Asus new firmware doesn't allow spaces in WPA2/WPA3 passwords

[OzarkEdge]

I use a long passphrase and use spaces in my passwords.

While not a crisis, if Asus changes which characters are allowed that would be unfortunate.

Their popup help says 'letters and numbers' which suggests no symbols or punctuation.

I use the first letter of each word in an easy-to-remember passphrase, plus some key numbers inserted at key places. For example:

"The grass is always greener on the other side."

Becomes WPA Pre-Shared Key: tg2021iag2021otos

OE

 

[XIII]

Using a space might make your password "safer"...

None of the brute-force attempts used passwords that included white space

Attackers don't bother brute-forcing long passwords, Microsoft engineer says

According to data collected by Microsoft\'s network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters.

therecord.media

 

[OzarkEdge]

Using a space might make your password "safer"...

Attackers don't bother brute-forcing long passwords, Microsoft engineer says

According to data collected by Microsoft\'s network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters.

therecord.media

A space is just another character and is generally not permissible (causes more trouble than it's worth)... why would hackers try to brute force a character likely not used.

With the exception of WiFi, I don't use the same password twice and they look like these:

zg0>@ltl5~)mzRWx
a%|5~is&dyfH$Jd}
0a4k$yTo}P%eW}m?
tcr*jbgHbm%t}UL:
.C;.Ha>;+.ao~bIz
HO%GL:49'!}orKcG
}C&E.EGX`MW?.<od

They're safe enough without a space character.

OE

 

[Spc]

I just got official word from asus:
If you want to use space at the end of the wpa password stay on lower firmware and don't upgrade.

New firmware doesn't support space at the end and that's final.

 

[Tech9]

space at the end

What's the problem actually? Space at the end or space anywhere?

 

[bbunge]

Space, the Final Frontier!
Will Asus or any other consumer company bow to customer wishes and allow spaces again?
Or, will users risk the security of their equipment by staying on old firmware fraught with vulnerabilities?
Stay tuned! But, "Difficult to see. Always in motion is the future."

 

[Spc]

What's the problem actually? Space at the end or space anywhere?

I tested it on newest firmware.
For me space doesn't work at the end and in the middle of the password.

Maybe we need asus merlin fork that allows spaces at the end and in the middle with latest 82u firmware.

Space, the Final Frontier!
Will Asus or any other consumer company bow to customer wishes and allow spaces again?
Or, will users risk the security of their equipment by staying on old firmware fraught with vulnerabilities?
Stay tuned! But, "Difficult to see. Always in motion is the future."

Yep i guess anyone who wants a space in the password will be vulnerable to other attacks as there will be no new firmware updates for us.

Maybe if we can get merlin official or FORK working on 82u, we can create a script or make merlin version accept passwords with space at the end and space in the middle.
Or if someone from you knows a guy that works for ASUS, you can kindly ask them to add support back as it was in old versions.

 

[L&LD]

There is no need for spaces in passwords. There are many reasons why there shouldn't be any.

Time to move on. Asus has fixed the code (finally).

 

[Tech9]

doesn't work

Just one more thing that doesn't work in Asuswrt. Enjoy the RGB lights.

 

[OzarkEdge]

I tested it on newest firmware.
For me space doesn't work at the end and in the middle of the password.

Maybe we need asus merlin fork that allows spaces at the end and in the middle with latest 82u firmware.


Yep i guess anyone who wants a space in the password will be vulnerable to other attacks as there will be no new firmware updates for us.

Maybe if we can get merlin official or FORK working on 82u, we can create a script or make merlin version accept passwords with space at the end and space in the middle.
Or if someone from you knows a guy that works for ASUS, you can kindly ask them to add support back as it was in old versions.

If you want spaces, spell 'em out!

OE

 

[Spc]

It's very funny, as these spaces work on all other firmware, including merlin, dd-wrt, openwrt, linksys, tp-link, cisco, belkin... etc.

 

[XIII]

Are spaces allowed in the specification?

(Wikipedia claims this, but I can’t find the correct original document)

Can a company loose WiFi certification for “such a small thing”?

 

[Spc]

Can a company loose WiFi certification for “such a small thing”?

Maybe.
And yes, spaces are allowed by standard, also ASUS official firmware is the first firmware that disallows spaces.

 

[Spc]

Wikipedia's Wi-Fi Protected Access says the WPA-PSK passphrase is 8 to 63 printable ASCII characters, and includes this reference as a footnote:

"The space character is included in this range"

Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal), inclusive. (IEEE Std. 802.11i-2004, Annex H.4.1) The space character is included in this range.

Quote here:
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#cite_ref-21

So ASUS is not compliant to RFC standard.

 

[Kritiker]

I just got caught by the the inability to use white space in WPA Pre-Shared keys. I just upgraded to Merlin 386.5 from older stock version and suddenly couldn't make changes to the Advanced Settings | | Wireless General tab because I had WPA pre-shared key with a blank and while the firmware upgrade carried over the pre-shared key with white space and I didn't have to change it, I am now unable to make any changes to this Wireless General tab unless I change the Pre-Shared key so it doesn't have white space. But that would affect too many people and devices in the household to be undertaken lightly. Any change attempt, even leaving the current password unchanged produces the message "Pre-shared key can not contain white space!".

