Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:07 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Thu Nov 14, 2013 3:45 pm 
Offline

Joined: Thu Nov 14, 2013 2:31 pm
Posts: 6
Hi,

the passwords generated by the yubico personalization software are unnecessarily weak since
a) not the entire ASCII character set is used
b) more importantly only the first few characters actually even use the configured character set, the rest of the password is just using lowercase letters!
Current typical yubico password example: 15HGubelehduvtbfchkldjtjrjirntjrcdlkigdficbcfjnjcvufhggulrirgttb
A 64 character password based on the ASCII character set would have a password entropy > 384 bits.
Because of the above mentioned restrictions the generated yubico passwords have a password entropy about 128 bit less than that.


A forum user had already mentioned the isssue about the password strength in 2011 - unfortunately without any reaction from yubico. http://forum.yubico.com/viewtopic.php?f=16&t=697

The yubico website says about the static password: "Core Static Password features: Can include any combination of 16 to 64 characters and/or numbers"
Unfortunately that is not the case. 64 characters are only possible when using the yubico password generator with the above mentioned limitations. If one chooses to configure a custom static password (for example generated with other software to include the entire ASCII character set) via using the Scan Code option of the yubico config software, just 38 characters are possible. This of course results in a serious decrease in password entropy and eats up the increase in entropy achieved with the extended character set.


Although I understand yubico sees the OTP as the main source of security with the yubikeys, still the two following issues should be implemented
(1) static password generator in yubico personalization tool should create password using the entire ASCII character set for all password characters instead of just putting a capital letter and a number in front of a password otherwise just using lowercase letters.

(2) there should be an option to configure a custom 64 character password (via entering a password generated by other software)

Of course if (1) is implemented the need for (2) is very much reduced. Effort for implementation of (1) should be neglectable.

Cheers,
Marcel


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Nov 15, 2013 8:31 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello DeepSpace,

A sixteen digit Yubikey random password has an entropy of 16^16 = 1.8e19
A standard Internet eight alphanumeric random password has 38^8 = 4.3e12 (alphanumeric/caps)

(hint: 2 modhex characters encode 256 bit)

what makes the strength is the length of the password not the domain size in this case.
The caps and numbers are there just to fool password requirements from common Internet services.

Regarding your second question, you are not considering multiple keyboards layouts.

_________________
-Tom


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group