A 32-character password string that is resistant to a dictionary attack is not that bad after all. And best of all, you can use it to login to legacy systems supporting static passwords only.
Therefore, effective from firmware version 1.3.0, we've added a "sneak" feature to support static OTPs by the means of a configuration flag.
It is fully compatible with the current field layout with the difference that all dynamic fields (including the rnd16) are forced to a fixed value, in this case 0xff and 0xffff respectively. Therefore, the generated OTP remains the same every time.
We've not updated the authentication server to support this feature yet, but as it will distinguish between a BAD_OTP and a REPLAYED_OTP, responses other than BAD_OTP can be considered ok.
Jakob E
Hardware- and software guy @ YubicoStatistics: Posted by Jakob — Tue Jun 03, 2008 11:44 pm
]]>