Yubikey, fake SSL certs.
I was listening to the Security Now podcast and kept hearing "uberkey, uberkey" on, I think, episode 175. The concept of the uberkey was pretty interesting: a USB device that can generate a long static password without you entering it. This can be used for entering WEP or WPA keys, your normal login password, etc.
I then tried to google uberkey, then realised that it was actually spelled yubikey instead of uberkey.
Yubikey is a USB keyboard that generates a 12-character yubi ID and a 44-character OTP, or a 44-character static password, on pressing the button found on the token. The concept was interesting, especially since we don’t need to remember long, cryptographically strong passwords anymore. The price pitch was rather attractive at 25 USD for a single unit, and 20 USD when the MOQ is 10. The yubikey supports OpenID login through its yubiID and OTP authentication. However, like any other OTP system, it requires an internet connection to verify the authenticity of the ID and OTP. There are several APIs and source code available for development with the yubikey.
I was thinking about how I can use the yubikey for multiple sites without compromising the key. One possible solution for using it on multiple websites or logins could be to type a password that you normally use first, followed by the static password generated by the yubikey.

One issue I normally face when doing such things is that some websites only allow passwords of around 12 characters. What is wrong with these sites? On this point, I usually do an MD5 on my password (which depends on which site I visit); for example, my Google account password could be googPASSWORD and Yahoo could be yahoPASSWORD. [Psst, I use vimperator to do an MD5 hash on my password, by pressing "o md5 googPASSWORD".] This is then entered as the password for my login, and some of them refused it as they only allow 12 characters.

Sites that only allow 12 characters worry me. I have visited and registered with sites that store my password in plaintext! I assumed it is in plaintext because, when I requested a forgotten password, they returned the same password that I had entered. What is wrong with these sites? They should have a reset password function for “Forget password”. It is also unlikely that they have encrypted the password with a public key and subsequently decrypted it with their private key; this is way too much work compared to the reset password feature!

So how do you remember all your passwords? Another way to avoid all these problems with website passwords is to make use of www.bugmenot.com; they have pre-registered accounts that just work. This is very useful for sites that require a login before downloading, searching in a forum, etc.
SSL certificates, as talked about in Security Now 177, have been kind of compromised. Only MD5-signed certs, though. It seems that a group of researchers made use of 200 PS3s [Yeah, powerful PS3 SPU at its best?] to brute force a fake root CA certificate that is valid. This would then allow them to subsequently create SSL certificates for any site! The podcast talks about how to fix this locally on your PC by removing all the CA certs that are MD5-signed. Do check the podcast out for more details on how to drop these certs from your OS.
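As an added example (not from the podcast or the original post), the Python sketch below shows one way to find MD5-signed certificates in a PEM bundle by reading the signatureAlgorithm OID straight from the DER. The function names and the sample bundle are assumptions made for illustration; the sample holds constructed, certificate-shaped skeletons, not real certificates.

```python
import base64, hashlib, re

PKCS1 = bytes.fromhex("2a864886f70d0101")   # DER bytes of OID arc 1.2.840.113549.1.1
SIG_ALGS = {0x04: "md5WithRSAEncryption", 0x05: "sha1WithRSAEncryption", 0x0B: "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    outer_tag, start, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)         # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a certificate-shaped DER structure")
    oid = der[oid_start:oid_end]
    name = SIG_ALGS.get(oid[-1]) if oid[:-1] == PKCS1 else None
    return name or "oid:" + oid.hex()

def md5_signed(bundle):
    """Return (index, SHA-256 fingerprint) for each MD5-signed cert in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle, re.S)
    ders = [base64.b64decode("".join(b.split())) for b in blocks]
    return [(i, hashlib.sha256(d).hexdigest()) for i, d in enumerate(ders)
            if signature_algorithm(d) == "md5WithRSAEncryption"]

# --- constructed sample input: certificate-shaped DER skeletons, not real certificates ---
def tlv(tag, body):
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def skeleton_pem(alg_byte):
    alg = tlv(0x30, tlv(0x06, PKCS1 + bytes([alg_byte])) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, bytes(300)) + alg + tlv(0x03, bytes(129)))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = "".join(skeleton_pem(b) for b in (0x0B, 0x04, 0x05))

if __name__ == "__main__":
    print(md5_signed(SAMPLE_BUNDLE))   # one hit: index 1, the md5WithRSAEncryption skeleton
```

To use it on real data, pass `md5_signed` the text of a PEM bundle exported from your trust store; the fingerprints it returns identify which entries to review.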
Been busy these days, going to post more later on.

