This past Wednesday, October 26, 2011, Yubico announced that the company has successfully implemented the Initiative For Open Authentication (OATH) Time-based One-time Password (TOTP) configuration for the YubiKey USB authentication key, enabling secure access to Gmail and Google Apps.
Google has built OATH TOTP into its account framework as an optional second factor on top of the traditional password, so Gmail and Google Apps users can add a further layer of security to their login. The YubiKey simplifies logging in with a one-time password token, because the user no longer has to read a long code off a display device and re-type it into the login field of the computer.
“The OATH-TOTP configuration of the YubiKey enables Google Apps and Gmail users to authenticate with a simple click of the mouse, with a higher level of security than a smartphone application and with a minimal sized and practically indestructible token,” said Stina Ehrensvard, CEO and Founder, Yubico.
OATH-TOTP (RFC 6238) derives each one-time code from a hash-based message authentication code (HMAC) over a shared secret and the current time, quantized into time steps (30 seconds by default), so the code changes every step and a captured code is useless soon after. To let the YubiKey support this protocol, Yubico has developed a small Windows app. Once installed, the app sends the current time step to the YubiKey as a challenge; the key computes the HMAC with the secret stored on it, and the app truncates the response into the six-digit OATH-TOTP code. The secret therefore never has to sit on the PC, but the PC's clock has to be correct, since the time comes from the host rather than from the token.
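The computation described above, as an added example that is not Yubico's code and not the Windows app the post mentions. It follows RFC 6238 with the RFC 4226 dynamic truncation: the host turns the current time into an 8-byte time-step counter, hands that counter to the token as the challenge, and truncates the 20-byte HMAC-SHA1 reply into six digits. The function `yubikey_hmac_sha1_response` is an assumed stand-in for the hardware (the page does not describe the key's internal interface); the `verify` routine and its one-step clock-drift allowance are a common server-side policy assumed for illustration, not something the page states about Google. The secret is the RFC 6238 Appendix B test key, so the 8-digit results can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # RFC 6238 default time step, in seconds
DIGITS = 6       # Google accepts six-digit codes, as the post says


def time_counter(unix_time, step=TIME_STEP):
    """The TOTP 'T' value: number of whole time steps since the Unix epoch."""
    return int(unix_time) // step


def counter_challenge(counter):
    """The 8-byte big-endian counter that HOTP/TOTP feeds into the HMAC (RFC 4226 section 5.3)."""
    return struct.pack(">Q", counter)


def yubikey_hmac_sha1_response(secret, challenge):
    """Stand-in for the token (assumption for this example): the secret lives here and only
    the 20-byte HMAC-SHA1 of the challenge ever goes back to the host."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def truncate(mac, digits=DIGITS):
    """Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last byte picks a
    4-byte window, whose top bit is cleared, and the result is reduced modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time, digits=DIGITS, step=TIME_STEP):
    """What the host app does: derive the time counter, send it as the challenge,
    truncate the token's reply into the one-time code."""
    challenge = counter_challenge(time_counter(unix_time, step))
    return truncate(yubikey_hmac_sha1_response(secret, challenge), digits)


def verify(secret, code, unix_time, skew_steps=1):
    """Server side (assumed policy): accept the code for the current step and +/- skew_steps
    neighbours, compared in constant time."""
    t = time_counter(unix_time)
    for c in range(t - skew_steps, t + skew_steps + 1):
        expected = truncate(yubikey_hmac_sha1_response(secret, counter_challenge(c)))
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret (ASCII)
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t), totp(secret, t, digits=8))
    print("now:", totp(secret, time.time()))
```

Note where the trust boundaries fall: the host supplies the time, so a wrong PC clock yields codes the server rejects, while the token supplies the secret, so malware on the PC can harvest codes only while the key is plugged in and cannot clone the key.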
You can get full details here: yubico.com/totp.
Now, I’m off to set up Google two-factor authentication on my accounts.
Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1,200 guesses per day from one account. If an attacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses per 2 hours limit, saying it’s robust enough. Considering that the Conficker worm’s password list had only about 200 entries and still compromised many systems, it’s conceivable that many Gmail accounts could be compromised easily: from a single attacking account, 200 guesses fit into two windows, or slightly more than 2 hours.
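Why the limit as described scales so badly, as an added example that is not Google's implementation: a toy fixed-window limiter keyed on a string, run with the counter keyed either on the guessing account (the behaviour the post describes) or on the account being guessed at. The attacker spreads a wordlist round-robin over its own free accounts; the constants, account names and the `guesses_accepted` simulation are assumptions for this example.

```python
from collections import defaultdict

WINDOW_SECONDS = 2 * 60 * 60   # the two-hour window the post describes
LIMIT_PER_WINDOW = 100         # the 100-guess allowance the post describes


class FixedWindowLimiter:
    """Toy fixed-window counter, keyed on whatever string the caller passes.
    It models the behaviour the post describes; it is not Google's code."""

    def __init__(self, limit=LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.count = defaultdict(int)
        self.window_start = {}

    def allow(self, key, now):
        """Return True if one more attempt under `key` is allowed at time `now`."""
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            self.window_start[key] = now    # open a fresh window for this key
            self.count[key] = 0
        if self.count[key] >= self.limit:
            return False
        self.count[key] += 1
        return True


def guesses_accepted(keyed_by, attacker_accounts, wordlist_size,
                     now=0, victim="victim@example.com"):
    """How many wordlist guesses against ONE victim get through inside a single window
    when the attacker rotates them over `attacker_accounts` free accounts.
    keyed_by="guesser": limit per attacking account (what the post describes).
    keyed_by="victim":  limit per account being attacked."""
    limiter = FixedWindowLimiter()
    accepted = 0
    for i in range(wordlist_size):
        guesser = "attacker%d@example.com" % (i % attacker_accounts)   # constructed names
        key = guesser if keyed_by == "guesser" else victim
        if limiter.allow(key, now):
            accepted += 1
    return accepted


if __name__ == "__main__":
    for accounts in (1, 2, 100):
        print("%3d attacker account(s), 200-word list: per-guesser limit lets through %d, "
              "per-victim limit lets through %d"
              % (accounts, guesses_accepted("guesser", accounts, 200),
                 guesses_accepted("victim", accounts, 200)))
```

With the counter keyed on the guesser, two free accounts are enough to run a Conficker-sized list against one victim inside a single window, and 100 accounts allow 10,000 guesses per window against the same victim. Keyed on the victim, the total stays at 100 no matter how many accounts the attacker owns, at the price of letting an attacker lock a victim out by burning the allowance, which is why real systems combine per-victim, per-source and per-IP limits with escalating friction rather than relying on one counter.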
Gmail does require a password of 8 characters or more, but it enforces no further rules, so extremely weak passwords such as aaaaaaaa, 12345678 and the like are allowed, as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.
Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password from random upper- and lowercase letters, numbers and symbols. The trouble with such passwords is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of the words and eliminate the spaces: St.Main555isaddressMy; eliminate every repeated letter and number, keeping the first occurrence: St.Main5drey; finally, uppercase every other letter: St.MaIn5DrEy. That’s a strong password. Keep the pattern itself to yourself, though: anyone who learns both the hint and the rule can recompute the password, so the hint should never be the only thing standing between an attacker and your account.
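The transformation above, plus a checker for the weak patterns the previous paragraph says Gmail accepts, as an added example that is not part of the original post. The three steps are implemented so that they reproduce the post's own result from its phrase; the reading of "every other letter is shifted" as alternating case over letters only (punctuation and digits skipped), and the case-insensitive treatment of repeats, are the interpretations under which that result comes out. The `weaknesses` check and its tiny word list are constructed for this example; a real checker would load a large dictionary.

```python
import re

# Constructed mini word list for the dictionary check (example data only).
COMMON_WORDS = {"password", "welcome", "sunshine", "football", "baseball", "princess"}


def reverse_words_no_spaces(phrase):
    """Step 1: reverse the word order and drop the spaces."""
    return "".join(reversed(phrase.split()))


def drop_repeats(s):
    """Step 2: keep only the first occurrence of each letter or digit, ignoring case;
    punctuation passes through untouched (that is what yields the post's 'St.Main5drey')."""
    seen = set()
    out = []
    for ch in s:
        if ch.isalnum():
            if ch.lower() in seen:
                continue
            seen.add(ch.lower())
        out.append(ch)
    return "".join(out)


def alternate_case(s):
    """Step 3: 'shift' every other letter, counting letters only and starting with uppercase."""
    out, upper = [], True
    for ch in s:
        if ch.isalpha():
            out.append(ch.upper() if upper else ch.lower())
            upper = not upper
        else:
            out.append(ch)
    return "".join(out)


def derive_password(phrase):
    """Apply the post's three-step pattern to a memorable phrase."""
    return alternate_case(drop_repeats(reverse_words_no_spaces(phrase)))


def weaknesses(password, min_length=8):
    """Reasons a password fails the post's criteria; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if len(set(password)) == 1:
        problems.append("single repeated character")
    digit_run = "0123456789" * 2
    if password.isdigit() and (password in digit_run or password in digit_run[::-1]):
        problems.append("sequential digits")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    pw = derive_password("My address is 555 Main St.")
    print(pw, weaknesses(pw) or "passes")
    for weak in ("aaaaaaaa", "12345678", "football"):
        print(weak, weaknesses(weak))
```

The derived password passes every check while the three examples from the post each fail at least two, which is the point: the length rule alone tells you nothing about the rest.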
If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app. Feed it test candidates built with your pattern rather than a password you actually use, since anything typed into a third-party web page should be treated as disclosed.