Yubico Forum

I just receive my YubiKey 2.0 today, I bought it thinking to use it to store a "hard to remember password"

But I found out that I can't set my own password.
All I want to do is use it for static password to logon to my email and store my WPA key. No need for One time password.

Is there a way that i can input my own password? I dont want it to generate a password for me, I want me myself to generate password for it, not the other way around.


Regards,
Security Now! Listener from Singapore.

The YubiKey 2.0 provides an interesting feature where we can program it to emit our desired password. The Yubico personalization utility 2.0 provides an option called "Scan code mode" in the static password configuration. The scan code mode provides a mechanism to generate a string based on any arbitrary keyboard scan code. Just select the "Scan code mode" option and punch in your password in the scan code input field. After programming the YubiKey, it will emit the password punched by you. The scan code mode allows to generate up to 16 characters password.

You can download the latest Yubico personalization utility and user guide from the following link:

http://www.yubico.com/developers/personalization/

We hope this helps!

Thanks.

Is there a way to store more than 16 characters?

And how do I use the config 1 for static, and config 2 for logging in to yubico?

For compatibility (Yubikey 1) reasons, we've limited the number of characters in scan code mode to 16. As all characters (not just Modhex characters) can be used in this mode, we thought this should be enough.

Regards,

JakobE
Hardware- and firmware guy @ Yubico

Thanks for that information. However, are there any plans to change this ideally in some sort of firmware update. As to be honest I've just received two YubiKeys purely for the purpose of using for static passwords of at least 40 characters upper, lower, numeric and special and 16 characters isn't any use to me, so it looks like I have 2 beautifully made, very secure devices that are completely useless to me.

Please don't key me wrong, it's my fault as this information is available on the boards and you provide your manual to download, I stupidly inferred these features from listening to Security Now, without clarifying my understanding first.

If you can't update the firmware could I humbly suggest you consider a YubiKey 3 - Basic model which I suspect if marketed properly would out sell all your other models. All it would do is allow users to set a long password of any acceptable character, ideally storing perhaps 3 depending on the type of touch 1 tap for the first 1 two quick taps for the second 3 taps for the 3rd.
And by default to return character at the end, encouraging users to enter their own pin at the end. These could then be used for email access, on-line banking and storing WPA keys.

Although not as secure as one time passwords, they are instantly compatible with any existing system, simple to undestand and absolutely ideal to distribute between family members and friends to encourage them to be far more safe with their banking etc - although admittedly key loggers are still a problem.

Without doubt your products are great just unfortunately no use form my particular needs, so assuming there is no firmware update solution, if there is anyone in the UK that wants two free YubiKeys I'm happy to pass them on.

David in Edinburgh, Scotland
Security Now listener

The new YubiKey 2.0 provides an interesting feature called "Strong password policy" where we can program the YubiKey to generate very long static passwords with upper, lower case letters, numbers and an "!" special character. We need to use the new Yubico configuration utility to utilize this feature. The new Yubico configuration utility and the user manual can be downloaded from the following link:

http://www.yubico.com/developers/personalization/

For using this feature follow the steps given below:

1) Select the "Create a static YubiKey configuration (password mode)" from the Select task screen
2) Choose either "Basic" or "Advanced" mode and select the appropriate number of characters
3) Provide the appropriate values
4) From the "Specify output parameters" screen, select the options provided under the "Strong password policy" and program your YubiKey

Selecting all the options of the "Strong password policy" will result in the generation of a similar static password as given below:

!2VUr4jlkkcrdfkvvetgebluutccubjieblkruculrijglgejdn

We hope this helps!

I would have to (respectfully) concur with the original post here.

The use of this key for all intensive purposes is useless to my needs as well, and quite frankly I am a bit upset. I watched your YouTube video on setting static passwords and it CLEARLY showed you inserting your own static password into the key....albeit one generated from the GRC website. Now after getting 3 of these keys I find that not only can I NOT insert my own "chosen" password I can not even use more than 1 special caricature other than " ! "

I am exceptionally disappointed that a feature that WAS shown on your video is NOT a feature on the keys I have now.
At least for me, the best part of what your product USED to offer is now gone......Personally, I believe this to be a major mistake on your developers behalf.

For my business network I wished to use these for admin access to network systems where my Group Policy REQUIRES a level of complexity with mixed Upper, Lower, Numbers and special caricatures of a specified length. I currently have it set to 12 caricatures but wished to increase the length to 32 caricatures which is simply too long to remember....or brute force.

Thankfully they are not expensive, and I only purchased 3 for testing purposes so its not a huge deal. However I was looking to use these for my new network system that may eventually include up to 1000+ users and due to how I wished to manage the keys I will have to seriously re-think this product as it clearly has design limitations that prevent me from using it as I intended....Back to the drawing board.

The other issue that bothers me is that when I allow the key to be programmed with a static password, the one it generates ALWAYS has MULTIPLE repetitive caricatures like the one below......Compared to the GRC's random generator your has much to be desired.