It is unfortunate and annoying that so many companies, decide for whatever reason to have slightly different rules for such keys. Some years ago now, I had an IOT device (a thermostat, I believe) that refused to connect until i removed characters that were disallowed in its pre-shared keys. I had to change the router password to match and then change the other router clients' keys too - and they had different sets of characters that weren't allowed - no consistency - and not documented either. I had to contact the thermostat's tech support for help and then found out about the banned characters.

Apparently there is some good reason why Asus disallows white space, in contravention of the above quoted "Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal), inclusive. (IEEE Std. 802.11i-2004, Annex H.4.1) The space character is included in this range."

What is that good reason and is Merlin likely to change back to allowing it? I thought I read, not.

Thanks.

 

[bbunge]

I just got caught by the the inability to use white space in WPA Pre-Shared keys. I just upgraded to Merlin 386.5 from older stock version and suddenly couldn't make changes to the Advanced Settings | | Wireless General tab because I had WPA pre-shared key with a blank and while the firmware upgrade carried over the pre-shared key with white space and I didn't have to change it, I am now unable to make any changes to this Wireless General tab unless I change the Pre-Shared key so it doesn't have white space. But that would affect too many people and devices in the household to be undertaken lightly. Any change attempt, even leaving the current password unchanged produces the message "Pre-shared key can not contain white space!".

It is unfortunate and annoying that so many companies, decide for whatever reason to have slightly different rules for such keys. Some years ago now, I had an IOT device (a thermostat, I believe) that refused to connect until i removed characters that were disallowed in its pre-shared keys. I had to change the router password to match and then change the other router clients' keys too - and they had different sets of characters that weren't allowed - no consistency - and not documented either. I had to contact the thermostat's tech support for help and then found out about the banned characters.

Apparently there is some good reason why Asus disallows white space, in contravention of the above quoted "Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal), inclusive. (IEEE Std. 802.11i-2004, Annex H.4.1) The space character is included in this range."

What is that good reason and is Merlin likely to change back to allowing it? I thought I read, not.

Thanks.

Sigh... And the space goes on... No, spaces in passwords have never been good since the early days of DoS. Spend the time now to reset all your devices with a new space less password .Alpha numeric only, please!

 

[Kritiker]

Sigh... And the space goes on... No, spaces in passwords have never been good since the early days of DoS. Spend the time now to reset all your devices with a new space less password .Alpha numeric only, please!

Yeah, it goes on. And on, and on, and on. Just one surprise or side effect after another.

Sorry, but I did not find your response in any way helpful.

Would you, please, be so kind to explain to me what's wrong with using blanks and special characters in keys instead of chastising me for doing so?

Why did Asus only disallow them recently? And why does the specification still appear to allow them?

Yesterday I did a firmware update and suddenly blanks in keys were disallowed. Yet another surprise, yet another side effect. Yet more work foisted on my by a technology firm.

I've been around since the early days of DOS and have somehow managed to avoid learning that spaces in keys "are not a good thing". What about punctuation? And special characters?

An inability to handle blanks and special characters in fields, requiring just alphanumerics, is so 1990s. I thought the airlines, at least until just a few years ago, were the last bastions of not being able to handle passengers given names like "Mary Jane" or sur-names like "Smythe Jones" or O'Neal".

It is not just the effort of making the change. It is once again being forced into someone else's idea of what I should or can be doing for no good, stated reason.

And surely you are not saying that I cannot use hex 20 in a hex string used as a key?

At least the firmware upgrade left my keys intact so I can change them at a more convenient time; I will change them; Asus has seen to that.

But I do not like surprises.

 

[thiggins]

Would you, please, be so kind to explain to me what's wrong with using blanks and special characters in keys instead of chastising me for doing so?

At the risk of your thinking I'm "chastising" you, I'm surprised you did not learn this lesson back in DOS days. The root of the problem is that not every system handles spaces the same way. Spaces are also handled differently in different contexts (filenames, passwords, data entry fields, URLs).

It is not just the effort of making the change. It is once again being forced into someone else's idea of what I should or can be doing for no good, stated reason.

Welcome to the wonderful world of technology.
"Life: live it or live with it!" -- Firesign Theater

 

[Kritiker]

What lesson? Please tell me.

Blanks have certainly caused many problems in the past but we have figured (most of) those out.

I'd just like to know:

• What is bad about blanks in WPA keys? Not in file names, not in paths but in WPA keys?
  
  
• Why would the standard still allow them?
  
  
• Are other companies following Asus' lead?
  
  
• Why disallow them now, after all these years? Were they causing problems?

 

[OzarkEdge]

What lesson? Please tell me.

Blanks have certainly caused many problems in the past but we have figured (most of) those out.

I'd just like to know:

• What is bad about blanks in WPA keys? Not in file names, not in paths but in WPA keys?
  
  
• Why would the standard still allow them?
  
  
• Are other companies following Asus' lead?
  
  
• Why disallow them now, after all these years? Were they causing problems?

Passwords restricted to using a specific subset of characters and no spaces is common... and not a problem.

OE