Category Archives: Tip

Maximize LastPass Security with a Yubikey

While LastPass is very convenient, I want to be as cautious as possible when putting all of my eggs (passwords) in one basket. I have two-factor authentication enabled, and LastPass has native YubiKey support as a second authentication factor.

Protections:

  • LastPass Premium – allows simple use of unique passwords for each account
  • Typed/Remembered Password – protects against a stolen YubiKey alone giving access to your vault (the static password on the key is only half of the master password)
  • YubiKey OTP – prevents a keylogger from allowing access to your LastPass vault, since each OTP is single-use
  • YubiKey Static Password – ensures your master password is long and random enough to resist an offline brute-force attack if an attacker is able to dump the LastPass database
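To make the last bullet concrete, here is an added example (mine, not from the original post) that models an offline attack on a dumped vault. The vault key is derived from the master password with PBKDF2-HMAC-SHA256 salted with the account email; the iteration count, the email-as-salt scheme, the account name and the wordlist are assumptions for the illustration, not LastPass's real parameters. A typed-only master password that appears in a wordlist falls immediately; the same password with a random 38-character YubiKey static suffix (38 characters is the slot maximum) does not, because the suffix adds about 38 × log2(62) ≈ 226 bits to the search space.

```python
import hashlib
import hmac
import math
import secrets
import string

# Model of the vault: the key is derived from the master password with PBKDF2.
# ITERATIONS, the email-as-salt scheme and the wordlist are assumptions for this
# illustration, not LastPass's actual parameters.
ITERATIONS = 2_000
EMAIL = "kenji@example.com"        # constructed account name used as the salt
STATIC_ALPHABET = string.ascii_letters + string.digits


def derive_vault_key(master_password: str, salt: str = EMAIL) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt.encode(),
                               ITERATIONS, dklen=32)


def vault_verifier(master_password: str) -> bytes:
    """What a dumped database hands the attacker: a check value for the vault key, never the password."""
    return hashlib.sha256(derive_vault_key(master_password)).digest()


def offline_dictionary_attack(verifier: bytes, wordlist):
    """Run each candidate through the same KDF; return the recovered master password or None."""
    for candidate in wordlist:
        if hmac.compare_digest(vault_verifier(candidate), verifier):
            return candidate
    return None


def yubikey_static_password(length: int = 38) -> str:
    """Random static password of the kind written to YubiKey slot 2 (38 characters is the slot maximum)."""
    return "".join(secrets.choice(STATIC_ALPHABET) for _ in range(length))


def added_entropy_bits(length: int = 38, alphabet_size: int = len(STATIC_ALPHABET)) -> float:
    """Search-space growth from appending a random suffix over a given alphabet."""
    return length * math.log2(alphabet_size)


# Constructed wordlist; real attacks use hundreds of millions of entries plus mangling rules.
WORDLIST = ["password", "letmein", "hunter2", "Summer2016!", "Tr0ub4dor&3",
            "correct horse battery staple"]


def demo():
    """Attack the same typed password with and without the YubiKey static suffix."""
    typed = "Tr0ub4dor&3"                  # a "good" typed password that still sits in a wordlist
    static = yubikey_static_password()
    typed_only = offline_dictionary_attack(vault_verifier(typed), WORDLIST)
    with_static = offline_dictionary_attack(vault_verifier(typed + static), WORDLIST)
    return typed_only, with_static, added_entropy_bits()


if __name__ == "__main__":
    recovered, recovered_with_static, bits = demo()
    print("typed password alone recovered :", recovered)
    print("typed + static suffix recovered:", recovered_with_static)
    print(f"static suffix adds about {bits:.0f} bits of search space")
```

The suffix only helps against the offline case: an attacker who has the YubiKey can read the static password simply by pressing the button, which is why the typed half and the OTP still matter.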

What you need:

Set Up Your YubiKey

YubiKey Programming Dialog (not my real password)

  1. Launch the YubiKey Personalization Tool
  2. Select "Static Password Mode"
  3. Click the "Scan Code" button
  4. Select:
    • Configuration Slot 2
    • Program Multiple YubiKeys
    • Keyboard: US Keyboard (the layout must match the computers you will use the key on, since a static password is sent as keystrokes)
  5. Enter a strong password
  6. Insert each YubiKey, and click "Write Configuration"

Configure LastPass

Add YubiKeys to LastPass

  1. Open your LastPass Vault and click Account Settings
  2. If you have not already configured your YubiKey as a second factor
    1. Click Multifactor Options, scroll down to Yubico, click the pencil
    2. Set Enabled to Yes
    3. If you use iOS, you will want to set Permit Mobile Device Access to Allow, even though it is slightly less secure
    4. Pick whichever option you like for Permit Offline Access. Allowing it lets a locally cached copy of the vault be unlocked with only the master password, so the OTP is not required offline; since you should only be logging in to LastPass from trusted computers, there is not much of a security risk, and the YubiKey portion of the master password still protects the cached copy
  3. For each of your YubiKeys, put the cursor in a YubiKey box and press the button on the YubiKey
  4. When all of your YubiKeys have been entered, click Update
  5. Under the General tab, click Change Master Password. For your new master password, type a good password (it can be your current password), followed by the static password in your YubiKey. This is the only time you will have to type the YubiKey password by hand.

Use

Now when you log into LastPass, type your password, insert your YubiKey, and hold the YubiKey button for about 2 seconds (a long press selects configuration slot 2). The YubiKey will type its portion of your master password followed by <enter>. LastPass will then prompt you for your second factor; use a short press on the YubiKey button (slot 1) to enter the YubiKey OTP code.

Mobile Protection

Since my iPhone SE is not compatible with YubiKeys, I had to take a different approach. This one phone is the only mobile device allowed to access my account (restricted by UUID). I authorized it using the Google Authenticator app before disabling Google Authenticator. My phone is protected by TouchID and the LastPass app is protected by a PIN. I store the "YubiKey portion" of my master password in NoteCrypt, which is protected by a different, shorter password.

NoteCrypt (https://itunes.apple.com/tc/app/notecrypt-encrypted-notes/id897154139) appears to be developed by Tom King (LinkedIn). While I can’t audit what NoteCrypt actually does, it says all of the right things about encryption and password-based key derivation. It also costs $2.99, so there is an economic model that doesn’t involve ads or selling user data. Finally, the developer’s LinkedIn profile looks respectable.

Solved: Word 2013 does not immediately save files

After repeatedly working on a file, hitting save, attaching the file to an email, and realizing I had sent the unsaved version of the file, I decided to dig into this odd behavior of Microsoft Word 2013.

My initial workaround was completely closing all Word windows, but I didn’t want to have to close all of my documents to save one.

After a little more digging, I found that a simple setting solves this problem. Go to File -> Options -> Advanced, scroll down to Save, and uncheck "Allow background saves".

Convenient Device Charging

A simple solution for charging multiple devices, keeping cords out of the way, and making everything easily accessible is a pencil drawer and a multi-port USB charger.

Device Charging Drawer

Items

Steps:

  1. Drill a 7/8 inch hole in the back of the drawer.
  2. Attach the USB charger to the drawer with the Velcro strips.
  3. Screw the drawer into the underside of your desk.
  4. Attach USB cables and charge.

Purchase Links

How to Verify OpenSSH Source

Download the source, signature, and old key from http://www.openssh.com/portable.html. I picked 3 different mirrors:

Download the current key from the MIT PGP Public Key Server at 0xD3E5F56B6D920D30.

Verify the current key is signed with the old key:

Kenjis-MacBook-Air:ssh kenji$ gpg --import DJM-GPG-KEY.asc

gpg: key 86FF9C48: "Damien Miller (Personal Key) <[email-removed]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Kenjis-MacBook-Air:ssh kenji$ gpg --import 0xD3E5F56B6D920D30.asc

gpg: key 6D920D30: public key "Damien Miller <[email-removed]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Kenjis-MacBook-Air:ssh kenji$ gpg --check-sigs 0xD3E5F56B6D920D30

pub   3200R/6D920D30 2013-12-10 [expires: 2021-01-01]
uid                  Damien Miller <[email-removed]>
sig!         86FF9C48 2013-12-10  Damien Miller (Personal Key) <[email-removed]>
sig!3        6D920D30 2013-12-10  Damien Miller <[email-removed]>
sub   3200R/672A1105 2013-12-10 [expires: 2021-01-01]
sig!         6D920D30 2013-12-10  Damien Miller <[email-removed]>

Verify the signature of the OpenSSH source. "Good signature" is the result that matters: the WARNING that follows only means the key has not been marked as trusted in your local keyring, not that the signature is bad. Also check that the printed primary key fingerprint ends in the full key ID you imported above (D3E5 F56B 6D92 0D30).

Kenjis-MacBook-Air:ssh kenji$ gpg --verify openssh-7.1p2.tar.gz.asc openssh-7.1p2.tar.gz

gpg: Signature made Wed Jan 13 17:13:46 2016 PST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <[email-removed]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30
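A scripted version of this check, added here as an example (not from the original post): rather than grepping for "Good signature" or trusting the exit code, it reads gpg's machine-readable --status-fd output and accepts only a VALIDSIG whose primary-key fingerprint matches the one pinned from the output above. gpg exits 0 for a good signature from any key in the keyring, so the pin is what ties the tarball to the OpenSSH release key. The status transcripts at the bottom are constructed to look like gpg's output for this signature and for two failure cases; verify_tarball runs the real gpg and needs the key imported as described above.

```python
import subprocess

# Fingerprint of the OpenSSH release key, pinned from the gpg --verify output above.
OPENSSH_RELEASE_KEY_FPR = "59C2118ED206D927E667EBE3D3E5F56B6D920D30"

# Any of these means the signature must be rejected regardless of what else gpg prints.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def check_gpg_status(status_lines, expected_fpr: str = OPENSSH_RELEASE_KEY_FPR) -> bool:
    """Accept only a VALIDSIG made by the pinned primary key.

    status_lines are the lines gpg writes with --status-fd. Neither the exit code
    nor the words "Good signature" prove which key signed: gpg exits 0 for a good
    signature from *any* key in the keyring, trusted or not.
    """
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, fields = parts[1], parts[2:]
        if keyword in FATAL_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 10:
            # VALIDSIG <fpr> <date> <timestamp> <expire-ts> <version> <reserved>
            #          <pubkey-alg> <hash-alg> <sig-class> <primary-key-fpr>
            return fields[9].upper() == expected_fpr.upper()
    return False


def verify_tarball(tarball: str, signature: str,
                   expected_fpr: str = OPENSSH_RELEASE_KEY_FPR) -> bool:
    """Run gpg on a detached signature and apply the pinned-fingerprint check."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", signature, tarball],
                          capture_output=True, text=True, check=False)
    return check_gpg_status(proc.stdout.splitlines(), expected_fpr)


# Constructed status transcripts shaped like gpg's output for the signature above.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D3E5F56B6D920D30 Damien Miller <[email-removed]>
[GNUPG:] VALIDSIG 59C2118ED206D927E667EBE3D3E5F56B6D920D30 2016-01-13 1452734026 0 4 0 1 10 00 59C2118ED206D927E667EBE3D3E5F56B6D920D30
[GNUPG:] TRUST_UNDEFINED 0 pgp
""".splitlines()

# A good signature from some other key that happens to be in the keyring: gpg also exits 0 here.
STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <[email-removed]>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2016-01-13 1452734026 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp
""".splitlines()

# A tampered tarball: the signature does not match the data.
STATUS_BAD = ["[GNUPG:] NEWSIG",
              "[GNUPG:] BADSIG D3E5F56B6D920D30 Damien Miller <[email-removed]>"]

if __name__ == "__main__":
    print("release key  :", check_gpg_status(STATUS_GOOD))
    print("other key    :", check_gpg_status(STATUS_OTHER_KEY))
    print("bad signature:", check_gpg_status(STATUS_BAD))
```

Against the real files the call is verify_tarball("openssh-7.1p2.tar.gz", "openssh-7.1p2.tar.gz.asc"); it returns True only for the pinned key, which is the property a build pipeline actually needs.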

Full Process

Download the OpenSSH source, signature, and old key as described above.

Use pgpdump to determine the full Key ID used to sign the tarball.

Kenjis-MacBook-Air:pgpdump-0.29 kenji$ ./pgpdump openssh-7.1p2.tar.gz.asc 
Old: Signature Packet(tag 2)(428 bytes)
	Ver 4 - new
	Sig type - Signature of a binary document(0x00).
	Pub alg - RSA Encrypt or Sign(pub 1)
	Hash alg - SHA512(hash 10)
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Wed Jan 13 17:13:46 PST 2016
	Sub: issuer key ID(sub 16)(8 bytes)
		Key ID - 0xD3E5F56B6D920D30
	Hash left 2 bytes - d2 4c 
	RSA m^d mod n(3197 bits) - ...
		-> PKCS-1

If you don’t have pgpdump, gpg --verify shows the short key ID (gpg --keyid-format long prints the full 64-bit ID). Short key IDs are only 32 bits and can be collided, so resolve to the full ID or the fingerprint before fetching a key:

Kenjis-MacBook-Air:ssh kenji$ gpg --verify openssh-7.1p2.tar.gz.asc openssh-7.1p2.tar.gz
gpg: Signature made Wed Jan 13 17:13:46 2016 PST using RSA key ID 6D920D30
gpg: Can't check signature: public key not found

Or you can parse the signature packet by hand, as described under PGP Signature Parsing below.

Download the signature key from the MIT PGP Public Key Server at 0xD3E5F56B6D920D30.

The OpenSSH mailing list (https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-December/031905.html) shows that Damien Miller is the signer of the portable source. Search for all of his keys on the MIT Key Server https://pgp.mit.edu/pks/lookup?search=Damien+Miller&op=index. This shows 0xD3E5F56B6D920D30 and 0xCE8ECB0386FF9C48 (i.e. DJM-GPG-KEY.asc) belonging to Damien Miller. Even though 0xCE8ECB0386FF9C48 is listed as revoked, I think the keys can be trusted, because DJM-GPG-KEY.asc continues to be posted on the OpenSSH mirrors and the creation date of 0xD3E5F56B6D920D30 is consistent with the mailing list announcement. Keep in mind that anyone can upload a key under any name to a key server, so the name match alone proves nothing; the cross-signature from the old key and the consistency with the announcement are what carry weight, and the strongest check is to compare the full fingerprint (59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30) with a copy obtained through a second, independent channel.

Verify the signature on the current key and the source as described above.

PGP Signature Parsing

Extract the raw signature:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGsBAABCgAGBQJWlvZKAAoJENPl9Wttkg0w0kwMfRd8u1P8+RDXoF32uhtOwQAY
31cJz2gBf2jnBV/BEzxBNCvpObE9ECCMyWK0RSCjHQBxfwoW4YdkAArBZxbexXtU
fXOlUdcB1cc4OqgvvufktMt5txg17VSKv8tI23mCT0Ibs3dppz+PNAH2LzcKWTXb
Hr7PQzY4qufZ336R6ADKuXqfUFDNx7oLEiehTrSC7AhIM3Wagqv2dRBJNkW/Ci3w
qWnTQ6IOD5A//EDLVW0SqQ1/4n7mWBmkoiRw0xzFxRnnHKjhwIGqwj5oOoDFzZOa
6XtOcIwh9VXemTl5Gq+ZaiaRFA1TRHsVXVT1TgSUgB3Muy3PyOFHmHEZlLyfPrNV
/WjoV18zosVGd2egGB8jK6xzftpPeoVndiWPwSIz52E6xBtoCVXr0ksjz3wbgx+9
NOVF58Zo19eN6Nf1H4EP3K0aNDnjM5lsByphGGk5W7sQUc0u4Yvw4Rbc9VGV8I/Z
Sddw5WProNQXmsO06eO2ey8POUI4CaKTe8UWfc74MXkF93m8MD7VdmB4lYCsFi8=
=0gQS
-----END PGP SIGNATURE-----

Copy the base64 lines into a file, without the BEGIN/END lines, the Version header, or the final =0gQS line (that is the armor's CRC-24 checksum, not part of the packet).

Convert the base64 to binary and then view it in a hex editor (-D is the macOS flag; GNU coreutils uses base64 -d):

base64 -D <file> | xxd
0000000: 8901 ac04 0001 0a00 0605 0256 96f6 4a00  ...........V..J.
0000010: 0a09 10d3 e5f5 6b6d 920d 30d2 4c0c 7d17  ......km..0.L.}.
0000020: 7cbb 53fc f910 d7a0 5df6 ba1b 4ec1 0018  |.S.....]...N...
0000030: df57 09cf 6801 7f68 e705 5fc1 133c 4134  .W..h..h.._..<A4
0000040: 2be9 39b1 3d10 208c c962 b445 20a3 1d00  +.9.=. ..b.E ...
0000050: 717f 0a16 e187 6400 0ac1 6716 dec5 7b54  q.....d...g...{T
0000060: 7d73 a551 d701 d5c7 383a a82f bee7 e4b4  }s.Q....8:./....
0000070: cb79 b718 35ed 548a bfcb 48db 7982 4f42  .y..5.T...H.y.OB
0000080: 1bb3 7769 a73f 8f34 01f6 2f37 0a59 35db  ..wi.?.4../7.Y5.
0000090: 1ebe cf43 3638 aae7 d9df 7e91 e800 cab9  ...C68....~.....
00000a0: 7a9f 5050 cdc7 ba0b 1227 a14e b482 ec08  z.PP.....'.N....
00000b0: 4833 759a 82ab f675 1049 3645 bf0a 2df0  H3u....u.I6E..-.
00000c0: a969 d343 a20e 0f90 3ffc 40cb 556d 12a9  .i.C....?.@.Um..
00000d0: 0d7f e27e e658 19a4 a224 70d3 1cc5 c519  ...~.X...$p.....
00000e0: e71c a8e1 c081 aac2 3e68 3a80 c5cd 939a  ........>h:.....
00000f0: e97b 4e70 8c21 f555 de99 3979 1aaf 996a  .{Np.!.U..9y...j
0000100: 2691 140d 5344 7b15 5d54 f54e 0494 801d  &...SD{.]T.N....
0000110: ccbb 2dcf c8e1 4798 7119 94bc 9f3e b355  ..-...G.q....>.U
0000120: fd68 e857 5f33 a2c5 4677 67a0 181f 232b  .h.W_3..Fwg...#+
0000130: ac73 7eda 4f7a 8567 7625 8fc1 2233 e761  .s~.Oz.gv%.."3.a
0000140: 3ac4 1b68 0955 ebd2 4b23 cf7c 1b83 1fbd  :..h.U..K#.|....
0000150: 34e5 45e7 c668 d7d7 8de8 d7f5 1f81 0fdc  4.E..h..........
0000160: ad1a 3439 e333 996c 072a 6118 6939 5bbb  ..49.3.l.*a.i9[.
0000170: 1051 cd2e e18b f0e1 16dc f551 95f0 8fd9  .Q.........Q....
0000180: 49d7 70e5 63eb a0d4 179a c3b4 e9e3 b67b  I.p.c..........{
0000190: 2f0f 3942 3809 a293 7bc5 167d cef8 3179  /.9B8...{..}..1y
00001a0: 05f7 79bc 303e d576 6078 9580 ac16 2f    ..y.0>.v`x..../
Packet Tag: 0x89 = 1000 1001b: bit 7 set (OpenPGP packet), bit 6 clear (old format), tag = (0x89 >> 2) & 0x0F = 2 (Signature), length type = 01 (2-octet packet length)
Packet Length: 0x01AC = 428 bytes
Signature Version: 0x04 = Version 4
Signature Type: 0x00 = Signature of a binary document
Public-Key Algorithm: 0x01 = RSA (Encrypt or Sign)
Hash Algorithm: 0x0A = SHA-512
Hashed Subpacket(s) Size: 0x0006 = 6 bytes
Hashed Subpacket: 0x05025696F64A
   Size: 0x05 = 5 bytes
   Type: 0x02 = Signature Creation Time
   Time: 0x5696F64A = 1452734026 = Wed Jan 13 17:13:46 PST 2016
Unhashed Subpacket(s) Size: 0x000A = 10 bytes
Unhashed Subpacket: 0x0910D3E5F56B6D920D30
   Size: 0x09 = 9 bytes
   Type: 0x10 = 16 = Issuer (the type byte is hex; decimal type 10, "placeholder for backward compatibility", is a different subpacket)
   Key ID: D3E5F56B6D920D30
Left 16 bits of hash: 0xD24C (a quick mismatch check only, not a security check)
MPI Length: 0x0C7D = 3197 bits = 400 bytes
RSA signature value: the remaining 400 bytes (offsets 0x1F through 0x1AE)

Note that the issuer key ID sits in the unhashed area, so it is not covered by the signature. It is only a hint for which key to fetch; nothing binds the signature to that key until gpg --verify succeeds with it.
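To check the hand parse above, here is an added example (mine, not from the original post) that dearmors the signature block shown above and decodes the packet header, the hashed and unhashed subpackets, the left 16 bits of the hash and the MPI length. It also verifies the =0gQS armor checksum (CRC-24 from RFC 4880) and records whether the issuer subpacket came from the hashed or the unhashed area. Only old-format packet headers, which this signature uses, are handled, and only the fields walked through above are decoded; the RSA signature value itself is not verified here, that is gpg's job.

```python
import base64
import struct

# Detached signature for openssh-7.1p2.tar.gz, copied from the armored block above.
ARMORED_SIG = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGsBAABCgAGBQJWlvZKAAoJENPl9Wttkg0w0kwMfRd8u1P8+RDXoF32uhtOwQAY
31cJz2gBf2jnBV/BEzxBNCvpObE9ECCMyWK0RSCjHQBxfwoW4YdkAArBZxbexXtU
fXOlUdcB1cc4OqgvvufktMt5txg17VSKv8tI23mCT0Ibs3dppz+PNAH2LzcKWTXb
Hr7PQzY4qufZ336R6ADKuXqfUFDNx7oLEiehTrSC7AhIM3Wagqv2dRBJNkW/Ci3w
qWnTQ6IOD5A//EDLVW0SqQ1/4n7mWBmkoiRw0xzFxRnnHKjhwIGqwj5oOoDFzZOa
6XtOcIwh9VXemTl5Gq+ZaiaRFA1TRHsVXVT1TgSUgB3Muy3PyOFHmHEZlLyfPrNV
/WjoV18zosVGd2egGB8jK6xzftpPeoVndiWPwSIz52E6xBtoCVXr0ksjz3wbgx+9
NOVF58Zo19eN6Nf1H4EP3K0aNDnjM5lsByphGGk5W7sQUc0u4Yvw4Rbc9VGV8I/Z
Sddw5WProNQXmsO06eO2ey8POUI4CaKTe8UWfc74MXkF93m8MD7VdmB4lYCsFi8=
=0gQS
-----END PGP SIGNATURE-----
"""


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; the "=XXXX" armor line carries it."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str):
    """Strip the ASCII armor; return (raw packet bytes, armor CRC ok?)."""
    inner = text.split("-----BEGIN PGP SIGNATURE-----", 1)[1].split("-----END PGP SIGNATURE-----", 1)[0]
    _headers, _, data = inner.partition("\n\n")        # armor headers end at the first blank line
    lines = [l.strip() for l in data.splitlines() if l.strip()]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    raw = base64.b64decode("".join(lines))
    crc_ok = crc_line is not None and base64.b64decode(crc_line[1:]) == crc24(raw).to_bytes(3, "big")
    return raw, crc_ok


def packet_header(raw: bytes):
    """Decode an old-format packet header (RFC 4880 4.2.1); return (tag, body length, body offset)."""
    b = raw[0]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b & 0x40:
        raise ValueError("new-format packet headers are not handled in this example")
    if b & 0x03 == 3:
        raise ValueError("indeterminate length not supported")
    fmt, n = {0: (">B", 1), 1: (">H", 2), 2: (">I", 4)}[b & 0x03]   # 0x89 above: type 1, 2 octets
    return (b >> 2) & 0x0F, struct.unpack(fmt, raw[1:1 + n])[0], 1 + n


def subpackets(data: bytes):
    """Yield (type, value) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(data):
        n = data[i]
        if n < 192:
            length, i = n, i + 1
        elif n < 255:
            length, i = ((n - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]   # bit 7 of the type byte is the "critical" flag
        i += length


def parse_signature(raw: bytes) -> dict:
    """Decode a version-4 signature packet down to the first MPI; does not verify the signature."""
    tag, length, off = packet_header(raw)
    if tag != 2 or raw[off] != 4:
        raise ValueError("not a version-4 signature packet")
    body = raw[off:off + length]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    areas = (("hashed", body[6:p]), ("unhashed", body[p + 2:p + 2 + unhashed_len]))
    p += 2 + unhashed_len                              # now at the left 16 bits of the hash
    mpi_bits = struct.unpack(">H", body[p + 2:p + 4])[0]
    info = {"packet_length": length, "sig_type": body[1], "pub_alg": body[2], "hash_alg": body[3],
            "hash_left16": body[p:p + 2].hex().upper(), "mpi_bits": mpi_bits,
            "mpi_bytes": (mpi_bits + 7) // 8, "created": None,
            "issuer_key_id": None, "issuer_in_hashed_area": False}
    if len(body) < p + 4 + info["mpi_bytes"]:         # RSA has one MPI; DSA/ECDSA carry a second
        raise ValueError("truncated MPI")
    for area, subs in areas:
        for stype, value in subpackets(subs):
            if stype == 2 and area == "hashed":        # signature creation time
                info["created"] = struct.unpack(">I", value)[0]
            elif stype == 16:                          # issuer key ID (type 10 is the "placeholder")
                info["issuer_key_id"] = value.hex().upper()
                info["issuer_in_hashed_area"] = area == "hashed"
    return info


def parse_armored_signature(text: str) -> dict:
    raw, crc_ok = dearmor(text)
    return {**parse_signature(raw), "crc_ok": crc_ok}
```

Running parse_armored_signature(ARMORED_SIG) reproduces the values worked out above: issuer key ID D3E5F56B6D920D30 taken from the unhashed area, left 16 bits D24C, a 3197-bit (400-byte) RSA MPI, and a creation time of 1452734026 seconds, which is Wed Jan 13 17:13:46 PST 2016.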