Why Even Consider a Password Manager
If you have ever taken an interest in password security and data breaches you have no doubt come across Troy Hunt's Have I Been Pwned website. Have I Been Pwned provides a free resource to quickly assess whether you have been put at risk by an online account being compromised. As of April 2024 Have I Been Pwned has indexed over 13 billion passwords from 770 separate data breaches.
Now I consider myself to be pretty conservative with the number of websites I sign up to; however, one of my emails alone has appeared in 5 separate data breaches.
The datasets obtained from these data breaches are illegally bought and sold by cybercriminal groups, who use the information for further crimes such as identity theft or compromising additional accounts on popular websites such as Twitter, eBay or Facebook, which can then be sold. The most common technique for compromising additional websites is password reuse, where a username and password found in the dataset is reused on another website.
Now that we know password reuse is an issue, the question is how to solve it. This is where password managers come in. A password manager can generate and store all your passwords securely, so you don't have to worry about remembering them. This allows you to use unique, strong passwords for each website.
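The two checks described above, whether a password has appeared in a known breach and whether it is reused across sites, can both be done without ever sending the password anywhere. The following is an added example, not code from the original post or from Have I Been Pwned: it implements the k-anonymity lookup the Pwned Passwords API uses (only the first five hex characters of the SHA-1 hash are sent to `https://api.pwnedpasswords.com/range/<prefix>`, and the response lists `<suffix>:<count>` lines) against a constructed, embedded response so it runs offline, and it adds a local reuse check over a constructed vault. The `lookup_range` function is a stand-in for the HTTP request; the breach counts and vault entries are made up for the example.

```python
"""Breach-exposure and password-reuse checks (added example, runs offline)."""
import hashlib

# Constructed stand-in for the Pwned Passwords range API. The real service
# returns one "<35-hex-suffix>:<count>" line per known hash in the range.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6; the counts below are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",   # "password"
        "0000000000000000000000000000000000A:7",      # some other hash
    ])
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into 5-char prefix and suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (no network)."""
    return SAMPLE_RANGES.get(prefix, "")


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str) -> int:
    """Return how often the password appears in the (constructed) breach corpus.

    Only the hash prefix is 'sent'; the suffix match happens locally, which is
    the k-anonymity property of the real API.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup_range(prefix)).get(suffix, 0)


def find_reused_passwords(vault: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group vault entries (site, password) by password hash; keep groups used on 2+ sites."""
    by_hash: dict[str, list[str]] = {}
    for site, password in vault:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
        by_hash.setdefault(digest, []).append(site)
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed vault: two sites share a weak password, one has a unique one.
    vault = [("mail", "password"), ("shop", "password"), ("bank", "Vq7!pL2#zR9wTk")]
    print("breach count for 'password':", breach_count("password"))
    for digest, sites in find_reused_passwords(vault).items():
        print("password reused on:", ", ".join(sites))
```

Against a live service the `lookup_range` stand-in would be replaced by the HTTP request; the rest of the logic, including the prefix/suffix split that keeps the full hash on your machine, stays the same.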
The OnlyKey
Over the years I have tried cloud based password managers such as LastPass and BitWarden as well as client-side password managers such as KeePass. Cloud services are great for storing passwords and TOTPs (Time-based One-time Passwords), but client-side password managers are often more feature complete and have integration for SSH, GPG, RDP and more. Using a password manager is the only practical way to consistently use unique secure passwords, but it also presents a risk in that all your eggs are now in one basket.
A number of years back I was looking at how to best manage this risk. This post will talk about a product named OnlyKey which competes in the same market as YubiKey but in my opinion is a far better product. I currently use OnlyKey to manage my most important passwords, SSH and GPG keys as well as FIDO U2F registrations.
At first glance a clear differentiator of the OnlyKey is the capacitive touch PIN pad. The PIN pad provides a means to PIN-protect access to the OnlyKey.
The OnlyKey is more akin to a client-side application when it comes to the feature set. The integrated hardware based password manager can be used to store username and password entries just like any other password manager, as well as SSH and GPG keys. The OnlyKey can store up to:
- 12 password entries
- 16 SSH or GPG private keys and
- 4 RSA private keys
The OnlyKey is also able to generate an unlimited number of derived SSH and GPG keys as well as an unlimited number of FIDO U2F registrations.
Having the flexibility of a hardware based password manager alongside my cloud based password manager allows me to take a more balanced and deliberate approach to managing my passwords. I store my most sensitive secrets solely on the OnlyKey, and I use the OnlyKey as a second factor to access my cloud based password manager where I store the bulk of my passwords.
How you choose to divide up your secret management is up to you, but I recommend considering how the OnlyKey can act as a means to break the kill chain in the event an online account gets compromised. You may consider:
- Storing the credentials for your primary email account (the one used for password resets) only on the OnlyKey,
- Using the OnlyKey as a second factor in place of TOTP, a phone number or a backup email address.
Profiles
The OnlyKey is capable of storing 12 passwords per profile and there are 2 profiles, for a total of 24 passwords. Each profile is protected by its own PIN. The 2 profiles could serve as:
- A work and a personal profile
- A profile for yourself and the other for your partner, or
- A genuine profile and a throwaway profile. The throwaway profile could be used when travelling, in the event you are required to surrender access to your online accounts and want a throwaway profile providing a level of plausible deniability.
How you choose to use the 2 profiles is up to you, but it is a nice option to have.
Hardware Password Manager
In order to interact with the OnlyKey hardware based password manager it is easiest to use the associated OnlyKey desktop application; however, you can also use the accompanying command line utility.
The user interface is rudimentary but provides all the options required to enter and manage not only the password but also the URL, username and associated TOTP. I mentioned earlier that each profile stores a total of 12 passwords: each physical button on the OnlyKey represents two password slots, accessible by either a short or a long press.
Autofill Logon Forms
The OnlyKey is presented to the operating system as a keyboard: a short press on the 1 button on the OnlyKey will read the corresponding entry in slot 1 and type the information out as keystrokes. The OnlyKey also supports the programmatic entry of actions such as pressing tab to change fields, enter to confirm an entry and sleep to pause while the next page loads. In theory this is really useful if you do all your browsing in a private session with no cache, but in practice most websites "remember you" and prepopulate the username field, which makes the auto type feature somewhat painful. I work around this annoyance by storing the username in the cloud based password manager or in the Label field (which does not get typed out) and entering only the password and TOTP.
If your auto type needs are more complex, the OnlyKey does support complex login forms. Each slot value can be appended with commands. The example entry in the username field below has been appended with the commands that will enter the username, press return, press tab 3 times, sleep for 3 seconds before continuing, and then enter the password which is stored in the next field in the slot.
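Because the device behaves as a keyboard, a slot's field value is really a small keystroke script, and it helps to see exactly what will be typed before provisioning it. The following is an added example, not the OnlyKey firmware or any code from the original post: a simulator that expands a field value into the sequence of keyboard events it produces. It assumes the command syntax documented for OnlyKey slots (`\t` for tab, `\r` for return, `\d` followed by a number of seconds for a delay); treat that syntax as an assumption and check it against the OnlyKey documentation for your firmware. Rejecting an unknown escape rather than typing it is a design choice of this example.

```python
"""Expand an OnlyKey-style slot field into keyboard events (added example)."""
import re

# Assumed slot command syntax: \t = Tab, \r = Return, \dN = delay N seconds.
_TOKEN = re.compile(r"\\d(\d+)|\\t|\\r|\\(.)|[^\\]+")


def expand_field(value: str) -> list[tuple[str, object]]:
    """Return events such as ("type", "alice"), ("key", "TAB"), ("delay", 3).

    Raises ValueError for an escape the (assumed) command set does not define,
    so a typo in a slot is caught before it is typed into a login form.
    """
    events: list[tuple[str, object]] = []
    pos = 0
    for match in _TOKEN.finditer(value):
        if match.start() != pos:
            raise ValueError(f"unparseable text at offset {pos}")
        pos = match.end()
        token = match.group(0)
        if match.group(1) is not None:          # \dN -> delay N seconds
            events.append(("delay", int(match.group(1))))
        elif token == r"\t":
            events.append(("key", "TAB"))
        elif token == r"\r":
            events.append(("key", "RETURN"))
        elif match.group(2) is not None:         # any other backslash escape
            raise ValueError(f"unknown slot command: {token}")
        else:                                    # literal text is typed as-is
            events.append(("type", token))
    if pos != len(value):
        raise ValueError("trailing backslash with no command")
    return events


def simulate_slot(username_field: str, password_field: str) -> list[tuple[str, object]]:
    """Model a slot: the username field (with commands) is typed, then the password field."""
    return expand_field(username_field) + expand_field(password_field)


if __name__ == "__main__":
    # Constructed slot matching the post's description: username, return,
    # three tabs, a 3 second pause, then the password from the next field.
    for event in simulate_slot(r"alice@example.org\r\t\t\t\d3", "hunter2-not-a-real-password"):
        print(event)
```

Running it prints the events in order, which is the sequence the real device would type into whatever window has focus, so it is worth checking that a stray `\r` will not submit a form before the password has been entered.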
I will not cover the command line utility but it is well documented. I have not found a need for the command line utility myself but it would be very useful for provisioning keys in bulk with prepopulated entries.
FIDO U2F and FIDO2
FIDO U2F is very common today and is used as a second factor along with your username and password. There is no setup process required to use FIDO U2F and there is no limit on how many FIDO U2F registrations can be made.
When registering with a website that supports FIDO U2F the OnlyKey will flash blue; pressing any button on the OnlyKey acts as the human confirmation for registration and authentication. Note that while the OnlyKey is flashing blue the auto typing of the OnlyKey's password slots is disabled to prevent accidental exposure of password entries.
In addition to FIDO U2F the OnlyKey also supports FIDO2, which can be used for applications such as Windows Hello for hardware based authentication. Unlike FIDO U2F, which requires that you enter the username and password, FIDO2 creates a smoother username-less login experience by saving the user data on the OnlyKey.
Logging into Windows with FIDO2 requires that you physically plug in the OnlyKey and then enter the PIN, at which point you are signed in. I have not used the OnlyKey in this way, but I have used YubiKeys on other devices and the process, in addition to being more secure, has less friction and feels modern and polished.
Using OnlyKey on the Go
It is reasonable to expect that you may not always be using the OnlyKey on your own computer; fortunately OnlyKey has you covered. Because OnlyKey is presented to the operating system as a keyboard you can still type password entries to the screen by pressing the corresponding capacitive button after unlocking the OnlyKey using the PIN. This raises the question of whether you are expected to carry around a piece of paper listing which password is stored in which slot; fortunately the answer is no. By pressing and holding down button 2 for 5+ seconds the OnlyKey will type out your slot labels to the screen (ideally into a notepad application) as shown below.
1a OnePassword
2a PayPal & OTP
3a GMail
4a TrueNAS
5a Bank
6a LUKS
1b Confluence
2b eBay
3b Xero
4b GitLab
5b Gov
6b Citrix
For OnlyKey on-the-go visit https://apps.crp.to
Note that TOTP requires the correct time. If the OnlyKey is used on a system where the OnlyKey application is not running it will type out "NOTSET" instead of the OTP code. Because the OnlyKey has no battery it requires an application to send it the correct time before it can generate TOTP codes.
You can use the command line utility to send the time to the OnlyKey, but the more practical option is the OnlyKey web application, accessible from your web browser, which performs the same function.
Durability
The OnlyKey is very durable; I have not been concerned that the key may break or bend in the ~4 years I have had it. Rather than talking about my experience I suggest watching the video below. I would argue that the tests the reviewer subjected the OnlyKey to are more than adequate and a testament to its build quality.
Backup and Restore
Within the OnlyKey application is a fully encrypted backup and restore capability. For redundancy I have 2 physically separate keys and use the backup and restore feature to keep the two keys in sync.
To ensure both keys function I regularly switch one out for the other on a rotating cycle. Personally I find syncing two keys easier than registering each key independently, particularly since not all applications allow multiple FIDO U2F registrations.
That covers how I use the OnlyKey hardware based password manager. In future posts I will cover my most used use cases, which are SSH key based access and GPG signing.