Yubico Forum

I created a github issue, hopefully in the right repo, here is a link: https://github.com/Yubico/yubikey-perso ... /issues/53

Here is a copy for those that want to stay on the forum:

OS: Windows 10 x64 (build 10240)
APP: YubiKey Personalization Tool

• application version: 3.1.20
• library version: 1.17.0

YubiKey: Neo FW 3.4.3

When generating a static password on slot 2 with Scan Code, if the password ends in a capital letter, when using the YubiKey to generate slot 2 input, for some reason my keyboard is "Stuck" with shift. Every letter I manually type after that is capital. I was able to kick this "lock" by hitting my left shift key 5 times to prompt the sticky key window and clicking no.

Here is a video: http://youtu.be/Y28X8yA2E2U

P.S. this isn't an issue if I do Advanced instead of Scan Code. My issue with advanced is that the password it generates usually only has 2 Uppercase characters and only about 2 or so numbers and the rest is all lowercase letters and they look very similar.

Example with using Advanced: 31GUniglknrihhjbbjiclurlvrhhdrih
That password is pitiful.

I have the exact same issue.

Do you think it's actually an issue from the Personalization tool or from the Yubikey firmware?

My NEO's firmware is 3.4.2. I'm on Windows 8.1 Pro MCE x64 with tool 3.1.20.

Also, I have another Yubikey NEO firmware 3.1.2 and it does not cause this problem.

We'll have to look into the shift issue, I haven't heard of it before.

Regarding the "pitiful" password, here's an explanation:

The non-scancode mode uses modhex characters (these are the same ones used in our YubiKey OTPs), which offer the benefit of working on a vast number of different keyboard layouts. This means that you can use a YubiKey with a modhex static password set on different computers that have different keyboard layouts set, and still get the same password. Some small tweaks are done to ensure that there are uppercase values as well as digits in the password, which is required for some applications. How secure is this? Let's do the math:

There are 32 characters in the password. The modifications to some characters to get uppercase and digits aside, there are 16 possible characters in each position. 16 = 2^4, which means that each character gives us 4 bits of entropy. With 32 characters, that's a total of 32*4 = 128 bits of entropy. That's 340282366920938463463374607431768211456 possible combinations. An attacker would have to try half of those, on average, to guess the correct one. If we assume that an attacker is capable of trying 1,000,000,000 passwords each second, it would take somewhere around 5395141535403007094485 years to crack it.

Thanks Dain for looking into it.

If I wasn't depending on the key for code signing, it would have been RMA'd already. It's really annoying.

We've looked at the issue and have narrowed down the bug. Please follow (and post to) this Github issue for updates to this:

https://github.com/Yubico/yubikey-perso ... /issues/53

EDIT: We're making progress now, updated this post to reflect that.