Why Asus new Password security policy is ridiculous

About the length: Why does wi-fi allow 63 characters (or 64 hex) if it doesn't matter? Why does encryption use such huge key lengths?
The WPA2 passphrase is not a password. It's used to generate a 256-bit key derived from it, which is what is used for the actual encryption.

Unlike a password, it's used for encryption, not for authentication.
 
bad security decisions in their past

We've been talking about some for many years, no? Asus App and AiCloud included. Asus steps in only when their reputation is affected and potentially lose money. Otherwise - don't care. So leave the consumer user alone and don't represent Asus like heroes for finally doing something. The statement "if the users cannot be trusted to secure their network, then the manufacturer had to step in" is simply not true for this particular manufacturer based on the past experience. Something bad for the business happened first.
 
The statement "if the users cannot be trusted to secure their network, then the manufacturer had to step in" is simply not true for this particular manufacturer based on the past experience
The discussion in this thread has to do with the rationale behind Asus enforcing strong password policies. In this context, yes, they enforced stronger passwords because just asking users to use a stronger password visibly does not work.
 
because just asking users to use a stronger password visibly does not work

There was a specific trigger event for mass firmware updates and subsequent policy changes. What exactly was the issue was never officially disclosed. Are you saying as per Asus the recent AiCloud attack was entirely users' fault? I remember you personally discouraging the use of AiCloud because of security flaws. Even wanted to remove it from Asuswrt-Merlin at some point. Something obviously "did not work" there and wasn't limited to password strength alone. You have adopted blaming the users strategy.
 
There have been times when I remote into my GT-AXE11000 to check on it and it says I have entered my password incorrectly 5 times, and is doing a count down....

Glad it's only memorable to me....
 
Trying to keep things as simple as possible say 0-9 are the possible characters:

If repeats are allowed:

One character password has 10 possibilities
two 10^2 = 100 or if no consecutive repeat isn't it 10 X 9 = 90
three 10 x 9^2 = 810
etc.

Forcing us to use longer passwords more than make up for the no consecutive restriction...

(Feel free to correct me if I'm wrong, been a very long time since I took probability)...
 
Password security (against brute force attacks) is very simple logic:

It's all about the number of possible combinations!

And that's exactly where this policy fails.

When you apply restrictions you limit the number of legal combinations!
And that is a gift to professional hackers doing brute force attacks. They don't try to guess your dog's name or whatever. They use computers and a computer can just as easily 'guess' a special character as a regular letter. They can put those restrictions into their program so the computer skips those illegal combinations, a true gift to hackers.
That's a rather simplistic and reductive point of view, indicating very little knowledge and understanding with regard to the extremely large number of possible permutations (*not* combinations) when using the 7-bit ASCII printable character set.

The new ASUS restrictions eliminate all password permutations consisting of 9 characters or fewer, and all 10-to-32 character passwords using only letters, only digits, only special symbols, or without any special symbols at all, and consecutive same-character sequences. Admittedly, the sum of all those now-invalid passwords is extremely large, but it's still a negligible number when compared to the immensely larger set of all possible password permutations consisting of 10 to 32 chars using at least one letter, at least one digit, and at least one special symbol.

Assuming that the character domain for valid passwords is the standard 7-bit ASCII character set of printable chars (say, 94 chars total), the total number of possible passwords with 10 to 32 chars in length, using at least one letter, at least one digit, and at least one special symbol, is approx. 1.38 × 10^63. That’s a 10 followed by 63 ZEROs!

For some perspective on where the above number lies among other very large estimates:

The currently accepted estimate for the total number of grains of sand on Earth is approx. 7.5 x 10^18.

The current estimates for the total number of stars in the observable universe are between 2 x 10^23 to 1 x 10^24.

The current estimates for the total number of atoms in the observable universe can range between 10^78 to 10^82.
 
Restrictions make some combinations illegal = fewer legal combinations! That's gold for professional hackers.
Keep in mind that by invalidating all passwords consisting of 9 characters or fewer, ASUS has essentially removed all those "low-hanging fruit" scenarios that are much easier for hackers to crack.

They should instead make more possible combinations by using unicode passwords and allow more than 32 characters.
Yes, ASUS could increase the current maximum limit of 32 chars, and I certainly would not be opposed to it. However, many studies regarding password strength and several journals in cybersecurity have determined that the vast majority of online users create passwords with 12 characters or fewer, despite having a larger maximum limit available, and the number of users with passwords consisting of 30 or more characters has been estimated to be a very tiny fraction of 1%. IOW, even when a greater limit is allowed, users don't really take advantage of it.

In addition, beyond 32 chars (assuming a good password entropy is used), brute force and dictionary attacks become even more expensive and time-consuming to sustain due to the immensely huge number of possible permutations, so hackers see very little benefit in trying, and prefer to target the "low-hanging fruit" which are more frequent and easier to find.
 
...
Unicode simply makes no sense for passwords. Overengineering something that would provide zero net benefit over a 20-25 readable ASCII character password is a waste of resources.

Beyond a certain length, after you have hashed the password, additional characters do not provide any entropy benefits either.
Could you clarify the last sentence? It's not crystal clear (at least to me) whether "additional chars do not provide..." is referring to an increase in the length of the password, or to an increase in the number of chars in the character set being used.
 
That's a rather simplistic and reductive point of view, indicating very little knowledge and understanding with regard to the extremely large number of possible permutations (*not* combinations) when using the 7-bit ASCII printable character set.
Yeah right, if you disagree, shoot the messenger.
English is not my native language, I won't fight over specific words. Maybe I do mean permutations, that's not important. Although if I remember my school math, permutations are used when each character is unique in the string.

As stated in my first post, the 10 character minimum is an IMPROVEMENT!
At least we can agree that it's at best silly to have a max length.

One reason I love Unicode passwords is it keeps Linux hackers off: "Oh no, you can't use non-ASCII letters in passwords, no need to check those".

A bit off-topic, but a word on hashing. Hashing was a great idea when computers were slow. Nowadays when NSA gets their hand on a hash, they feed it into their new fancy Quantum computer, then it can brute force your password OFFLINE (you don't even know when it happens). That's why password lengths (and hash lengths) must grow all the time.
 
Could you clarify the last sentence? It's not crystal clear (at least to me) whether "additional chars do not provide..." is referring to an increase in the length of the password, or to an increase in the number of chars in the character set being used.
Length. I don't remember exact numbers because I read that years ago, but I remember an article mentioning that past a certain number of characters, there were very limited gains in password strength. Someone with a better understanding of crypto than me would be better able to explain this; crypto has never been an area of expertise for me. Too much maths for my taste.
 
The maximum limit is probably due to memory constraints, or more specifically the variable that holds the password maximum length. They probably don't want to have to work around that limitation unless they have to.

I would hope that someone with access to a quantum computer would not waste their time trying to hack my ASUS router. They're probably/very likely already richer than me...
 