YubiKey Static Password Offers Up Options

One of the original functions on the YubiKey is a static password for use in the password field of any application. Such an option seems to challenge common misgivings about reusing passwords. And we would agree.

But if you look a little deeper, the static password, which has attracted more users than we thought it might, falls somewhere between pervasive support and strong authentication. It works with any application requiring a password, but it’s not a two-factor solution.

The static password was born from a simple idea —  since the YubiKey can function as a USB keyboard that types out characters with the touch of a button, we figured the capability provided other options in addition to one-time passwords.

Our lead engineer, Dain Nilsson, has written a whitepaper that goes into detail on this YubiKey function, but we’ll give you a preview here.

We originally achieved “static”  by freezing counter values and using crypto functions to provide the same password over and over, rather than creating a new one with each YubiKey button touch. We then added the capability for a user to create a password of their choosing on the YubiKey using scan code mode. Then we moved on to explore ModHex and its 16-character alphabet, and encoding that introduces a measure of “randomness.” That randomness helps create a password that has a tougher resistance to cracking than you might think.

A 32-character ModHex password would take a hacker around five billion years to even get a 1 in 2,158,056,614 chance of a correct guess (yes, that’s two billion!). Even a 16-character ModHex password would take around half a million years to crack given internet bandwidth issues and basic server security.

The static password is interesting to ponder, and many people use them, but it is a password. We think a second factor provides the kind of strong authentication end-users really need.

That said, you might examine if a static password has value in any of your use cases.

Talk to our teamTalk to our team

Share this article:


  • Navigating the PCI DSS 4.0 transition and meeting compliance with phishing-resistant YubiKeysIn just a few days, on March 31, 2025, decision makers in industries that involve payment processing – including financial services, retail & hospitality and telecommunications – are tasked to finalize the transition to Payment Card Industry Data Security Standard (PCI DSS) 4.0. This deadline marks a critical juncture for all organizations handling payment card […]Read moreNISTPCI DSSPCI DSS 4.0
  • Building cyber resilience with Yubico and MicrosoftIn today’s digital landscape, cyber threats are evolving at an unprecedented pace: every second, a phishing attack takes place. In fact, over 80% of these attacks are the result of stolen login credentials and almost 70% of phishing attacks relied on AI last year alone. Recent data from Microsoft Entra also reveals a staggering increase […]Read moreMFA mandatesMicrosoft
  • Yubico’s commitment to innovation: Phishing-resistance as a cornerstone for cyber resilienceAs phishing attacks have reached an unprecedented level of frequency and sophistication, enterprises must prioritize authentication that is phishing-resistant – regardless of the business scenario, platform or device users are working with. This is why Yubico prioritizes consistent product innovations that deliver on our customer’s needs for modern, phishing-resistant authentication solutions that enable businesses to […]Read more
  • CEO Corner: Wrapping up a strong year, and looking ahead to 2025 and beyondIt’s no secret that 2024 was a big year of growth for Yubico, highlighted across many notable achievements by our team and increasing demand from our customers. As discussed in my previous post, following a transformative year driven by key cybersecurity trends like passkeys and AI, the year culminated in the significant step of Yubico […]Read moreCEOEarningsMattias Danielsson