Sephula

Occasional Visitor
Is it just me, or does 16 characters just not seem long enough? Also, why are we limited to a maximum of only 5 user accounts (6 if you include the administrator)? That's obviously not a limitation of Samba. Such limitations! Is there a workaround which doesn't limit me to SSH only access? I'd feel a lot better with at least 20 characters, as that is approx as strong as MD5, which is considered weak by today's standards. Could the Merlin fork possibly increase this to 20 chars? I don't think that's too many, but would provide a 10% improvement over 16 chars. When talking about such huge numbers, 10% really is kind of a big deal. It translates into several decimal places.

Maybe even add the inclusion of a separate 4 character pin which functions like 2 factor, but simply appears on the screen as a second entry field following the password field, like (________ - ___)? That would prevent the problems with foreign languages and more than 16 characters, but still increase the security margin. Maybe add Google Authenticator as 2nd factor?
Is it just me, or does 16 characters just not seem long enough?

16 chars is long enough for a home router. Anything longer wouldn't do anything meaningful to improve security. A 12-character password, for instance, would take years to brute force through. 16 characters would take longer than your router's life.

And increasing it is not really practical, because it would break backward compatibility if you were to revert to a firmware version that does not support longer passwords, locking you out of your own device.

Also, why are we limited to a maximum of only 5 user accounts (6 if you include the administrator)?

Because the router isn't a NAS, and any kind of use with more users than that would be unreliable. So Asus originally decided to limit it to what they felt was a reasonable limit considering the light file access use intended by the router. Beyond that getting a dedicated NAS is strongly recommended.

I did increase it to 10 users if I remember correctly (it's been years), but I don't want to go beyond that, otherwise users will start complaining that their router cannot properly handle 15-20 users, as the hardware is plainly inadequate for that kind of load.

Maybe even add the inclusion of a separate 4 character pin which functions like 2 factor, but simply appears on the screen as a second entry field following the password field, like (________ - ___)? That would prevent the problems with foreign languages and more than 16 characters, but still increase the security margin. Maybe add Google Authenticator as 2nd factor?

I'd have to ask, what kind of usage are you making of a home router to require that level of protection? That type of security requirement makes me believe you should be using a business-class type of product instead. Asuswrt's primary security issues are not in its password policy but in the quality of its code.

Security isn't about always going over the top. Your front door lock for instance can't compare to what is used on a bank, however for a home it's considered adequate. Same applies with software/device security. It's about balancing convenience with needs.
 
Getting locked out of your device seems unlikely, considering you should probably perform a factory reset before attempting a backward flash, anyway. But, I suppose you're correct. I can't argue with any of your reasoning, there.
 
Getting locked out of your device seems unlikely, considering you should probably perform a factory reset before attempting a backward flash, anyway.

Most people don't. And in many cases this isn't necessary either.

Same issue would also happen when switching between Asuswrt and Asuswrt-Merlin.

The real solution is for Asus to revamp the whole user authentication design. I've seen recent hints in the code that they might have started working on that. The biggest issue of the current system is that the password is stored unencrypted in nvram.
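The alternative to keeping the password itself in nvram is to keep a salted, iterated verifier and recompute it at login. The following is an added example of that pattern, not Asuswrt or Asuswrt-Merlin code: the `nvram` dict and the key name `"admin_password"` are constructed stand-ins for the real key/value store, and PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumed choice of work factor.

```python
"""Salted, iterated password verifier in place of a plaintext nvram value.

Added example for the point that the admin password is stored unencrypted
in nvram; this is not Asuswrt or Asuswrt-Merlin code. The `nvram` dict and
the key name "admin_password" are constructed stand-ins for the real store.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor; raise it as far as the router's CPU allows
SALT_LEN = 16          # bytes of random salt per stored verifier


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier string: algo$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def check_password(password: str, verifier: str) -> bool:
    """Recompute the hash from the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = verifier.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False            # malformed verifier: never accept
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_plaintext(nvram: dict, password: str) -> None:
    """The weak pattern: anyone who can read nvram gets the password itself."""
    nvram["admin_password"] = password


def store_verifier(nvram: dict, password: str) -> None:
    """The hardened pattern: nvram holds a verifier that does not reveal the password."""
    nvram["admin_password"] = make_verifier(password)


def password_exposed(nvram: dict, password: str) -> bool:
    """True if the stored value contains the password itself."""
    return password in nvram.get("admin_password", "")


if __name__ == "__main__":
    weak, hardened = {}, {}
    store_plaintext(weak, "correct-horse-16")
    store_verifier(hardened, "correct-horse-16")
    print("plaintext store exposes password:", password_exposed(weak, "correct-horse-16"))
    print("verifier store exposes password:", password_exposed(hardened, "correct-horse-16"))
    print("login check:", check_password("correct-horse-16", hardened["admin_password"]))
```

Because the verifier string carries its own algorithm name, salt and iteration count, the work factor can be raised in a later firmware without invalidating existing entries; a downgrade to firmware that expects the plaintext value would still be the compatibility problem described above.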
 
Why is the password even stored? Is it required for compatibility with some, hopefully ancient, service on an Asus router?
 
Adding to Merlin's post, brute-forcing will also be significantly slowed down by the built-in protections; I believe after 5 failed attempts the router prevents you from trying again for a few minutes. For SSH there is also Protect Server (I believe that's the name of it) which limits attempts on that side of things.

Taking this into account, there's a much more likely chance someone would use an exploit to gain access than brute-force your 16-character alphanumeric password.
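The lockout described above is what makes online guessing impractical regardless of password length. The following added example, not the router's own implementation, models a throttle of that shape and computes the bound it puts on guesses per day: the threshold of 5 failures is the figure from the post, while the 180-second cooldown, the per-client-address keying and the `FakeClock` used for a repeatable simulation are assumptions.

```python
"""Failed-login lockout of the kind the post recalls, plus the bound it puts
on online guessing.

Added example; not the router's actual implementation. MAX_FAILURES = 5 is
the figure from the post; the 180-second cooldown and the per-client keying
are assumptions, and FakeClock exists only to make the simulation repeatable.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, List


MAX_FAILURES = 5          # failed attempts allowed before a lockout (from the post)
LOCKOUT_SECONDS = 180     # assumed cooldown; the post only says "a few minutes"


class LoginThrottle:
    def __init__(self, max_failures: int = MAX_FAILURES,
                 lockout_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, client: str) -> bool:
        until = self.locked_until.get(client)
        if until is None:
            return False
        if self.clock() >= until:
            # cooldown over: forget the lock and the failure count
            del self.locked_until[client]
            self.failures[client] = 0
            return False
        return True

    def attempt(self, client: str, password: str,
                check: Callable[[str], bool]) -> str:
        """Return 'locked', 'ok' or 'fail'; the password is not even checked while locked."""
        if self.is_locked(client):
            return "locked"
        if check(password):
            self.failures[client] = 0
            return "ok"
        self.failures[client] += 1
        if self.failures[client] >= self.max_failures:
            self.locked_until[client] = self.clock() + self.lockout_seconds
        return "fail"


def max_guesses_per_day(max_failures: int = MAX_FAILURES,
                        lockout_seconds: int = LOCKOUT_SECONDS) -> int:
    """Upper bound on online guesses one client can make in 24 hours:
    each burst of max_failures is followed by lockout_seconds of refusal."""
    return max_failures * (86_400 // lockout_seconds)


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the simulation is repeatable."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def credential_check(password: str) -> bool:
    """Constructed stand-in for the real credential check."""
    return password == "correct-horse-16"


def simulate(client: str = "10.0.0.9") -> List[str]:
    """Five wrong guesses, then the right password during lockout, then after it."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    results = [throttle.attempt(client, "guess%d" % i, credential_check) for i in range(5)]
    results.append(throttle.attempt(client, "correct-horse-16", credential_check))  # refused
    clock.now += LOCKOUT_SECONDS
    results.append(throttle.attempt(client, "correct-horse-16", credential_check))  # accepted
    return results


if __name__ == "__main__":
    print(simulate())
    print("online guesses per day, upper bound:", max_guesses_per_day())
```

With these parameters a single client is held to a few thousand guesses a day, which is why the length debate above only matters for offline attacks against a stored password, and why the realistic threat is a code-level exploit rather than guessing.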
 