Better password security with Yubikeys

I am not a huge fan of passwords, but I happen to like passwords much more than I like biometric methods and other such things. However, getting a reasonable level of security with passwords does take some work, and a good memory. I have finally gotten to a place where I'm quite comfortable with my tradeoffs between security and convience for password usage, so I thought I'd mention a bit about what I do here.

Core to my newish system for passwords is to use Yubikeys. However, I don't use any of their fancy features - I simple use their Static Password thing, which gives me two 38-letter passwords per yubikey. That is roughly 226 bits of entropy right there, with only letters and digits. You could add any other kind of symbol if you want to get more entropy, but 226 bits should take you pretty far.

However, this doesn't really solve the problem of passwords. You can't just use two yubikey static passwords for everything you do. Then you fall in the same trap that anyone who manages to crack it will get access to your other accounts. So I still use a password safe for almost every password I use. That means I only have a few passwords that I really need to remember. Things like the password for my LUKS container on my main machine, the user password and the password for the password safe. So, I take the static passwords and then I add about 40 bits of additional entropy after the static password. Thus I have something that is easy to remember, doesn't rely completely on the yubikey and still gives me a huge chunk of security.

So why don't I use the OTP or NFC features of the yubikeys? Wouldn't that be even better? Well, yeah. It would be. But I don't trust those features. If I constrain myself to the static password feature and keep track of my keys, there shouldn't be much that the keys can actually achieve to attack me - especially if I never keep the keys in the computer except for when I need the password. I can't imagine any way of exfiltrating information or having backdoors in that specific feature. Hopefully I'm right about that.

Anyway, for now, that is the basis of how I deal with passwords. Of course I have some more complicated things going for hig security use cases, etc.