Example generated key: L82Rdcjbllnldhdknjlfuktdtdjlgukkcgtklhedgfhjecibdibukuejicvknneb

I'm not perfectly sure I understand the issue here.

An arbitrary password can be set by using the "Scan code mode". This mode however is suceptible to different keyboard layouts so if you're fine with a 32+ character password, we recommend users to have the Modhex mode.

One can of course ask - Why not simply use an arbitrary 32+ Modhex password ? This is a V1 Yubikey limitation and also an intent to be able to use the validation server with static keys. Yes - you'll get a replay error after the second submitted, but it works.

Regarding the entropy and the security: The password generated is an encrypted output of the data generated by the configuration tool. If you use the random function provided by the configuration tool, a random number is generated using the Windows CryptGenRandom function. I beleive the function is FIPS/EAL4 certified and unless you're running Windows 2000, it should fulfil most needs.

The output is an AES encrypted Modhex string using this randomized key and an equally randomized UID as input. If you have a 32 character output string selected, you'll get an entropy of 32 x 4 = 128 bits. The AES encryption will just obfuscate it all a bit more.

As we have a 16-byte binary string as the foundation for the output, we will very likely get repeated characters. Not very strange as the probability of a byte being 0x00, 0x11, 0x22, 0x33.... 0xee, 0xff is 1/16. Given that we have 16 bytes in the output - the probablility is close to 100% that you get at least one occurance of repeated characters in the string.

The bottom line here is that the entropy is what makes up the password complexity, not the occurence of repeated characters or mix between upper- and lower case letters. This of course assumes that the password length is not an issue. If you're limited to 8 characters, it's a different story.

I won't go into details here, but I cannot possibly see how anyone could argue against an 128-bit entropy password not being strong enough. As 2^128 is approx 10^38 it should be obvious that a brute force attack is not possible for any application whatsoever.

Please let me know if there is something I've missed here.

Witht the best regards,

Jakob E
Hardware- and firmware guy @ Yubico

Its a very simple one, your product produces the password in static mode. This severely limits its use with applications where the password, or "key" has already been implemented or with products where it produces the pass phrase.

A simple example is one that I read on this very forum....A Wireless router. I cant speak for all brands, but my router lets me select a "mode" of encryption (WEP , WAP) etc, and then automatically generates a series of keys...Much like how your product works. If a person does not wish to store this information on say a wireless laptop and wants to use the Yubikey for manual insertion of that pass phrase than they can not use your product....at least not a way that I can figure out. I fully admit that I am not a "professional" coder, and maybe I am missing something here.

This is just one basic example of why the Yubikey should be able to be programmed with my own password rather than relying on your system to make one. For instance I have a web based CRM system that will be accessed by some of my business partners. The system already automatically generates a long 32 caricature user ID string that uniquely identifies each user. This ID is also used to manage the account and link other data that requires the ID string to remain static as I have bridged multiple systems together and that unique ID sting is used throughout the system to manage data for that user as well. The entire process is automatic when a new user is created and makes a phrase like this one Example: 7iLd=R0mKS*wsU$c4Gonbl}P0&i>&ok[

I had planned on programming the Yubikey with the ID string and use it as the password for access. In my case, I would have to manually access every bridged system and change the ID string to match what your configuration tool gives me, rather than the other way around. For obvious reasons that is not practical. My CRM uses other methods to help secure the server such as GEOIP location, user agents ID, DPI (deep packet inspection) and proxy detection so at least for my use some of your advanced "features" are not desirable or applicable. Also I do NOT want to implement the use of your authentication server to validate my key since I wish to have complete control in house.

So while I think this product is great, and I may still yet find a method to apply it to my existing systems, the inability to use my own static passwords makes it hard to implement without fundamentally rewriting how my system works......Not to mention the problems of implementing it for use where a user is not able to supply the pass phrase, such as the case of the Yubikey 2.0. I believe that you may find more customers using your product if you simply offer them the option rather than imposing your own restrictive configuration tool.

As mentioned, I watched YOUR video where it clearly showed how to insert your own static password, (obviously outdated) and it was that EXACT feature I was drawn too. I did read the PDF user manual before purchase, admittedly rather quickly but nowhere did it state that the version 2.0 Yubikey would NOT allow me to use that function. You should remove that video from your YouTube channel and replace it with a current one.

OR, as I am some others would agree....return the function that allows me to program the key per my requirements or needs. While its obvious that your product is intended to produce the most secure tool you can, I think that you may have "over-engineered" the process and limited its application to those like myself who wish to use it as just one part of a larger security/authentication system.

I feel a bit lost here. You can do that on the V2 keys (not on the V1 keys) - with the caveat that it may may not work on all keyboard layouts. That's not very much we can do anything about as the translation from scan codes and a specific keystroke is done by the OS.

The "scan code" mode password does just exactly that and allows you to create an arbitrary string of up to 16 characters.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico