Hello! Thanks for your feedback and explanation. What I would expect is, that with a fresh Yubikey and PwSafe and a known (noted-down) OTP secret string I can re-program an empty Yubikey to re-access Yubikey-protected databases like nsa-backup.psafe3.
This means that on opening a database with master password-only, I'd not expect to be able to retrieve previous OTP secrets!

Expected behavior (working)

Expected behavior (failing)

As noted at step 9, I'd expect nobody to be able to retrieve the super-secret secret without any (paper-written) copy of the original OTP Yubikey secret.
IMHO this behavior renders the added value/security of a hardware key like yubikey void.

Also note: It's not essential that Alice sticks to the same master password 123456: I only chose it to reduce the attack complexity for Bob: He must only get hold of one password (plus the two backups).

Using the method below: Bob can program a fresh, new Yubikey, open nsa-backup.psafe3 with your (compromised) password 123456 and reveal the deleted super-secret entry by only having access to both nsa-*.pwsafe backups and the typed password and without the need to ever have had access to Alice's hardware key!

- Open "Yubikey" dialog: Still be able to see & access the previous yubikey secret.
- Bob creates second backup: nsa-backup-2.psafe3. At this point I'd expect to be no longer able to access my super-secret secret without the noted-down copy of the OTP secret!
- Delete the Yubikey secret on key: `ykman otp delete 2`.
- Change master password back to password-only: 123456.
- Bob creates a database backup file: nsa-backup.psafe3 Enhance security by changing to master passphrase 123456 + Yubikey.
- (Note it down for debugging reference only here) Generate & write a Yubikey secret to a new Yubikey.
- Create a new mypw.psafe3 database with a password 123456 using PasswordSafe Linux v1.12.
Nevertheless – here is my issue: Problem description / How to reproduce
pwsafe3 file content using Crypt::Pwsafe.pm to better understand the internals, but failed there too. I was also looking for design documentation about how this feature is technically implemented to assess its security, but failed. Mostly I was trying to figure out recovery options with lost yubikeys (but known secrets). I'm currently evaluating if I want to migrate from „annoyingly-hard-to-type-password“-mode to „quickly-typable-password-with-yubikey“-mode for pwsafe.