Possibility to increase the length of the password (16 characters for the moment) ?


osajoseph

New Around Here
Hi guys,

The security aspect is important and many people have more than 12 characters. In my case, I have more than 16 and I have to change the HTML attribute maxlength="16" to a higher value at each connection.
It would be interesting to increase the password length to at least 20 characters in the next versions.

Thank you for your help !
 

dave14305

Part of the Furniture
It’s built into nvram as 16 chars and I would wager that Merlin has no desire to mess with it. Might even have repercussions on AiMesh for all we know.
 

L&LD

Part of the Furniture

sbsnb

Very Senior Member
From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.

If you're worried about security, I'd be much more worried about the fact that Google and Apple have your WiFi password and geographic location if you've ever connected an Android or iOS device to your WiFi. They could far more easily allow random members of the public to connect to your WiFi than someone could hack your WiFi password.
 

RMerlin

Asuswrt-Merlin dev
> It would be interesting to increase the password length to at least 20 characters in the next versions.
I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.
 

osajoseph

New Around Here
> I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.
OK, I understand, so once ASUS has increased it in their firmware, you will be able to increase it too. Cool!

> From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.
>
> If you're worried about security, I'd be much more worried about the fact that Google and Apple have your WiFi password and geographic location if you've ever connected an Android or iOS device to your WiFi. They could far more easily allow random members of the public to connect to your WiFi than someone could hack your WiFi password.
In fact, if we could configure dual authentication, it would be even better. But it might be overkill for a router haha!
Thanks for your answers guys! I will wait for ASUS to increase this setting on their end.

@RMerlin BTW Nice work with your firmware !
 

Martinski

Occasional Visitor
> I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.

According to the following post (#21), ASUS has already made changes to increase the login password length to 32 chars.

RT-AC68U Firmware version 3.0.0.4.386.43129 (released 2021-May-21):

So, in theory, any AsusWRT-based firmware using GPL 43129 (or later) should include support for 32-char long login passwords.

NOTE:
I cannot attest to the accuracy of the statements made in the linked post since I have not actually tested the OEM stock firmware version.
 

Martinski

Occasional Visitor
> From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.
Password Entropy is only one factor that determines the strength of a password and should never be considered in isolation, especially given the natural human tendency to create simple, easy-to-remember, predictable, non-random passwords. By definition, password entropy is just a measurement of its "unpredictability" based only on a given character set and a number of chars used in the string. However, a password entropy value means very little if the password string itself is not sufficiently random. IOW, you can have 2 passwords with exactly the same entropy value where one is much more secure than the other simply because it's more randomly constructed.

For example, the following two 12-char passwords have the same entropy value (71.45) but one would be considered much more secure, complex, and random than the other:

MyPassWord12

M1WdJxTsP2bZ


Ironically, the vast majority of "password strength meters" tend to be extremely inadequate & misleading in their assessment of password strength because they don't take into account the randomness of a string and the raw processing power of custom-made gear. That's why most strength meters would give the same "rate" to the above 2 passwords even though their actual security strength is not the same (e.g. the 1st one is already found in several dictionary-cracking programs).

As a final point, note that research points to very strong evidence that a passphrase (i.e. a set of random "words" that make up a phrase/sentence which would be more human-friendly and memorable) tends to be significantly more realistic and secure for the average person. Thus, the greater the maximum number of chars allowed in a password field, the better chances of creating a unique, memorable, and still secure passcode without the need to resort to short, complex, and hard-to-remember gibberish.

There is no general consensus as to what the ideal passphrase length should be, but the current rule of thumb is that at the very minimum a length of 20 chars is needed to construct a secure string using at least 4 random "words" that should be uniquely personal but easy to remember for the average person. Again, while we humans are not very good at determining true randomness, a longer passphrase has a better chance of being remembered and effectively used than a complex, hard-to-remember password (hint: )

Just my 2 cents.
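
The comparison in the post above, worked through as an added example (not part of the original thread): a character-pool entropy figure next to a dictionary-aware estimate for the same two passwords, plus the entropy of a randomly drawn passphrase. The tiny wordlist, the 100,000-entry dictionary size, the 2-bit capitalisation cost and the 7776-word passphrase list are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for a cracking wordlist; real ones hold far more entries.
SAMPLE_WORDS = {"my", "pass", "word", "password", "admin", "router", "letmein"}
ASSUMED_DICT_SIZE = 100_000   # assumption: size of the attacker's wordlist
CASE_VARIANT_BITS = 2         # assumption: extra cost for trying capitalisations

def pool_size(pw):
    """Character pool implied by the classes present (what simple meters use)."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in pw))

def naive_bits(pw):
    """Length x log2(pool): valid only if every character is chosen at random."""
    return len(pw) * math.log2(pool_size(pw))

def dictionary_aware_bits(pw):
    """Cheapest way to cover pw with wordlist entries or single random chars."""
    per_char = math.log2(pool_size(pw))
    per_word = math.log2(ASSUMED_DICT_SIZE) + CASE_VARIANT_BITS
    lowered = pw.lower()
    best = [0.0] + [math.inf] * len(pw)
    for i in range(len(pw)):
        # Option 1: treat the next character as an independent random pick.
        best[i + 1] = min(best[i + 1], best[i] + per_char)
        # Option 2: a whole wordlist entry starts here and costs one lookup.
        for w in SAMPLE_WORDS:
            if lowered.startswith(w, i):
                j = i + len(w)
                best[j] = min(best[j], best[i] + per_word)
    return best[-1]

def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly at random from a list."""
    return n_words * math.log2(wordlist_size)

if __name__ == "__main__":
    for pw in ("MyPassWord12", "M1WdJxTsP2bZ"):   # the two passwords from the post
        print(f"{pw}: naive {naive_bits(pw):.2f} bits, "
              f"dictionary-aware {dictionary_aware_bits(pw):.2f} bits")
    print(f"4 random words, 7776-word list: {passphrase_bits(4, 7776):.2f} bits")
```

The pool-based figure is identical for both passwords, while the dictionary-aware figure drops only for the one built from common words; the passphrase figure holds only when the words are picked at random rather than chosen by the user.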
 

MyPal

Occasional Visitor
> From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.
>
> If you're worried about security, I'd be much more worried about the fact that Google and Apple have your WiFi password and geographic location if you've ever connected an Android or iOS device to your WiFi. They could far more easily allow random members of the public to connect to your WiFi than someone could hack your WiFi password.
Tell me more about this iOS vector? All such passwords are stored in the key-chain. Would you consider WiFi personal and/or RADIUS passwords stored in the Apple key-chain (and optionally iCloud) a vulnerability?
 

MyPal

Occasional Visitor
> I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.
Hope they did this universally. SAMBA /etc/
 

LimJK

Very Senior Member
> NOTE:
> I cannot attest to the accuracy of the statements made in the linked post since I have not actually tested the OEM stock firmware version.
For the fun of it, I just tested with a 32 bit Characters password successfully for my login password on Stock Firmware RT-AX88U_3.0.0.4_386_45375 :)
 

L&LD

Part of the Furniture
32-bit password? Or a password that is 32 characters in length? How did you test for it, specifically?
 

sbsnb

Very Senior Member
> Tell me more about this iOS vector? All such passwords are stored in the key-chain. Would you consider WiFi personal and/or RADIUS passwords stored in the Apple key-chain (and optionally iCloud) a vulnerability?
I would consider anything stored remotely a vulnerability unless you have the source code to both the client (phone) and the servers to verify that there are no back doors and all data is not only stored encrypted, but never transmitted without being encrypted before transmission.
 

LimJK

Very Senior Member
> 32-bit password? Or a password that is 32 characters in length? How did you test for it, specifically?
Oops, I meant 32 Characters
 
