
[Payload] Yubikey Style Password Prefix


Is there a more secure password than one you don't even know yourself?

Password Prefixing is a form of two-stage authentication. A user-chosen password is prefixed by a given string, much like a password salt.

The first action is to generate the prefix string. The best way to garble this so that it is not known is by hashing it.

Head over to http://www.adamek.biz/md5-generator.php and generate your token.

md5("My Password Prefix") = "b6b8fbc2caf2ff719c7894c83db0b998"

Now, we can create the DuckScript based on that MD5 string.

REM wait for the host to finish enumerating the Ducky as a keyboard before typing
DELAY 3000
STRING b6b8fbc2caf2ff719c7894c83db0b998_

Here, I've suffixed the prefix with an underscore to separate the token from the rest of the password.

Whenever you register a new password, keep the password box focused, plug the Ducky in to input the prefix token, then type the rest of the password.

Your password for that site is now: b6b8fbc2caf2ff719c7894c83db0b998_pa$$W0rd

Whenever you sign in, plug the Duck into the PC and the prefix will be entered, followed by your own, known password.

To create an even more secure token, you can use the Perfect Passwords generator at https://www.grc.com/passwords.htm to create pseudo-random strings as prefixes. That way, you can't even say to someone "My password is the MD5 hash of "My Password Prefix" followed by Pa$$W0rd".

DELAY 3000
STRING EkRjsmp8oNLmwKdLEVXhqLlcls5TQOVTk7mXcj4Km0KMJKAIw920rtsfq0Cevgb_
Edited by ApacheTech Consultancy
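As an added example (editor's code, not part of the original post or any Hak5 payload), the following Python script builds the payload described above end to end: it generates a prefix token from the operating system's CSPRNG via the `secrets` module, restricts it to letters and digits so that the Ducky types the same characters regardless of which keyboard layout the host uses, renders the `DELAY`/`STRING` lines, and reports the entropy of the token. `phrase_prefix` reproduces the md5-of-a-phrase variant locally with `hashlib`, so there is no need to paste a secret phrase into a web MD5 generator; note that it is deterministic, so its strength is only that of the phrase it was derived from, whereas the random token carries the full entropy of its length. `fits_limit` is there because sites cap password length, and a 63-character prefix plus your own password can exceed that cap. The function names, the 40-character default and the alphabet are assumptions for illustration.

```python
import hashlib
import math
import secrets
import string

# Added example, not part of the original payload. Letters and digits map to
# the same keys under the common layouts a Ducky meets; '$', '@' and similar
# punctuation can land on a different key under a non-US layout.
SAFE_ALPHABET = string.ascii_letters + string.digits


def generate_prefix(length: int = 40, alphabet: str = SAFE_ALPHABET) -> str:
    """Generate a prefix token from the OS CSPRNG (the random-string variant)."""
    if length <= 0:
        raise ValueError("prefix length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def phrase_prefix(phrase: str) -> str:
    """The md5(phrase) variant, computed locally.

    Deterministic: anyone who can guess the phrase regenerates the token,
    so the token is only as strong as the phrase, not 128 bits.
    """
    return hashlib.md5(phrase.encode("utf-8")).hexdigest()


def entropy_bits(length: int, alphabet_size: int = len(SAFE_ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def build_payload(prefix: str, delay_ms: int = 3000, separator: str = "_") -> str:
    """Render the DuckyScript that types the prefix followed by the separator.

    Only the prefix is checked against SAFE_ALPHABET; the separator is left to
    the caller (the post uses '_'), so set the Ducky's keyboard layout to match
    the host if you pick punctuation.
    """
    bad = sorted(set(prefix) - set(SAFE_ALPHABET))
    if bad:
        raise ValueError(f"prefix has layout-dependent characters: {bad}")
    return f"DELAY {delay_ms}\nSTRING {prefix}{separator}\n"


def combined_password(prefix: str, user_part: str, separator: str = "_") -> str:
    """What the site actually stores: Ducky-typed prefix + separator + typed part."""
    return f"{prefix}{separator}{user_part}"


def fits_limit(prefix: str, user_part: str, max_length: int, separator: str = "_") -> bool:
    """Check the combined password against a site's maximum length.

    Sites that cap password length may reject or truncate a long prefix plus
    password; check before registering rather than discovering it at login.
    """
    return len(combined_password(prefix, user_part, separator)) <= max_length


if __name__ == "__main__":
    token = generate_prefix()
    print(build_payload(token))
    print(f"{entropy_bits(len(token)):.0f} bits of entropy in the prefix")
    print(combined_password(token, "pa$$W0rd"))
    print("fits a 64-character limit:", fits_limit(token, "pa$$W0rd", 64))
```

Write the printed `DELAY`/`STRING` lines to `inject.txt` with the usual Ducky encoder; the `__main__` block prints a fresh token each run, so keep the one you actually register somewhere recoverable, since losing the Ducky means losing the prefix for every account that uses it.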

You could leave the "Naked Duck" (this time the exposed board not the firmware) plugged in, and just press the GPIO (ducky's tiny button) to replay the sequence.

You could indeed. :D

Or even use the MultiDuck to deploy different prefixes based on keyboard LEDs. :D
