Although one can argue that a static OTP would somewhat compromise the whole concept behind a hardware token, there are certain use cases where this makes sense. Quite a few people have asked about this feature.
A 32-character password string that is resistant to a dictionary attack is not that bad after all. And best of all, you can use it to log in to legacy systems supporting static passwords only.
Therefore, effective from firmware version 1.3.0, we've added a "sneak" feature to support static OTPs by means of a configuration flag.
It is fully compatible with the current field layout with the difference that all dynamic fields (including the rnd16) are forced to a fixed value, in this case 0xff and 0xffff respectively. Therefore, the generated OTP remains the same every time.
We've not updated the authentication server to support this feature yet, but as it will distinguish between a BAD_OTP and a REPLAYED_OTP, responses other than BAD_OTP can be considered ok.
Jakob E Hardware- and software guy @ Yubico
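The key side and the server side of what the post describes, as an added example in Go; it is not the post's or Yubico's code, and the post does not spell out the field layout. The example assumes the publicly documented YubiKey OTP block (6-byte private ID, 16-bit use counter, 24-bit timestamp, 8-bit session counter, 16-bit random, 16-bit CRC; AES-128 encrypted, then modhex encoded), a constructed AES key and private ID, and a hypothetical minimal verifier that checks only the CRC, the private ID and the counters. `staticToken` forces every dynamic field to all ones as the post says, so `generateOTP` returns the same 32 characters on every call; the verifier answers OK on the first submission and REPLAYED_OTP on every later one, but never BAD_OTP, which is the distinction the post's last paragraph relies on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)
// Modhex: the keyboard-layout-independent alphabet YubiKeys type out.
const modhex = "cbdefghijklnrtuv"

// token is the 16-byte plaintext a YubiKey AES-128-encrypts. Layout assumed from the
// public format: uid(6) | useCtr(2 LE) | timestamp(3 LE) | sessionCtr(1) | rnd(2 LE) | crc(2 LE)
type token struct {
	uid        [6]byte
	useCtr     uint16
	timestamp  uint32 // low 24 bits are packed
	sessionCtr uint8
	rnd        uint16
}

// crc16 is the ISO 13239 CRC of the format; a valid 16-byte token leaves residue 0xf0b8.
func crc16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 }
		}
	}
	return crc
}

func (t token) pack() [16]byte {
	var out [16]byte
	copy(out[:6], t.uid[:])
	binary.LittleEndian.PutUint16(out[6:8], t.useCtr)
	out[8], out[9], out[10] = byte(t.timestamp), byte(t.timestamp>>8), byte(t.timestamp>>16)
	out[11] = t.sessionCtr
	binary.LittleEndian.PutUint16(out[12:14], t.rnd)
	binary.LittleEndian.PutUint16(out[14:16], ^crc16(out[:14])) // complemented CRC of bytes 0..13
	return out
}

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b { out = append(out, modhex[c>>4], modhex[c&0x0f]) }
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, (len(s)+1)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 { return nil, fmt.Errorf("non-modhex character %q", s[i]) }
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// generateOTP (key side): AES-encrypt the packed token and modhex-encode the ciphertext.
func generateOTP(key []byte, t token) string {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	pt, ct := t.pack(), make([]byte, 16)
	block.Encrypt(ct, pt[:])
	return modhexEncode(ct) // 32-character OTP body; the public ID prefix is omitted here
}

// staticToken models the post's flag: every dynamic field forced to all ones (0xff / 0xffff).
func staticToken(uid [6]byte) token {
	return token{uid: uid, useCtr: 0xffff, timestamp: 0xffffff, sessionCtr: 0xff, rnd: 0xffff}
}

// verifier: hypothetical minimal server (not Yubico's). CRC or private ID mismatch
// gives BAD_OTP; counters that do not advance give REPLAYED_OTP.
type verifier struct {
	key  []byte
	uid  [6]byte
	seen bool
	last uint32 // useCtr<<8 | sessionCtr of the last accepted OTP
}
func (v *verifier) verify(otp string) string {
	ct, err := modhexDecode(otp)
	if err != nil || len(ct) != 16 { return "BAD_OTP" }
	block, _ := aes.NewCipher(v.key) // key length is the server's own configuration
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 || !bytes.Equal(pt[:6], v.uid[:]) { return "BAD_OTP" }
	cur := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11])
	if v.seen && cur <= v.last { return "REPLAYED_OTP" }
	v.seen, v.last = true, cur
	return "OK"
}

func main() {
	key, uid := []byte("constructed-key!"), [6]byte{1, 2, 3, 4, 5, 6} // constructed values
	otp, v := generateOTP(key, staticToken(uid)), &verifier{key: key, uid: uid}
	fmt.Println(otp, otp == generateOTP(key, staticToken(uid))) // same OTP every time
	fmt.Println(v.verify(otp), v.verify(otp))                   // OK REPLAYED_OTP
}
```

Running `main` prints the static OTP, `true` for the second generation matching it, and then `OK REPLAYED_OTP`. The practical point for the legacy use case is visible in the verifier: a system that merely compares the 32-character string sees an ordinary password, while a counter-tracking validation server reports every reuse as a replay, so the "anything but BAD_OTP is fine" rule in the post is what makes the static mode usable against such a server.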