Yubico Forum

Wow, I am not sure if what I am trying to get across is being by language barriers, or a simple misunderstanding??

Your implying that I can use a "static password" but you always include the word ARBITRARY. And it its the use of that word that is the crutch of this threads continuation. So lets first define that word so as to help clarify the complaint I and the person who started this thread have attempted to make.

ARBITRARY
1. Determined by chance, whim, or impulse, and not by necessity, reason, or principle:

Its easy to see now the problem I have........I cant use this product for my needs as I do NOT want an arbitrary static password that I CANT CHOOSE. See how easy this is to understand. While I don't wish to make an argument about how you should design your product, as a business person myself I tend to listen to my customers when they offer constructive criticism when it comes to reaching a larger market.

As mentioned, I need to have a product that...

1) Can be programmed with a password of my own choice for my needs.
2) Can use caricatures that I choose based on my companies requirements.
3) Stores the password in a manner that prevents the user from altering it.

Its obvious that the Yubikey can not fulfill the first 2 requirements, contrary to your argument that it can...because you keep inserting the catch word "arbitrary". Again, I may not be an "expert" IT person from your perception, however I have spent over 6 hours trying to program the key with a password of my own choice and its simply not possible....PERIOD

In my last post I gave the string Example: 7iLd=R0mKS*wsU$c4Gonbl}P0&i>&ok[ as what I need to program the key with so that when inserted into a computer it outputs that exact same string.

Sorry if my post seams rude, but your replies so far are implying that I can program the key (per my needs), but you always insert "exceptions" that sidestep the requirements that I have outlined. Either I can program the key with my own CHOSEN password, OR I cant......So far I cant.

If I am incorrect in the above statement than PLEASE, either explain how I can do this or simply admit that it cant be done (without any "caveats")......and I will either purchase more keys once I can program it per my needs, or I will stop wasting your time here and find a product that can perform tasks 1-3 as noted above.

Okay - apparently the discussion went wrong somehwere. I'll take the blame on me. Let's rewind the tape then and restart:

Pro primo - You can make up a password of any combination of one to sixteen characters available in your current keyboard layout that are either un-shifted or shifted. Use the configuration tool, secelect "Password mode" from the task panel and then select "Scan code mode".

Pro secundo - The current Windows configuration tool does not allow you to paste in a string as the tool captures the scan codes of each keystroke you type in. It is unfortunately non-trivial to fix or to add a function that randomizes a valid string for your current keyboard setting.

Pro tertio - Your example string won't work as it is 32 characters long. If you can tuncate it to 16 characters, your string will work.

Pro quarto - The final caveat then is that if you configure the key on your own keyboard and then use the key on a different computer with a different keyboard layout, it may not work. That is by design and nothing we can do anything about.


Regards,

Jakob E
Hardware- and firmware guy @ Yubico

Hi, trying to follow up on static mode.

I'm also trying to see how YB can fit our business.
And it seems that static mode could be the easiest first step.

1. My question to Jakob&Co. is it possible to make a new version of Configuration (or is Personalization as it referred on your website?) utility and firmware which can generate random password 64 or possibly longer.
The current Static -Basic mode when 64 characters only last 32 last characters are updates when YB button is pressed for 10 seconds,
When special character and capital letters are enabled, they are only used in a that first constant portion of password.
and '!' is always first.

Is it the limitation of API or Configuration Utility?
Most users have the same keyboard layout throughout the computers they use.
So to address Lain_'s question the only problem is to write a function that would convert a symbol to a scancode given current keyboard layout, and write their own tools using your API?

My understanding your COM API

Property ykStaticID As BSTR (Write only)
HRESULT ykStaticID([in] BSTR rhs);


and Linux library from
http://code.google.com/p/yubikey-personalization/

allows to program arbitrary 128 bit string?



The problem only is to generate new 64 character complex password internally using 10 sec YB button touch, you have to update firmware?


For using people using static mode compatibility is not an issue, and bring static mode to perfection giving people what they need, could be a real boost for YB deployment, and then when you would have enough users you can worry about compatibility?

2.
What is the meaning of Public and Private ID, AES key when programming YB in static mode.
I noticed that PID in modhex is just prepended to static password

and I guess the same algorithm used to generate OTP uses given PID and AES to generate password but in contrast to dynamic mode every time YB button is touched it just emits the same string it generated first time?


==============
Best regards,
YBTester.

Yes - there is a limitation in the configuration tool that it cannot take a string and have it pasted into the field where it gets converted to keystrokes. As I see it, there is no obvious way to make the scancode-keystroke mapping in a way so it supports all keyboard layouts. Maybe we could make a mapping tool where the user is asked to profile the current keyboard layout, where the user is asked to type in all ASCII-characters 0x20 - 0x7f. This mapping is then stored in some persistent way so it can be reused. We could then provide some default mappings for the most common keyboard layouts. Anyone with a better idea is very welcome to give a tips.

Would such a feature make sense ? We can then add this feature to the configuration tool.

As an alternative, like YBTester proposed - the configuration API can be used if you want to write your own utility.

But... The scan code mode is currently limited to 16 characters maximum and the limitation is in firmware. We could probably with a fairly small effort increase this to 16 + 6 + 16 = 38 characters by using the public ID, private ID and key fields when operating in static mode.

Regarding the 10-second manual upate feature - yes - this one updates the last 32 characters only.

I must admit that we've probably underestimated the needs of our customers with regards to the static mode. It was introduced as a gizmo kind of thing and we were prepared to drop it if users would be upset that we supported "such rubbish" as someone said in the early days. "Static mode is a joke - you guys shouldn't support such crap". It appears however like quite a few people use it and that the current implementation is not as flexible as it should be.

certain password policies. The length of the password would make it strong enough.

Apparently these assumptions were a bit wrong.

We’ll put what we’ve heard so far on the wish list for the next firmware updates. Any feedback on features is of course highly appreciated.

Thanks for all input,

JakobE
Hardware- and firmware guy @ Yubico

Thank you for your reply Jakob,

It would be great if you do symbol to scan code mapping in Config utility at least for US layout,
so users can paste in any password they want.
Maybe it is better if you figure out the mapping in advance, without having to type all ASCII-characters 0x20 - 0x7f.
It could be an option (hopefully YBCU will save it) for non-standard keyboards.

I think the more serious question is whether to allow firmware update or not.
Users always find some features they want that you did not have in mind or have your own opinion.
and it might be some other application that you had not anticipated at all, which can finally boost your product.
Isn't it one of the ideas of Open Source movement?
It especially applies to your product when you have not found your niche yet.

I was going to ask you about OATH support, but just found your post today. Great!
So what are the users who have old firmware supposed to do?

I have the same issue as above.... I'm trying to store a pre-generated 48 character numeric password (no ability to change it) to my yubikey, but it's limited to 32.

I understand you have to choose an arbitrary number for the maximum length, but more and more systems are getting longer and longer passwords (which is a great thing) and it would be great if Yubikey would be front-runner even if 128-bit entropy feels like overkill, if the input is limited to numbers (in my case) the entropy is lower than when you're able to set it to 38 different characters.