Login Password too secure?

Gishan

Hi guys,

I've got a serious problem with my router and hope someone can provide an alternative to a hard reset.

Router: Asus RT-AC68U
Firmware: 380.57_0
Access:
  • GUI only accessible locally (not from outside)
  • only HTTPS
  • no SSH
  • no telnet

I recently changed my password to be 60 chars long.
Since then I couldn't access the router again...

Problem 1
Calling the web GUI via its IP gives me an "ERR_EMPTY_RESPONSE" or "ERR_CONNECTION_REFUSED" and redirects me to "https://x.x.x.x:y/Main_Login.asp?error_status=2".

Problem 2 (minor)
Clicking on reload sometimes brings the login page. Here I can't type in the 60 char long password, the box only allows for 16 chars. Copy&Paste is also not available. My password manager somehow manages to input it nonetheless.

Problem 3
Clicking on "Sign in" leads to the right page, but it doesn't load properly.
No data is shown, just some boxes where information would normally appear.
The frame on the right side where the connected clients should be listed shows "Server has refused connection" on mouse over. Reloading the site drops me back at Problem 1.

Is this really an issue of a too long password?
Or could this be caused by something else?

PS: Besides the mentioned access/login problems the router works perfectly fine (every attached device is routed properly, internet access works, ...)
 
Have you tried a different browser and cleared the cache of the one you're using? Sixty characters - half that amount would, to me, seem excessive in the extreme.

I can't vouch for Asus' tolerance of special characters, but I have in the past fallen foul of including certain special characters in passwords. I'm now more circumspect.

The ability to paste the password in was removed a couple of firmwares ago; I understand it was going to be reinstated and it may well have been in 380.57, the changelog would tell you. (I haven't upgraded my firmware (378.55) and I consider my 12-character-long password a little overzealous.)

I suggest you have little choice (if another browser doesn't help) but to restore to factory default settings (RFDS) and start again. Before reinstalling all your settings, you could then experiment with passwords - nothing lost if you mess it up and have to RFDS again.

"Access: GUI only accessible locally (not from outside)" - 60 characters? Come on! A self-inflicted injury.
 
Some while ago I had a problem logging on from the LAN side, using PuTTY / SSH. After experimentation, it seems that the maximum password length is 16 characters. I don't know whether the limitation is in the router firmware or in PuTTY.

What I did find out is that special characters seem to be stored somewhere in %nn format, which increases the effective length of the password by 2 characters. However, the limit of 16 still applies, so for every special character, the maximum length of password is reduced by 2.

It also seems that including the dollar sign in the password makes logon impossible via PuTTY. Again, I don't know if this intolerance of dollar signs comes from PuTTY or from the router itself. I did not check if there are any other special characters which cause problems.

RT-AC66U / Merlin 378.56_2
 
Is there somewhere an exhaustive document describing the requirements for the router admin password?
 
Do you mean requirements in the sense of what you require for security, or do you perhaps mean "limitations" in the sense of password length, unacceptable special characters......?

Either way, I doubt that such a document exists, but if it is the latter, and if you carry out some personal experimentation, you may well be best placed to write up such findings - assuming you have the time. (I think it was the "£" sign that I fell foul of.)
 
Thanks - I meant in the sense of length, unacceptable chars, mandatory chars, etc.
 
No, I'm fairly sure such a document doesn't exist, and if it did, it probably wouldn't get updated, so would go out of date over time. Similarly, if you experimented now and wrote up your findings (in terms of the variables you listed), it would be correct for now, but in 12 months' time it might not be. However, even so, I'm sure if you did have the patience and time to experiment, a lot of people would be interested in your results. (I assume such findings would apply right across the Asus model range.)

I've never seen mention of mandatory characters, and you'd best limit any experimentation to special characters normally found on the keyboard (rather than Russian cyrillic and French "e" circumflex!)
 
I can't see any password config files in etc/pam.d where you may usually specify the mandatory requirements for Upper/Special etc., although I thought the default PAM is minlen=6? But I think the Asus code in /www/Main_Password.asp validates/enforces minlen=8?

Code:
chkLoginPw_KR: function(obj){ // Alphabets, numbers, special characters mixed
    var string_length = obj.value.length;
    // Reject an empty password
    if(obj.value == ""){
        showError("<#103#>");
        obj.value = "";
        obj.focus();
        obj.select();
        return false;
    }
    // Reject the default password (the <% ... %> tag is filled in by the router before the page is served)
    else if(obj.value == '<% nvram_default_get("http_passwd"); %>'){
        showError("<#273#>");
        obj.value = "";
        obj.focus();
        obj.select();
        return false;
    }
    // Require a letter, a digit, at least 8 characters and one special character
    else if(!/[A-Za-z]/.test(obj.value) || !/[0-9]/.test(obj.value) || string_length < 8
            || !/[\!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\\\]\^\_\`\{\|\}\~]/.test(obj.value)){
        showError("<#145#>");
        obj.value = "";
        obj.focus();
        obj.select();
        return false;

<snip>

}

...but I could be wrong :confused:
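
The limits discussed in this thread, combined into one pre-flight check to run before changing the admin password. This is an added example, not part of any post and not Asus firmware code: it applies the rules visible in the chkLoginPw_KR snippet together with the observations reported earlier in the thread (16 stored characters, %nn storage of special characters, the PuTTY problem with "$"). The function names, the cost of three characters per encoded byte, and the sample passwords are assumptions made for the example.

```javascript
// Added example, not firmware code. The first six checks mirror chkLoginPw_KR;
// the last two encode posters' unverified observations from this thread.
const SPECIAL = /[!"#$%&'()*+,\-./:;<=>?@[\\\]^_`{|}~]/;
const STORED_LIMIT = 16; // reported maximum stored length (assumption)

// Assumed storage cost: alphanumerics take 1 character, anything else is
// stored as "%nn" (3 characters) per UTF-8 byte.
function storedLength(pw) {
  const enc = new TextEncoder();
  let total = 0;
  for (const ch of pw) {
    total += /[A-Za-z0-9]/.test(ch) ? 1 : 3 * enc.encode(ch).length;
  }
  return total;
}

// Returns every reason a candidate password might lock you out or be rejected.
function checkPassword(pw, defaultPw = "admin") {
  const problems = [];
  if (pw === "") problems.push("empty");
  if (pw === defaultPw) problems.push("same as default");
  if (pw.length < 8) problems.push("shorter than 8 characters");
  if (!/[A-Za-z]/.test(pw)) problems.push("no letter");
  if (!/[0-9]/.test(pw)) problems.push("no digit");
  if (!SPECIAL.test(pw)) problems.push("no special character");
  const stored = storedLength(pw);
  if (stored > STORED_LIMIT) {
    problems.push(`encoded length ${stored} exceeds ${STORED_LIMIT}`);
  }
  if (pw.includes("$")) problems.push("contains $ (reported to break PuTTY logon)");
  return { ok: problems.length === 0, storedLength: stored, problems };
}

// Constructed sample passwords, for illustration only.
const samples = ["Passw0rd!", "Tr1cky#Pass%word", "Aa1!".repeat(15), "Pa$$w0rd"];
for (const pw of samples) {
  const r = checkPassword(pw);
  console.log(`${pw.length} chars, stored as ${r.storedLength}:`,
              r.ok ? "ok" : r.problems.join("; "));
}
```

The second sample is exactly 16 characters as typed but 20 once its two special characters are counted at three each, which is the case the login box's 16-character field would not reveal.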
 
It's just dawned on me that the default password is "admin", so if there is a minimum length, it's 5 or less, and no requirements for a mix of characters.
 
The (short) initial default password is expected to be immediately changed by the user as part of the initial Router setup...so when you are asked to change the admin password via the GUI....guess what? ;)

[Attached image: upload_2016-1-15_15-43-20.png]