shown.

Basics

signup.php – Main PHP file with a form with basic Javascript validation.

signup_submit.php – The form submit sends the form data here and calls the pwnedpasswords API

signup_ok.php – Is loaded if the password is not exposed

The initial HTML code was generated with the Platforma GUI web generator.  I added to the Javascript and relevant code. the HTML input field types are set to “text” (not “password”) so you can see the passwords.  A password SHA1 hash is generated on form submission and the user’s password never leaves the browser.

haveibeenpwned-001

A SHA1 hash of the password is updated and displayed (I am using the jsSHA library).

<script type="text/javascript" src="./js/sha/sha1.js"></script>

haveibeenpwned-002

After a basic HTML Javascript form validation is performed the uses password is replaced with a hash then the form is submitted (to signup_submit.php).

// Generate SHA1 Hash
var shaObj = new jsSHA("SHA-1", "TEXT");
shaObj.update(document.forms["submitform"]["password1"].value);
var passwordhash = shaObj.getHash("HEX");
document.getElementById("sha135").value = passwordhash;

signup_submit.php then takes the password hash, get the first 5 chars and fires up a curl connection to https://api.pwnedpasswords.com/range/$data when the data returns PHP checks the haveibeenpwned API body for matches of the matching password hashed and compared the known hash with the passwords has. Read more about how the API works here.

The PHP function that does the AI check is located here

function sendPostToPwnedPasswordsCom($data) {

    $curl = curl_init();		// Init Curl Object

    if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
    	echo "Data to Send: $data <br />";
    	echo "Sending Data to: https://api.pwnedpasswords.com/range/$data <br />";
    }

    // Set Curl Options: http://php.net/manual/en/function.curl-setopt.php
    curl_setopt($curl, CURLOPT_URL, "https://api.pwnedpasswords.com/range/$data");
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); 
	curl_setopt($curl, CURLOPT_FRESH_CONNECT, true); 		// TRUE to force the use of a new connection instead of a cached one.
	curl_setopt($curl, CURLOPT_FORBID_REUSE, true); 		// TRUE to force the connection to explicitly close when it has finished processing, and not be pooled for reuse.
	curl_setopt($curl, CURLOPT_TIMEOUT, 10); 
    curl_setopt($curl, CURLOPT_MAXREDIRS, 10); 
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);		// TRUE to follow any "Location: " header that the server sends as part of the HTTP header (note this is recursive, 
    														// PHP will follow as many "Location: " headers that it is sent, unless CURLOPT_MAXREDIRS is set).

	// Make a request to the api.pwnedpasswords.com
    $http_request_result = curl_exec ($curl);
    $http_return_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

	// api.pwnedpasswords.com Response codes
	/*
	Semantic HTTP response code are used to indicate the result of the search:

	Code	Description
	200	Ok — everything worked and there's a string array of pwned sites for the account
	400	Bad request — the account does not comply with an acceptable format (i.e. it's an empty string)
	403	Forbidden — no user agent has been specified in the request
	404	Not found — the account could not be found and has therefore not been pwned
	429	Too many requests — the rate limit has been exceeded
	*/


	// Change the return code to debug
	//$http_return_code = 429;
	if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
      	echo "Return HTTP CODE: $http_return_code <br />";
    }
	
    // What was the http response code from api.pwnedpasswords.com
	if ($http_return_code == 200) {
		// OK (All other return codes direct the user back with an error)
		if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
	    	echo "Return HTTP Data site: " . strlen($http_request_result) . " bytes. <br />";
	    }

	} elseif ($http_return_code == 400) {
		// api.pwnedpasswords.com: API Bad Request
    	if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
        	echo "API Bad Request <br />";
        }

        header("Location: signup.php?Error=PwnedpasswordsAPIBadRequest&code=" . $http_return_code);
		die();

	} elseif ($http_return_code == 403) {
    	// api.pwnedpasswords.com: API Bad User Agent
    	if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
        	echo "API Bad User Agent <br />";
        }

        header("Location: signup.php?Error=PwnedpasswordsAPIBadUserAgent&code=" . $http_return_code);
		die();

