YubiKey Static Password Offers Up Options

One of the original functions on the YubiKey is a static password for use in the password field of any application. Such an option seems to challenge common misgivings about reusing passwords. And we would agree.

But if you look a little deeper, the static password, which has attracted more users than we thought it might, falls somewhere between pervasive support and strong authentication. It works with any application requiring a password, but it’s not a two-factor solution.

The static password was born from a simple idea —  since the YubiKey can function as a USB keyboard that types out characters with the touch of a button, we figured the capability provided other options in addition to one-time passwords.

Our lead engineer, Dain Nilsson, has written a whitepaper that goes into detail on this YubiKey function, but we’ll give you a preview here.

We originally achieved “static”  by freezing counter values and using crypto functions to provide the same password over and over, rather than creating a new one with each YubiKey button touch. We then added the capability for a user to create a password of their choosing on the YubiKey using scan code mode. Then we moved on to explore ModHex and its 16-character alphabet, and encoding that introduces a measure of “randomness.” That randomness helps create a password that has a tougher resistance to cracking than you might think.

A 32-character ModHex password would take a hacker around five billion years to even get a 1 in 2,158,056,614 chance of a correct guess (yes, that’s two billion!). Even a 16-character ModHex password would take around half a million years to crack given internet bandwidth issues and basic server security.

The static password is interesting to ponder, and many people use them, but it is a password. We think a second factor provides the kind of strong authentication end-users really need.

That said, you might examine if a static password has value in any of your use cases.

Talk to our teamTalk to our team

Share this article:


  • Securing the skies with YubiKeys: Insights on cyber resilience in the aviation industry and beyondIn an increasingly interconnected world, the landscape of cybersecurity is constantly evolving. Bad actors are becoming more sophisticated, leveraging tactics like phishing and ransomware to exploit human error and weak credentials. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises – especially those in high-stakes sectors like commercial […]Read morecyber resilienceEUmanufacturingQ&A
  • Future-proofing authentication: A look at the future of post-quantum cryptographyThe path from passwords to passkeys and beyond In a previous blog I talked about the end of passwords and the rise of passkeys, which promise stronger security and less frustration for both individuals and businesses. The global momentum behind passkeys represents one of the most exciting shifts in authentication history, but realizing their full […]Read more
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet