
Sephula

Occasional Visitor
Is it just me, or does 16 characters just not seem long enough? Also, why are we limited to a maximum of only 5 user accounts (6 if you include the administrator)? That's obviously not a limitation of Samba. Such limitations! Is there a workaround which doesn't limit me to SSH-only access? I'd feel a lot better with at least 20 characters, as that is approximately as strong as MD5, which is considered weak by today's standards. Could the Merlin fork possibly increase this to 20 chars? I don't think that's too many, but it would provide a 10% improvement over 16 chars. When talking about such huge numbers, 10% really is kind of a big deal. It translates into several decimal places.

Maybe even add the inclusion of a separate 4 character pin which functions like 2 factor, but simply appears on the screen as a second entry field following the password field, like (________ - ___)? That would prevent the problems with foreign languages and more than 16 characters, but still increase the security margin. Maybe add Google Authenticator as 2nd factor?
 

RMerlin

Asuswrt-Merlin dev
Is it just me, or does 16 characters just not seem long enough?
16 chars is long enough for a home router. Anything longer wouldn't do anything meaningful to improve security. A 12-character-long password, for instance, would take years to brute force through. 16 characters would take longer than your router's life.

And increasing it is not really practical, because it would break backward compatibility if you were to revert to a firmware version that does not support longer passwords, locking you out of your own device.

Also, why are we limited to a maximum of only 5 user accounts (6 if you include the administrator)?
Because the router isn't a NAS, and any kind of use with more users than that would be unreliable. So Asus originally decided to limit it to what they felt was a reasonable limit considering the light file access use intended by the router. Beyond that getting a dedicated NAS is strongly recommended.

I did increase it to 10 users if I remember correctly (it's been years), but I don't want to go beyond that, otherwise users will start complaining that their router cannot properly handle 15-20 users, as the hardware is plainly inadequate for that kind of load.

Maybe even add the inclusion of a separate 4 character pin which functions like 2 factor, but simply appears on the screen as a second entry field following the password field, like (________ - ___)? That would prevent the problems with foreign languages and more than 16 characters, but still increase the security margin. Maybe add Google Authenticator as 2nd factor?
I'd have to ask, what kind of usage are you making of a home router to require that level of protection? That type of security requirement makes me believe you should be using a business-class type of product instead. Asuswrt's primary security issues are not in its password policy but in the quality of its code.

Security isn't about always going over the top. Your front door lock for instance can't compare to what is used on a bank, however for a home it's considered adequate. Same applies with software/device security. It's about balancing convenience with needs.
 

Sephula

Occasional Visitor
Getting locked out of your device seems unlikely, considering you should probably perform a factory reset before attempting a backward flash, anyway. But, I suppose you're correct. I can't argue with any of your reasoning, there.
 

RMerlin

Asuswrt-Merlin dev
Getting locked out of your device seems unlikely, considering you should probably perform a factory reset before attempting a backward flash, anyway.
Most people don't. And in many cases this isn't necessary either.

Same issue would also happen when switching between Asuswrt and Asuswrt-Merlin.

The real solution is for Asus to revamp the whole user authentication design. I've seen recent hints in the code that they might have started working on that. The biggest issue of the current system is that the password is stored unencrypted in nvram.
 
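As an added illustration of the design change RMerlin describes above (storing a verifier instead of the password itself), here is a small Python credential record that keeps only a salted PBKDF2-HMAC-SHA256 hash and checks a login attempt against it. This is example code written for this page, not Asuswrt's or Asuswrt-Merlin's code; the record field names, the iteration count and the salt size are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not Asuswrt's design):
PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware allows
SALT_BYTES = 16               # per-record random salt


def make_record(password: str) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 hash of the password.

    Only the salt, the parameters and the digest are kept; the plaintext
    is never written anywhere. The digest is always 32 bytes, whatever the
    password length, so the stored record has a fixed size.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "algo": "pbkdf2-sha256",        # assumed field names for the example
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # hmac.compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify(rec, "correct horse battery staple"))
    print(verify(rec, "wrong password"))
```

Because the record holds a fixed-length digest rather than the password, it is the same size for a 16-character and a 40-character password, and UTF-8 encoding means non-ASCII passwords need no special handling. An older firmware that expects a plaintext nvram value would still not understand such a record, which is the compatibility point made above.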

umarmung

Senior Member
Why is the password even stored? Is it required for compatibility with some, hopefully ancient, service on an Asus router?
 

Adamm

Part of the Furniture
Adding to Merlin's post, brute-forcing will also be significantly slowed down by the built-in protections; I believe after 5 failed attempts the router prevents you from trying again for a few minutes. For SSH there is also protect server (I believe that's the name of it) which limits attempts on that side of things.

Taking this into account, there's a much more likely chance someone would use an exploit to gain access than brute-force your 16-character alphanumeric password.
 
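The two posts above (RMerlin's estimate that a 12- or 16-character password outlasts the router, and Adamm's point that a lockout after a few failed attempts slows online guessing further) can be put into numbers. The following is an added example written for this page, not code from the project or from either poster: it computes the keyspace and entropy of a random password over the printable ASCII set, the expected brute-force time offline at an assumed guess rate, and the same time online under an assumed 5-attempts-then-lockout policy. The guess rate, lockout duration and alphabet size are assumptions for illustration, not measurements of any router.

```python
import math
import string

# Assumed parameters for illustration (not measured against any device):
OFFLINE_GUESSES_PER_SEC = 1e10   # a fast offline cracking rig against a fast hash
LOCKOUT_ATTEMPTS = 5             # failed logins allowed before the lockout triggers
LOCKOUT_SECONDS = 5 * 60         # "a few minutes" of lockout, assumed to be five
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable ASCII without space: 26 + 26 + 10 + 32 = 94 symbols.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = PRINTABLE) -> float:
    """Entropy of a uniformly random password of that length, in bits."""
    return length * math.log2(alphabet)


def offline_years(length: int, alphabet: int = PRINTABLE,
                  rate: float = OFFLINE_GUESSES_PER_SEC) -> float:
    """Expected years to hit the password by exhausting half the keyspace offline."""
    return keyspace(length, alphabet) / 2 / rate / SECONDS_PER_YEAR


def online_years(length: int, alphabet: int = PRINTABLE,
                 attempts: int = LOCKOUT_ATTEMPTS,
                 lockout: float = LOCKOUT_SECONDS) -> float:
    """Same expectation against a login path that allows `attempts` guesses per lockout."""
    effective_rate = attempts / lockout      # guesses per second the lockout permits
    return keyspace(length, alphabet) / 2 / effective_rate / SECONDS_PER_YEAR


def keyspace_ratio(longer: int, shorter: int, alphabet: int = PRINTABLE) -> int:
    """How many times larger the longer keyspace is than the shorter one."""
    return alphabet ** (longer - shorter)


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"offline {offline_years(n):.3g} years, "
              f"online with lockout {online_years(n):.3g} years")
    print("keyspace(20) / keyspace(16) =", keyspace_ratio(20, 16))
```

Note that going from 16 to 20 characters multiplies the keyspace by 94 to the 4th power rather than adding a fixed percentage, and that under the lockout policy even a short password takes far longer to guess online than offline; the online figure is why Adamm expects an attacker to look for an exploit instead.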