Yubico Forum
https://forum.yubico.com/

[SOLVED] - Static Password Strength
https://forum.yubico.com/viewtopic.php?f=16&t=1233

Author:  DeepSpaceNine [ Thu Nov 14, 2013 3:45 pm ]
Post subject:  [SOLVED] - Static Password Strength

Hi,

the passwords generated by the yubico personalization software are unnecessarily weak since
a) not the entire ASCII character set is used
b) more importantly only the first few characters actually even use the configured character set, the rest of the password is just using lowercase letters!
Current typical yubico password example: 15HGubelehduvtbfchkldjtjrjirntjrcdlkigdficbcfjnjcvufhggulrirgttb
A 64 character password based on the ASCII character set would have a password entropy > 384 bits.
Because of the above mentioned restrictions the generated yubico passwords have a password entropy about 128 bit less than that.


A forum user had already mentioned the issue about the password strength in 2011 - unfortunately without any reaction from yubico. http://forum.yubico.com/viewtopic.php?f=16&t=697

The yubico website says about the static password: "Core Static Password features: Can include any combination of 16 to 64 characters and/or numbers"
Unfortunately that is not the case. 64 characters are only possible when using the yubico password generator with the above mentioned limitations. If one chooses to configure a custom static password (for example generated with other software to include the entire ASCII character set) by using the Scan Code option of the yubico config software, just 38 characters are possible. This of course results in a serious decrease in password entropy and eats up the increase in entropy achieved with the extended character set.


Although I understand yubico sees the OTP as the main source of security with the yubikeys, still the two following issues should be implemented
(1) the static password generator in the yubico personalization tool should create passwords using the entire ASCII character set for all password characters, instead of just putting a capital letter and a number in front of a password that otherwise uses only lowercase letters.

(2) there should be an option to configure a custom 64 character password (via entering a password generated by other software)

Of course if (1) is implemented the need for (2) is very much reduced. The effort for implementing (1) should be negligible.

Cheers,
Marcel
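A way to check the entropy figures in the post above, as an added example that is not part of the thread and not Yubico's code. It charges each position of the quoted example password against the character class it visibly belongs to (an assumed model of the generator, made explicit in the code), and puts that next to 64 and 38 characters drawn uniformly from the 95 printable ASCII characters. Because every letter after the "15HG" prefix of the example happens to lie in the 16-letter modhex alphabet, the lowercase tail is computed twice, once as 26 letters and once as modhex; which of the two the generator actually uses is not stated on the page.

```python
import math
import string

# The example password quoted in the post above (the post's value, reused here).
EXAMPLE_PASSWORD = "15HGubelehduvtbfchkldjtjrjirntjrcdlkigdficbcfjnjcvufhggulrirgttb"

# Alphabets. MODHEX is the 16-letter alphabet YubiKey OTP output is written in.
MODHEX = "cbdefghijklnrtuv"
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))  # 95 characters, space included


def bits_for_alphabet_sizes(sizes):
    """Entropy in bits of a password whose i-th position is drawn uniformly
    and independently from an alphabet of sizes[i] characters."""
    return sum(math.log2(n) for n in sizes)


def uniform_bits(alphabet, length):
    """Entropy of `length` characters drawn uniformly from a single alphabet
    (use this for a password known to come from the whole alphabet)."""
    return bits_for_alphabet_sizes([len(alphabet)] * length)


def position_alphabet_sizes(password, lowercase_alphabet=string.ascii_lowercase):
    """Assumed model for the generated pattern: each position was drawn
    uniformly from the character class it visibly belongs to. Lowercase
    positions are charged against `lowercase_alphabet`, so the caller picks
    26 letters or modhex. Anything else is charged as printable ASCII."""
    sizes = []
    for ch in password:
        if ch.isdigit():
            sizes.append(len(string.digits))
        elif ch.isupper():
            sizes.append(len(string.ascii_uppercase))
        elif ch.islower():
            if ch not in lowercase_alphabet:
                raise ValueError(f"{ch!r} is not in the assumed lowercase alphabet")
            sizes.append(len(lowercase_alphabet))
        else:
            sizes.append(len(PRINTABLE_ASCII))
    return sizes


def password_bits(password, lowercase_alphabet=string.ascii_lowercase):
    """Entropy of `password` under the per-class model above."""
    return bits_for_alphabet_sizes(position_alphabet_sizes(password, lowercase_alphabet))


def tail_is_modhex(password, prefix_len=4):
    """True if everything after the first `prefix_len` characters (the
    digit/uppercase prefix in the example) lies in the modhex alphabet."""
    return all(ch in MODHEX for ch in password[prefix_len:])


def compare():
    """The post's figures side by side, as a dict of bit counts."""
    return {
        "generated_64_lower26": password_bits(EXAMPLE_PASSWORD),
        "generated_64_modhex": password_bits(EXAMPLE_PASSWORD, MODHEX),
        "printable_64": uniform_bits(PRINTABLE_ASCII, 64),
        "printable_38": uniform_bits(PRINTABLE_ASCII, 38),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:>22}: {bits:6.1f} bits")
    print("lowercase tail is modhex:", tail_is_modhex(EXAMPLE_PASSWORD))
```

Under the 26-letter assumption the generated 64-character password comes out at about 298 bits against about 420 bits for 64 printable-ASCII characters, a gap of roughly 122 bits, which is the "about 128 bit" the post estimates; 38 printable-ASCII characters (the Scan Code limit the post mentions) give about 250 bits, which is below the generated 64-character password under either assumption about its tail.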

Author:  Tom [ Fri Nov 15, 2013 8:31 am ]
Post subject:  Re: [ISSUE] Static Password Strength

Hello DeepSpace,

A sixteen digit Yubikey random password has an entropy of 16^16 = 1.8e19
A standard Internet eight alphanumeric random password has 38^8 = 4.3e12 (alphanumeric/caps)

(hint: 2 modhex characters encode 256 bit)

What makes the strength is the length of the password, not the domain size in this case.
The caps and numbers are there just to fool password requirements from common Internet services.

Regarding your second question, you are not considering multiple keyboards layouts.

All times are UTC + 1 hour