	} elseif ($http_return_code == 404) {
		// api.pwnedpasswords.com: API User Not Found, not needed in his password hash check but we may as well catch now
    	if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
        	echo "API User Not Found <br />";
        }

        header("Location: signup.php?Error=PwnedpasswordsAPIuserNotFound&code=" . $http_return_code);
		die();

    } elseif ($http_return_code == 429) {
    	// api.pwnedpasswords.com: API Too Many Requests
    	if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
        	echo "API Too Many Requests</ br>";
        }

        header("Location: signup.php?Error=PwnedpasswordsAPIuserTooManyRequests&code=" . $http_return_code);
		die();

    } else {
    	// api.pwnedpasswords.com: API Down

		if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
        	echo "API Down!</ br>";
        }

        header("Location: signup.php?Error=PwnedpasswordsAPIDown&code=" . $http_return_code);
		die();
    } 

    // Tidy up the curl object and return the request api body
    curl_close ($curl); 
	return $http_request_result; 
}

You can enable debugging in signup_submit.php if you wish (but if an echo has presented debug data and a header redirect happens it will produce an error).

// define('ENABLE_DEBUG_OUTPUT', true);
define('ENABLE_DEBUG_OUTPUT', false);

echo statements are wrapped

if (defined('ENABLE_DEBUG_OUTPUT') && true === ENABLE_DEBUG_OUTPUT) {
    echo "API Bad Request <br />";
}

signup_submit.php will redirect the browser back to signup.php if an error is found

header("Location: signup.php?Error=PwnedpasswordsAPIuserTooManyRequests&code=" . $http_return_code);
die();

A success event (no password hash found) the user is sent to ignup_ok.php

header("Location: signup_ok.php");
die();

signup.php will check for the Error query string

Then display bootstrap alert errors for each error case

if ($error == "PwnedpasswordsAPIuserTooManyRequests") {
    echo '<div class="alert alert-danger" role="alert">';
    echo '<br /><a target="_blank" href="https://api.pwnedpasswords.com">https://api.pwnedpasswords.com</a> reported too many requests to the API from this IP, please wait a few seconds and try again.<br /> (E009)<br />';
    echo '<br />Please consider donating to Troy Hunt <a target="_blank" href="https://www.troyhunt.com/donations-why-i-dont-need-them-and-why/">https://www.troyhunt.com/donations-why-i-dont-need-them-and-why/</a> (<em>developer of <a target="_blank" href="https://haveibeenpwned.com">https://haveibeenpwned.com</a></em>).<br />';
    echo '</div>'; 
}
if ($error == "PwnedpasswordsAPIuserTooManyRequests") {
    echo '<div class="alert alert-danger" role="alert">';
    echo '<br /><a target="_blank" href="https://api.pwnedpasswords.com">https://api.pwnedpasswords.com</a> reported too many requests to the API from this IP, please wait a few seconds and try again.<br /> (E009)<br />';
    echo '<br />Please consider donating to Troy Hunt <a target="_blank" href="https://www.troyhunt.com/donations-why-i-dont-need-them-and-why/">https://www.troyhunt.com/donations-why-i-dont-need-them-and-why/</a> (<em>developer of <a target="_blank" href="https://haveibeenpwned.com">https://haveibeenpwned.com</a></em>).<br />';
    echo '</div>'; 
}

Sample Errors

Sample Password exposed to error.

haveibeenpwned-003

Sample API Offline alert

haveibeenpwned-005

If form field needs attention a JavaScript event is written to set the focus etc.

if ($error == "PasswordExposed") {
    echo '<script>';
    echo 'document.getElementById("password1").focus();';
    echo 'document.getElementById("password1").select();';
    echo '</script>';
}

If no password hash has been matched with pwnedpasswords the user is directed to signup_ok.php (not very exciting but that’s your jobs to integrate it with your system and harden).

haveibeenpwned-006

Sample debugging output

haveibeenpwned-007

Get the code: https://github.com/SimonFearby/phphaveibeenpwned/

More Reading

If you are using Ubuntu don’t forget to set up a free SSL cert, setting up an SSL cert on OSX is also a good idea. I have guides on setting up an Ubuntu server on AWS, Digital Ocean and Vultr. I love Vultr VM hosts and have blogged about setting up WordPress via the CLI, uploading files with SSH, restoring Vultr Snapshots etc.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.0 Initial post