Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:27 pm

All times are UTC + 1 hour

Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Jun 03, 2008 5:25 pm 
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Q. Does Yubico have a solution available for me to change a static, fixed long password on the Yubikey. I would like the password to be statically set on the Yubikey and would like to be able to change it if needed.

A. No, not right now. For long & static passwords we encourage users to use MashedLife.com for that purpose:

1. An admin creates/stores the static username/password that have access to a web site

2. The admin "shares" the acct with users

3. So the users can log on the web site w/o knowing the password to the site

But this is a real need and we are talking w/ some business partners to see if they can do it, then we'll link to their solution from this forum.

The YubiKey Server Guy

Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Jun 03, 2008 11:44 pm 
Site Admin
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Although one can argue that a static OTP would somewhat compromise the whole concept behind a hardware token, there are certain use cases where this makes sense. Quite a few people have asked about this feature.

A 32-character password string that is resistant to a dictionary attack is not that bad after all. And best of all, you can use it to login to legacy systems supporting static passwords only.

Therefore, effective from firmware version 1.3.0, we've added a "sneak" feature to support static OTPs by the means of a configuration flag.

It is fully compatible with the current field layout with the difference that all dynamic fields (including the rnd16) are forced to a fixed value, in this case 0xff and 0xffff respectively. Therefore, the generated OTP remains the same every time.

We've not updated the authentication server to support this feature yet, but as it will distinguish between a BAD_OTP and a REPLAYED_OTP, responses other than BAD_OTP can be considered ok.

Jakob E
Hardware- and software guy @ Yubico

Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour

Who is online

Users browsing this forum: YahooSeeker [Bot] and 4 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group