Yubico Forum
https://forum.yubico.com/

[Q][Issue] Static Password - Scan Code - Shift Stuck issue
https://forum.yubico.com/viewtopic.php?f=26&t=1985
Page 1 of 1

Author:  Kryptonit3 [ Thu Jul 30, 2015 5:42 pm ]
Post subject:  [Q][Issue] Static Password - Scan Code - Shift Stuck issue

I created a github issue, hopefully in the right repo, here is a link: https://github.com/Yubico/yubikey-perso ... /issues/53

Here is a copy for those that want to stay on the forum:

OS: Windows 10 x64 (build 10240)
APP: YubiKey Personalization Tool
  • application version: 3.1.20
  • library version: 1.17.0
YubiKey: Neo FW 3.4.3

When generating a static password on slot 2 with Scan Code, if the password ends in a capital letter, when using the YubiKey to generate slot 2 input, for some reason my keyboard is "Stuck" with shift. Every letter I manually type after that is capital. I was able to kick this "lock" by hitting my left shift key 5 times to prompt the sticky key window and clicking no.

Here is a video: http://youtu.be/Y28X8yA2E2U

P.S. this isn't an issue if I do Advanced instead of Scan Code. My issue with advanced is that the password it generates usually only has 2 Uppercase characters and only about 2 or so numbers and the rest is all lowercase letters and they look very similar.

Example with using Advanced: 31GUniglknrihhjbbjiclurlvrhhdrih
That password is pitiful.

Author:  Morphlin [ Fri Aug 07, 2015 5:28 pm ]
Post subject:  Re: [Q][Issue] Static Password - Scan Code - Shift Stuck iss

I have the exact same issue.

Do you think it's actually an issue from the Personalization tool or from the Yubikey firmware?

My NEO's firmware is 3.4.2. I'm on Windows 8.1 Pro MCE x64 with tool 3.1.20.

Also, I have another Yubikey NEO firmware 3.1.2 and it does not cause this problem.

Author:  dain [ Tue Sep 22, 2015 4:30 pm ]
Post subject:  Re: [Q][Issue] Static Password - Scan Code - Shift Stuck iss

We'll have to look into the shift issue, I haven't heard of it before.

Regarding the "pitiful" password, here's an explanation:

The non-scancode mode uses modhex characters (these are the same ones used in our YubiKey OTPs), which offer the benefit of working on a vast number of different keyboard layouts. This means that you can use a YubiKey with a modhex static password set on different computers that have different keyboard layouts set, and still get the same password. Some small tweaks are done to ensure that there are uppercase values as well as digits in the password, which is required for some applications. How secure is this? Let's do the math:

There are 32 characters in the password. The modifications to some characters to get uppercase and digits aside, there are 16 possible characters in each position. 16 = 2^4, which means that each character gives us 4 bits of entropy. With 32 characters, that's a total of 32*4 = 128 bits of entropy. That's 340282366920938463463374607431768211456 possible combinations. An attacker would have to try half of those, on average, to guess the correct one. If we assume that an attacker is capable of trying 1,000,000,000 passwords each second, it would take somewhere around 5395141535403007094485 years to crack it.

Author:  Morphlin [ Sun Sep 27, 2015 3:41 pm ]
Post subject:  Re: [Q][Issue] Static Password - Scan Code - Shift Stuck iss

Thanks Dain for looking into it.

If I wasn't depending on the key for code signing, it would have been RMA'd already. It's really annoying.

Author:  dain [ Tue Oct 13, 2015 12:21 pm ]
Post subject:  Re: [Q][Issue] Static Password - Scan Code - Shift Stuck iss

We've looked at the issue and have narrowed down the bug. Please follow (and post to) this Github issue for updates to this:

https://github.com/Yubico/yubikey-perso ... /issues/53

EDIT: We're making progress now, updated this post to reflect that.

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/