White paper: Bridge to Passwordless best practices
What is a Secure Static Password?
A static password requires no back-end server integration, and works with most legacy username/password solutions. Using the YubiKey Personalization tool a YubiKey can store a user-provided password on the hardware device that never changes. Please note that a static password does not provide the same high level of security as one-time passwords.
How is a ModHex static password generated?
Utilizing ModHex and its 16-character alphabet, and encoding that introduces a measure of “randomness”. A 32-character ModHex password would take a hacker around five billion years to even get a 1 in 2,158,056,614 chance of a correct guess (yes, that’s two billion!). Even a 16-character ModHex password would take around half a million years to crack given internet bandwidth issues and basic server security. This is the type of secure static password generated by default when using the YubiKey Manager.
How does static password work in a security key?
For this question, we’re going to speak to what we know which is static passwords in the YubiKey! We recommend you use the YubiKey in static password mode for only part of your password. To do this, manually enter a simple and easy-to-remember first part of your password, then use the YubiKey to enter a strong second part of your password. For example, you can set your password to: Sunny33rcltrcihbkkiulnveuenervidliliifv where “Sunny33” is manually entered and “rcltrcihbkkiulnveuenervidliliifv” is stored in, and entered, by the YubiKey
What types of Secure Static Passwords can I generate with the YubiKey Manager?
By default, the YubiKey Manager randomly generates a ModHex static password, which only contains the letters “c b d e f g h i j k l n r t u v” This type of static password works relatively well with all keyboard layouts, making it a popular choice.
When programming a static password onto your YubiKey, users are able to check a box that allows all US keyboard layout characters to be used (numbers, letters, special characters). Then, you can have the YubiKey Manager generate a random password that can use any valid US keyboard character.
Users also have the option to manually input their own unique, static password. We recommend ensuring that the password is a strong password, and something that an attacker won’t be able to guess easily.