Yubico Forum https://forum.yubico.com/
Strong password policy ignored by Yubikey Personal. Tool https://forum.yubico.com/viewtopic.php?f=16&t=1836
Author: yubiesqco [ Fri Apr 17, 2015 2:14 pm ]
Post subject: Strong password policy ignored by Yubikey Personal. Tool
Under Static Password in Yubikey Personalization Tool v3.1.19 (Yubikey Nano v2.4.3 on Windows 7), there's a Strong Password Policy section with options for "Upper and lower case" and "Alphanumeric". I understand these options *should* mean the static password that is output by the key contains both mixed case and digits - but in fact the output key is always lowercase letters only, with the exception of the first ~5 characters (which are mixed and contain digits). Possibly the first 5 chars are the private identity part or similar. This is surely a bug - the entire output key should be mixed if these options are enabled? Otherwise the password strength is substantially reduced. This is with 32 characters, pub/priv/sec fields auto-generated, Strong Password Policy options ticked, Write Configuration run successfully, then output examined in Notepad.
Author: Tom2 [ Mon Apr 20, 2015 9:44 am ]
Post subject: Re: Strong password policy ignored by Yubikey Personal. Tool
Hello, it is not a bug, but I understand that it is confusing. That is only to defeat "password" checkers; the strength of the Yubico password resides in the modhex length, not in the upper/lower case. That is deterministic and does not add any security.
Author: yubiesqco [ Mon Apr 20, 2015 10:24 pm ]
Post subject: Re: Strong password policy ignored by Yubikey Personal. Tool
Hi Tom - thanks for your reply - the user guide provides zero information on the function of the pass policy options! OK, you're saying these options only affect the internal generation algorithm (transforming the input fields into the output key) - in that case, why allow them to be disabled at all (let alone by default) if this reduces the security of the transformation? Or is it to add 2 more unknown dimensions if bruteforcing? That aside though, it is surely incorrect to state that reducing the character set for most of the output key to 26 characters instead of 62 (with the increase in entropy multiplied by the output key length) doesn't reduce security? OK, 32 chars is impractical to bruteforce (for now), even if limited to lowercase alphas - but many (most?) systems don't allow passwords that long. I don't understand then why the Yubikey is artificially limiting most of the output key to lowercase alpha - surely the algorithm could be adapted to allow expansion of the output character set (controlled via options in case the system doesn't support case-sensitivity / numeric)? Even if this wouldn't increase the entropy of the *input* fields (i.e., wouldn't increase security if the attacker is trying to bruteforce the "pub/priv identity" and "secret key" input fields and run through the same generation algorithm as Yubikey) - in most cases the attacker will have no idea that the password was generated by a Yubikey, so will be bruteforcing the output key instead.
Author: Tom2 [ Wed Apr 22, 2015 3:34 pm ]
Post subject: Re: Strong password policy ignored by Yubikey Personal. Tool
A sixteen-digit Yubikey random password has an entropy of 16^16 ~ 1.8e19 (hint: 2 modhex characters encode 256 bit). The Yubikey is a USB keyboard. It will need to "type" in different keyboard layouts, and to have the largest support it only speaks MODHEX. I agree with you that it would be better to have a 32-character password with a domain of 62 symbols or more, but this is not the case for the Yubikey. The Alphanumeric option in the programming tool is just to "fool" password checkers on websites that look for mixed upper/lower case and numbers to evaluate the "strength" of the password. There is definitely space for improvement in this area for Yubico; however, I hope that this clarifies why we only use MODHEX for now.
Author: brendanhoar [ Wed Apr 22, 2015 5:44 pm ]
Post subject: Re: Strong password policy ignored by Yubikey Personal. Tool
Tom2 wrote:
    (hint: 2 modhex characters encode 256 bit)
Correction: "2 modhex characters encode 256 possibilities, or 8 bits"

Tom2 wrote:
    There is definitely space for improvement in this area for Yubico, however I hope that this clarify why we only use MODHEX for now.
Understood.
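As an added worked example that is not part of this thread and not Yubico's own tooling, the Python below makes the arithmetic in the posts above checkable. It encodes and decodes modhex (the YubiKey output alphabet "cbdefghijklnrtuv", one symbol per hex nibble, so two characters carry one byte: 256 possibilities, 8 bits, as brendanhoar corrects), and it computes keyspace and entropy for a password of a given length over a given alphabet, so Tom2's 16-character figure (16^16 ~ 1.8e19, i.e. 64 bits) and yubiesqco's 32-character comparison between 16, 26 and 62 symbols can be read off directly, along with what survives when a system accepts only the first N characters. The `naive_strength_check` function is a constructed stand-in for the kind of website "strength meter" Tom2 describes; it shows that a short mixed-case/digit prefix satisfies such a check while the entropy of the remaining modhex characters is unchanged. The sample key bytes are constructed, and the tool's actual prefix transformation is not modelled.

```python
import math

# Modhex: the YubiKey's output alphabet. One symbol per hex nibble (0..15),
# chosen so the key types the same on common keyboard layouts.
MODHEX_ALPHABET = "cbdefghijklnrtuv"


def modhex_encode(data: bytes) -> str:
    """Encode bytes as modhex, high nibble first; two symbols per byte."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Inverse of modhex_encode; rejects odd length and non-modhex symbols."""
    if len(text) % 2:
        raise ValueError("modhex string must have even length")
    nibbles = []
    for ch in text.lower():
        idx = MODHEX_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a modhex symbol: {ch!r}")
        nibbles.append(idx)
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of `length` symbols over `alphabet_size` symbols."""
    return alphabet_size ** length


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def compare_alphabets(length: int) -> dict:
    """Bits for one length over the alphabets discussed in the thread:
    modhex (16 symbols), lowercase letters (26), mixed case plus digits (62)."""
    return {
        "modhex16": password_bits(length, 16),
        "lower26": password_bits(length, 26),
        "alnum62": password_bits(length, 62),
    }


def truncated_bits(full_length: int, alphabet_size: int, max_accepted: int) -> float:
    """Entropy that survives when a system only accepts (or silently keeps)
    the first `max_accepted` characters of a longer password."""
    return password_bits(min(full_length, max_accepted), alphabet_size)


def naive_strength_check(password: str, min_length: int = 8) -> bool:
    """Constructed stand-in for a website 'strength meter': requires a minimum
    length plus an uppercase letter, a lowercase letter and a digit. It says
    nothing about how the characters were chosen, which is Tom2's point."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    # Constructed sample key material (not from a real YubiKey): 16 bytes -> 32 modhex chars.
    sample = bytes(range(16))
    pw = modhex_encode(sample)
    print(pw, modhex_decode(pw) == sample)
    print("2 modhex chars:", keyspace(2, 16), "possibilities =", password_bits(2, 16), "bits")
    print("16 modhex chars:", f"{keyspace(16, 16):.1e}", "possibilities =", password_bits(16, 16), "bits")
    print("32 chars by alphabet:", compare_alphabets(32))
    print("32-char modhex cut to 12 by a length-limited system:", truncated_bits(32, 16, 12), "bits")
    # A mixed-case/digit prefix satisfies the checker; the modhex tail is unchanged.
    print(naive_strength_check(pw), naive_strength_check("Ab1" + pw[3:]))
```

Reading the output: a 32-character modhex password is 128 bits, the same 32 characters over 62 symbols would be about 190 bits, and lowercase letters alone give about 150 bits; the length-limited case is where the gap the thread argues about actually bites, since every lost character costs only 4 bits in modhex but almost 6 in a 62-symbol alphabet.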
All times are UTC + 1 hour