
Why Asus new Password security policy is ridiculous

Poul Bak

Regular Contributor
Just upgraded my Zenwifi BT10 and was met by the new Asus password security policy (again), which I call ridiculous.
Why?

Password security (against brute force attacks) is very simple logic:

It's all about the number of possible combinations!

And that's exactly where this policy fails.

When you apply restrictions you limit the number of legal combinations!
And that is a gift to professional hackers doing brute force attacks. They don't try to guess your dog's name or whatever. They use computers and a computer can just as easily 'guess' a special character as a regular letter. They can put those restrictions into their program so the computer skips those illegal combinations, a true gift to hackers.

Then there's the human aspect. Passwords like the ones required are impossible for humans to remember. This means you write it down somewhere. Maybe you save it on your computer.
Now people in your household/office have a chance to get hold of the password, even without hacking.
Maybe you have children you don't want to access your router. If those teenage kids are smarter than you (then there's still hope for mankind, right ;)) then they WILL find that password (on a sticker or in your computer).

Only fools allow internet access to the web Gui/SSH!
So why bother at all? If someone is able to get access to my LAN, then I'm already screwed and I have much more serious stuff to worry about than my router's settings.

The only good thing in their policy is the 10 character minimum. At least that adds security instead of limiting it.

If they really wanted to increase security they should instead:
  1. Allow all Unicode characters (use UTF-8, the browser already does that; that will increase the number of combinations a lot)
  2. Allow more than the ridiculous 32 characters - let people assign 100 characters if they want, making it impossible to brute force attack

And then finally about https to the Gui:
While https on the internet is a great thing, on the LAN it is ridiculous. I use Wi-fi to access the router, it's already encrypted.
And again: If someone is already on my LAN ...................
And how should a certificate created by Asus be an enhancement of security? Why should I trust a non-public certificate created by anyone but myself? (I use my BT10 as an access point so I can't even install another certificate!)

All in all, this so called security upgrade is the worst I have seen in a long time.
 
One of my medical providers wanted me to use a 12 character password for their portal. They were told I did not need to use their portal and delete my account.
 
Mandatory 2FA is a major pain. And every new (that is, more complex) secure log in method has been hacked, so why not just stick with user/pass? It's the least complicated and most reliable (in usage). :)
 
Mandatory 2FA is a major pain

It's not every time, IP change or unrecognized PC. Email with the code arrives instantly. The UniFi App uses Face ID. Got used to it. 🤷‍♂️
 
The point of my post is: They claim to strengthen security, but they are actually making it easier to brute force attack!
That's what makes it ridiculous.
 
The point of my post is: They claim to strengthen security, but they are actually making it easier to brute force attack!
That's what makes it ridiculous.
You can't realistically do a brute force attack regardless of what the password security policy is. If you enter the HTTP/S password incorrectly 5 times, or the SSH password incorrectly 3 times you are locked out for 5 minutes. This makes brute forcing tens of thousands of password attempts impossible.
 
The new rules are:
  • Minimum 10 characters (that's quite reasonable)
  • At least one letter (perfectly fine)
  • At least one digit (quite reasonable)
  • At least one symbol (quite reasonable)
  • A character cannot be repeated twice (that one is a bit over the top)

The only really unreasonable requirement in my opinion is preventing repeated characters. Asuswrt-Merlin will remove that requirement. I'd rather see people use:

97MissedTheNetByThatMuch!

than:

Qm4,Xet!2f
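An added example (not code from the thread or from Asus firmware) that puts numbers on the two arguments in this exchange: how much the class and no-repeat rules shrink a 10-character keyspace, and how long exhausting it would take at the lockout-limited online rate of 5 failures per 5 minutes. It assumes 95 printable ASCII characters (52 letters, 10 digits, 33 symbols) and reads "cannot be repeated twice" as no repeat in adjacent positions.

```python
import math

# Printable ASCII split into the three classes the policy names (constructed).
CLASSES = {"letter": 52, "digit": 10, "symbol": 33}
ALL_THREE = ("letter", "digit", "symbol")


def count_passwords(length, classes, required=(), no_adjacent_repeat=False):
    """Exact number of strings of `length` over `classes` that contain every
    class in `required` and, optionally, never repeat a character in two
    adjacent positions. Dynamic programme over (classes seen, last class)."""
    names = list(classes)
    req_mask = sum(1 << names.index(r) for r in required)
    states = {(0, None): 1}          # (seen-bitmask, last class index) -> ways
    for _ in range(length):
        nxt = {}
        for (mask, last), ways in states.items():
            for i, name in enumerate(names):
                size = classes[name]
                if no_adjacent_repeat and last == i:
                    size -= 1            # any char of this class except the previous one
                if size <= 0:
                    continue
                key = (mask | (1 << i), i)
                nxt[key] = nxt.get(key, 0) + ways * size
        states = nxt
    return sum(w for (mask, _), w in states.items() if mask & req_mask == req_mask)


def bits(keyspace):
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_minute=1.0):
    """Years to try every string online; 5 failures then a 5 minute lockout
    averages out to about 1 guess per minute."""
    return keyspace / (guesses_per_minute * 60 * 24 * 365)


def policy_report():
    """Keyspace in bits and exhaustive-search years for the policies discussed."""
    cases = {
        "any 10 printable ASCII": count_passwords(10, CLASSES),
        "10 chars, letter+digit+symbol": count_passwords(10, CLASSES, ALL_THREE),
        "Asus policy (classes + no adjacent repeat)":
            count_passwords(10, CLASSES, ALL_THREE, no_adjacent_repeat=True),
        "25-char passphrase, letter+digit+symbol": count_passwords(25, CLASSES, ALL_THREE),
    }
    return {name: (bits(n), years_to_exhaust(n)) for name, n in cases.items()}


if __name__ == "__main__":
    for name, (b, yrs) in policy_report().items():
        print(f"{name:44s} {b:6.1f} bits  {yrs:.3e} years at 1 guess/min")
```

The report shows the rules cost well under one bit against a 95-character alphabet, and that at one online guess per minute even the smallest keyspace takes far longer than any attacker's lifetime.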
 
You can't realistically do a brute force attack regardless of what the password security policy is. If you enter the HTTP/S password incorrectly 5 times, or the SSH password incorrectly 3 times you are locked out for 5 minutes. This makes brute forcing tens of thousands of password attempts impossible.
Distributed brute force attack. Make your attempts from thousands of different IP addresses using a botnet.
 
Distributed brute force attack. Make your attempts from thousands of different IP addresses using a botnet.
Yeah, like that's going to happen (to a home router). :D Even if someone really, really wanted to do that I think the router would fall over from the load long before they found a valid password.
 
What exactly did they change (make worse)?
Restrictions make some combinations illegal = fewer legal combinations! That's gold for professional hackers.
They should instead make more possible combinations by using unicode passwords and allow more than 32 characters.

At the end of the day it should always be up to the user, Asus doesn't know what situation their router is used in. And if you use your dog's name as password, well then you're a fool and your neighbors and friends (and your teenage kid) will have an easy time guessing it (you can't prevent foolish behavior).
 
Yeah, like that's going to happen (to a home router)
It's all about the botnets, not about a single unique target. If 10,000 infected routers are collectively trying to increase their size, then turn into a 12,000 botnet, that's even more "horsepower" that the bad actor controlling that botnet can use to sell his "services".

It's a profitable market. Why do you think so many Asus routers have been compromised in the past few years? This is also a sign that if the users cannot be trusted to secure their network, then the manufacturer had to step in. Because when some of these sensationalist blog posts are titled "Thousands of Asus routers are INFECTED", it's bad PR for the company, regardless of whether the fault lies in them (which it does when it's a vulnerability getting exploited) or in the users (when it's poor security practices and weak passwords responsible for it).

I know that in some countries, there are some actual legal requirements that are put on Asus regarding security. Some security "features" are region-specific, and go even beyond what these recent "secure by default" requirements are.

What were the old rules?
I don't know, I never really checked. I know they evaluated the strength based on certain rules, and they also prevented the use of obvious passwords such as "admin" or "password123".
 
if the users cannot be trusted to secure their network, then the manufacturer had to step in

Are you talking about the same manufacturer not long ago opening Web Access from WAN for every user with App management preference... or someone else?
 
They should instead make more possible combinations by using unicode passwords and allow more than 32 characters.
Unicode is always a nightmare to implement when you are dealing with something as critical as passwords.

1) Your backend storage needs to be able to handle these (Broadcom's nvram does not - it even chokes beyond a certain 8-bit ASCII range)
2) Your hashing/salting methods need to be able to handle these
3) The UI that receives, validates and passes it to the web server needs to be able to handle these
4) The browsers/proxies that you use need to not mess things up. Which "flavour" of Unicode is your browser using? Are we talking UTF-8? UTF-16?

Unicode simply makes no sense for passwords. Overengineering something that would provide zero net benefit over a 20-25 character readable ASCII password is a waste of resources.

Beyond a certain length, after you have hashed the password, additional characters do not provide any entropy benefits either.
 
Are you talking about the same manufacturer not long ago opening Web Access from WAN for every user with App management preference... or someone else?
As if Asus had a monopoly on bad security decisions in their past (which they DID address since then).

Let's also talk about hardcoded credentials in many competitors. Let's pick one at random - Cisco.
 
Unicode is always a nightmare to implement when you are dealing with something as critical as passwords.

Beyond a certain length, after you have hashed the password, additional characters do not provide any entropy benefits either.
I forgot this is Linux (Linux has never moved to Unicode). Windows has supported Unicode passwords for more than 30 years (Windows NT).

About the length: Why does wi-fi allow 63 characters (or 64 hex) if it doesn't matter? Why does encryption use such huge key lengths?

And browsers today do use UTF-8 as default. This is from the GUI:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 
It's all about the botnets, not about a single unique target. If 10,000 infected routers are collectively trying to increase their size, then turn into a 12,000 botnet, that's even more "horsepower" that the bad actor controlling that botnet can use to sell his "services".

It's a profitable market. Why do you think so many Asus routers have been compromised in the past few years? This is also a sign that if the users cannot be trusted to secure their network, then the manufacturer had to step in. Because when some of these sensationalist blog posts are titled "Thousands of Asus routers are INFECTED", it's bad PR for the company, regardless of whether the fault lies in them (which it does when it's a vulnerability getting exploited) or in the users (when it's poor security practices and weak passwords responsible for it).
I understand what you're saying. I just don't believe a botnet speculatively brute forcing tens (if not hundreds) of thousands* of password attempts at a single random target is a realistic scenario. Yes, theoretically it's possible. But it's more economic to attack a specific valuable target, target devices with known vulnerabilities, or use traditional dictionary attacks.

* As a simple example: An "easy" password of exactly 10 characters consisting of only letters and numbers would result in 835,643 trillion combinations.
 
But it's more economic to attack a specific valuable target, target devices with known vulnerabilities, or use traditional dictionary attacks.
How do you know you're not a 'specific valuable target'?
 