
Why Asus new Password security policy is ridiculous

bout the length: Why does wi-fi allow 63 characters (or 64 hex) if it doesn't matter? Why does encryption use such huge key lengths?
The WPA2 passphrase is not a password. It's used to generate a 256-bit key derived from it, which is what is used for the actual encryption.

Unlike a password, it's used for encryption, not for authentication.
 
bad security decisions in their past

We've been talking about some for many years, no? Asus App and AiCloud included. Asus steps in only when their reputation is affected and potentially lose money. Otherwise - don't care. So leave the consumer user alone and don't represent Asus like heroes for finally doing something. The statement "if the users cannot be trusted to secure their network, then the manufacturer had to step in" is simply not true for this particular manufacturer based on the past experience. Something bad for the business happened first.
 
The statement "if the users cannot be trusted to secure their network, then the manufacturer had to step in" is simply not true for this particular manufacturer based on the past experience
The discussion in this thread has to do with the rationale behind Asus enforcing strong password policies. In this context, yes, they enforced stronger passwords because just asking users to use a stronger password visibly does not work.
 
because just asking users to use a stronger password visibly does not work

There was a specific trigger event for mass firmware updates and subsequent policy changes. What exactly the issue was has never been officially disclosed. Are you saying that, as per Asus, the recent AiCloud attack was entirely the users' fault? I remember you personally discouraging the use of AiCloud because of security flaws. You even wanted to remove it from Asuswrt-Merlin at some point. Something obviously "did not work" there and it wasn't limited to password strength alone. You have adopted a blame-the-users strategy.
 
There have been times when I remote into my GT-AXE11000 to check on it and it says I have entered my password incorrectly 5 times, and is doing a count down....

Glad it's only memorable to me....
 
Trying to keep things as simple as possible say 0-9 are the possible characters:

If repeats are allowed:

One character password has 10 possibilities
two 10^2 = 100 or if no consecutive repeat isn't it 10 X 9 = 90
three 10 x 9^2 = 810
etc.

Forcing us to use longer passwords more than makes up for the no-consecutive-repeat restriction...

(Feel free to correct me if I'm wrong, been a very long time since I took probability)...
 
Password security (against brute force attacks) is very simple logic:

It's all about the number of possible combinations!

And that's exactly where this policy fails.

When you apply restrictions you limit the number of legal combinations!
And that is a gift to professional hackers doing brute force attacks. They don't try to guess your dog's name or whatever. They use computers, and a computer can just as easily 'guess' a special character as a regular letter. They can put those restrictions into their program so the computer skips those illegal combinations, a true gift to hackers.
That's a rather simplistic and reductive point of view, indicating very little knowledge and understanding with regard to the extremely large number of possible permutations (*not* combinations) when using the 7-bit ASCII printable character set.

The new ASUS restrictions eliminate all password permutations consisting of 9 characters or fewer, and all 10-to-32 character passwords using only letters, only digits, only special symbols, or without any special symbols at all, and consecutive same-character sequences. Admittedly, the sum of all those now-invalid passwords is extremely large, but it's still a negligible number when compared to the immensely larger set of all possible password permutations consisting of 10 to 32 chars using at least one letter, at least one digit, and at least one special symbol.

Assuming that the character domain for valid passwords is the standard 7-bit ASCII character set of printable chars (say, 94 chars total), the total number of possible passwords with 10 to 32 chars in length, using at least one letter, at least one digit, and at least one special symbol, is approx. 1.38 × 10^63. That’s a 10 followed by 63 ZEROs!

For some perspective on where the above number lies among other very large estimates:

The currently accepted estimate for the total number of grains of sand on Earth is approx. 7.5 x 10^18.

The current estimates for the total number of stars in the observable universe are between 2 x 10^23 to 1 x 10^24.

The current estimates for the total number of atoms in the observable universe can range between 10^78 to 10^82.
 
Restrictions make some combinations illegal = fewer legal combinations! That's gold for professional hackers.
Keep in mind that by invalidating all passwords consisting of 9 characters or fewer, ASUS has essentially removed all those "low-hanging fruit" scenarios that are much easier for hackers to crack.

They should instead make more possible combinations by using unicode passwords and allow more than 32 characters.
Yes, ASUS could increase the current maximum limit of 32 chars, and I certainly would not be opposed to it. However, many studies regarding password strength and several journals in cybersecurity have determined that the vast majority of online users create passwords with 12 characters or fewer, despite having a larger maximum limit available, and the number of users with passwords consisting of 30 or more characters has been estimated to be a very tiny fraction of 1%. IOW, even when a greater limit is allowed, users don't really take advantage of it.

In addition, beyond 32 chars (assuming a good password entropy is used), brute force and dictionary attacks become even more expensive and time-consuming to sustain due to the immensely huge number of possible permutations, so hackers see very little benefit in trying, and prefer to target the "low-hanging fruit" which are more frequent and easier to find.
 
...
Unicode simply makes no sense for passwords. Overengineering something that would provide zero net benefit over a 20-25 readable ASCII characters passwords is a waste of resources.

Beyond a certain length, after you have hashed the password, additional characters do not provide any entropy benefits either.
Could you clarify the last sentence? It's not crystal clear (at least to me) whether "additional chars do not provide..." is referring to an increase in the length of the password, or to an increase in the number of chars in the character set being used.
 
That's a rather simplistic and reductive point of view, indicating very little knowledge and understanding with regard to the extremely large number of possible permutations (*not* combinations) when using the 7-bit ASCII printable character set.
Yeah right, if you disagree, shoot the messenger.
English is not my native language, I won't fight over specific words. Maybe I do mean permutations, that's not important. Although if I remember my school math, permutations are used when each character is unique in the string.

As stated in my first post, the 10 character minimum is an IMPROVEMENT!
At least we can agree that it's at best silly to have a max length.

One reason I love Unicode passwords is it keeps Linux hackers off: "Oh no, you can't use non-ASCII letters in passwords, no need to check those".

A bit off-topic, but a word on hashing. Hashing was a great idea when computers were slow. Nowadays when NSA gets their hand on a hash, they feed it into their new fancy Quantum computer, then it can brute force your password OFFLINE (you don't even know when it happens). That's why password lengths (and hash lengths) must grow all the time.
 
Could you clarify the last sentence? It's not crystal clear (at least to me) whether "additional chars do not provide..." is referring to an increase in the length of the password, or to an increase in the number of chars in the character set being used.
Length. I don't remember exact numbers because I've read that years ago, but I remember an article mentioning that past a certain number of characters, there was very limited gains in password strength. Someone with better understanding in crypto than me would better be able to explain this, crypto has never been an area of expertise for me. Too much maths for my taste.
 
The maximum limit is probably due to memory constraints, or more specifically the variable that holds the password maximum length. They probably don't want to have to work around that limitation unless they have to.

I would hope that someone with access to a quantum computer would not waste their time trying to hack my ASUS router. They're probably/very likely already richer than me...
 
The new ASUS restrictions eliminate all password permutations consisting of 9 characters or fewer, and all 10-to-32 character passwords using only letters, only digits, only special symbols, or without any special symbols at all, and consecutive same-character sequences.
Thank you for posting this! Now I finally understand why the entropy got smaller.
 
Thank you for posting this! Now I finally understand why the entropy got smaller.
Ah, ENTROPY, new word to learn, sounds good to me. That's what fighting brute force attacks is all about.
 
Length. I don't remember exact numbers because I've read that years ago, but I remember an article mentioning that past a certain number of characters, there was very limited gains in password strength. Someone with better understanding in crypto than me would better be able to explain this, crypto has never been an area of expertise for me. Too much maths for my taste.
OK, thanks for the clarification. It looks like you might be misremembering some key details of what you read because, given a specific character set as the domain (e.g., 7-bit ASCII printable chars), increasing the length of a password always has a significant impact on password entropy (more so than the complexity of the string), and therefore increases the password strength. IOW, password length is considered to be the primary factor (although it's not the only factor) for increasing password strength.

The main reason is that increasing the number of characters in a password always leads to an exponential growth in the total number of possible password permutations, hence making the password more computationally expensive and time-consuming to crack using common hacking methods like brute force and dictionary attacks.

Here is the standard equation used to calculate password entropy:

E = log₂(N^L)

Where E is the entropy in bits, L is the length of the password, and N is the size of the character set.

Note that inside the parentheses is the general equation for calculating the total number of possible password permutations given a specific character set and a given length (for brevity, let’s ignore for the moment the requirements of having at least one letter, at least one digit, at least one special symbol, and no consecutive same-character sequences).

P = N^L

As you can see, the total number of permutations P grows exponentially as the length L increases, so it becomes clear that increasing the password length is a very effective way to increase its entropy, and therefore its strength.

Now, in practical terms for the average user, it's very likely that after a very large number of characters (e.g. say, a 100-char password), increasing the password length even more may not yield any meaningful gains in extra security, but that scenario is highly unlikely to happen IRL.
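The counting argued in this thread, worked through in Python as an added example (not code from any post here): the inclusion-exclusion count of 10-to-32 character passwords over the 94 printable ASCII characters that use at least one letter, one digit and one symbol, the entropy E = log2(N^L) from the post above, and the 10 x 9 x 9 no-consecutive-repeat count from earlier in the thread. The class sizes (52 letters, 10 digits, 32 symbols) are an assumption of the example.

```python
import math
from itertools import combinations

# Assumed split of the 94 printable 7-bit ASCII characters into the three
# classes the ASUS rule requires (constructed for this example).
CLASSES = {"letters": 52, "digits": 10, "symbols": 32}


def count_with_all_classes(length, classes=CLASSES):
    """Exact number of strings of `length` chars that contain at least one
    char from every class, by inclusion-exclusion over the classes left out."""
    n = sum(classes.values())
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for left_out in combinations(sizes, k):
            total += (-1) ** k * (n - sum(left_out)) ** length
    return total


def count_range(min_len, max_len):
    """All passwords of min_len..max_len chars with a letter, a digit and a symbol."""
    return sum(count_with_all_classes(L) for L in range(min_len, max_len + 1))


def entropy_bits(n, length):
    """E = log2(N^L): bits of entropy of a uniformly random L-char string over N chars."""
    return length * math.log2(n)


def count_no_consecutive_repeat(n, length):
    """Strings with no two adjacent equal chars: N choices for the first
    position and N-1 for every following one (the 10 x 9 x 9 reasoning)."""
    return n * (n - 1) ** (length - 1) if length else 1


if __name__ == "__main__":
    allowed = count_range(10, 32)
    unrestricted = sum(94 ** L for L in range(10, 33))
    print(f"10-32 chars with all three classes: {allowed:.3e}")
    print(f"share of the 10-32 char space removed by the class rule: {1 - allowed / unrestricted:.4f}")
    print(f"entropy, random 10-char vs 32-char password: "
          f"{entropy_bits(94, 10):.1f} vs {entropy_bits(94, 32):.1f} bits")
    print(f"3 digits, no adjacent repeat: {count_no_consecutive_repeat(10, 3)}")
```

The class rule only trims a few percent of the 10-to-32 character space (almost entirely the symbol-free passwords), which is the quantitative form of the "negligible" claim made above.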
 
Now I finally understand why the entropy got smaller.
No, you misunderstood. The latest restrictions for new passwords do not cause entropy to change.

Password entropy is a measurement that reflects the theoretical randomness of a particular password string - the more random and unpredictable a password is, the greater its strength. The entropy value is calculated using the size of the character set being used and the length of the specific password string. So far, there's nothing to suggest that the new ASUS restrictions put limits on the size of the character sets (letters, digits, and symbols) you can use to create your password, nor was there a change in the maximum size of a new password (32 characters just like before). Therefore, the entropy of a given password created under the new restrictions can remain the same.
 
It’s maybe over my head indeed, but if the minimum length is 10 now and there was no restriction before, doesn’t that mean that a subset of previous possible combinations a hacker should try no longer need to be tested, making the search space smaller? (and thus a smaller entropy?)
 
It’s maybe over my head indeed, but if the minimum length is 10 now and there was no restriction before, doesn’t that mean that a subset of previous possible combinations a hacker should try no longer need to be tested, making the search space smaller? (and thus a smaller entropy?)
Yes it's mathematically fewer combinations but people seem to be missing the point.

1) You're eliminating short (e.g. 5 character) passwords that might be brute forced by a large botnet if it gets lucky.
2) By specifying a minimum of 10 characters it becomes impossible to brute force no matter how large a botnet you use. Even if you got lucky after say 0.0001% of the possible combinations all life on earth would have ceased by then.
 
