Applications:Strongest static password
From Yubico
Strongest static password by Collective Software
The official Yubico Applications:Static_password tool does not generate very strong passwords, and it is easy to accidentally create an extremely weak, well-known password if you enter bad input into the tool. Collective has put together a simple Windows Script tool that makes it easy to create static passwords from a known-strong source of randomness.
StaticKey version 1.0 Copyright(c) 2009 Collective Software, LLC Free to use for the yubikey community, in the hopes it will be useful.
A simple "static password" yubikey programmer for Windows Script Host. It produces a 64-character password with 256 bits of true complexity (or shorter, if you enter a shorter input string).
Instructions:
IMPORTANT: You need to have yubikcom.dll registered. This can be done by installing the so-called "personalization tool" from http://www.yubico.com/developers/personalization/
Simple usage:
- Install the "personalization tool" (see above)
- Make sure you understand that you are deleting the old yubikey data!
- Plug in your yubikey
- Launch script
- Enter a hexadecimal string of up to 64 characters, such as one generated at:
https://www.grc.com/passwords.htm
- After the key is programmed, touch the green ring to see the static password.
There are three things you should understand about your static passwords:
1. Yubikeys always talk in the language of "modhex" which is similar to normal hexadecimal, except instead of:
0123 4567 89ab cdef
it uses the characters:
cbde fghi jkln rtuv
So no matter what you enter for the input, the output will always look like modhex.
2. A 64-character yubikey static password does *not* have 512 bits of complexity, but only 256. This is because of the hex/modhex encoding noted above: each character represents only 4 bits of real information.
3. (Up to) the first 32 characters of the static password will be a modhex transcription of the first characters of your input string. BUT the last 32 characters will be the result of an AES encryption operation. They will be the same every time, because all the inputs to the AES operation are the same (static), but they are not a literal copy of your exact input characters.
For example, for the input string:
0000000000000000000000000000000000000000000000000000000000000000
the static password generated is:
ccccccccccccccccccccccccccccccccncejelrjvjvvciclerknrlihnteljrcb
You see the first half is all "c"s, which is modhex for "0", but the last half is changed by the AES. This is not a "feature" or a "bug". The AES operation does not add or subtract any security in this situation, since it produces the same static result each time. It is just an artifact of the way Yubico programmed their firmware.
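The modhex mapping, the 4-bits-per-character limit and the "first half is a transcription" behaviour described above, worked through in code. This is an added example, not part of the Collective Software script or of Yubico's tool; the alphabets are the ones listed above, the password is the page's own sample, and checkInput is a hypothetical pre-programming sanity check.

```javascript
// Alphabets exactly as given on the page: hex digit i maps to MODHEX[i].
const HEX = '0123456789abcdef';
const MODHEX = 'cbdefghijklnrtuv';

// Hex -> modhex, the alphabet the yubikey actually types.
function hexToModhex(hex) {
  let out = '';
  for (const ch of hex.toLowerCase()) {
    const i = HEX.indexOf(ch);
    if (i < 0) throw new Error('not a hex digit: ' + ch);
    out += MODHEX[i];
  }
  return out;
}

// Modhex -> hex, to read a typed password back into the input it came from.
function modhexToHex(modhex) {
  let out = '';
  for (const ch of modhex.toLowerCase()) {
    const i = MODHEX.indexOf(ch);
    if (i < 0) throw new Error('not a modhex digit: ' + ch);
    out += HEX[i];
  }
  return out;
}

// Each hex/modhex character carries 4 bits, so 64 characters hold at most
// 256 bits of real information, never 512.
function maxEntropyBits(password) {
  return password.length * 4;
}

// Hypothetical sanity check on the entry string before programming a key.
// It rejects obviously degenerate input (the "0000..." case that yields a
// well-known password); it cannot prove the input is actually random.
function checkInput(hex) {
  const problems = [];
  if (!/^[0-9a-fA-F]*$/.test(hex)) problems.push('non-hex characters');
  if (hex.length > 64) problems.push('longer than 64 characters');
  if (hex.length < 64) problems.push('only ' + hex.length * 4 + ' bits, not 256');
  if (new Set(hex.toLowerCase()).size <= 1) problems.push('single repeated digit');
  return problems;
}

// True when the first 32 password characters are the modhex transcription of
// the first 32 input characters, as described above for the all-zero input.
function firstHalfMatches(inputHex, password) {
  return hexToModhex(inputHex.slice(0, 32)) === password.slice(0, 32);
}
```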
Other details
This programmer is completely deterministic and does not add any randomness or complexity to your password beyond the hex characters you enter. Entering the same value many times will produce identically programmed keys (this is considered a feature). So it is IMPORTANT to use a VERY RANDOM entry string so you will be as secure as possible. Get your string from https://www.grc.com/passwords.htm or some other source of strong randomness. Do not just type stuff from your keyboard.
If you want to remove the "enter" key from the end of the password entry sequence, comment out the line:
yk.ykFlagProperty(5) = true;
by adding two slashes // in front of it.
If you want it to be a "tab" instead of an "enter", change the line to
yk.ykFlagProperty(2) = true;
