Tutorial How to reset encrypted admin password via SSH

[Yota]

Asus and Asuswrt-Merlin have introduced encrypted passwords since 3.0.0.4.384_81790 and 384.17 firmware, which I appreciate, but I messed up a few days ago.

I tried backing up all encrypted password hashes in nvram in ssh and re-writing to nvram, but I found that even though nvram didn't change anything, the GUI told me the password was wrong. because there are many important settings that are not backed up, I don't want to do a factory reset, so I tried looking for a solution, the good news is I found it.

Prerequisites:
You must be able to log into your router via SSH.
(For me I'm using Authorized Keys so I can still log in even if the GUI password is incorrect)

How to do:
1) Enter the following commands in SSH:

nvram set http_passwd=admin
nvram commit

2) Now logging into the GUI with admin as the password should ask you to reset the password (Or just open: http://192.168.50.1/Main_Password.asp )

3) Congrats, you've unlocked your password without resetting the router

How it works:
I remember that when 378 or 380, asus introduced an initial setting check, when the default password is admin, it will enter an interface and ask to change the password before continuing to enter the GUI, This is a security feature to make sure no one uses admin as the password.
So we just need to use SSH to write the plaintext admin password to nvram, we can trigger the interface to reset the password, and when we reset the password, we can enter the GUI.
In short we are using one security feature to hack another security feature.

Note:
This method may not work for everyone because not everyone has SSH enabled and Authorized Keys set. So when there is no way to log into the router via SSH, the only way is to do a factory reset.
Anyone is welcome to copy this thread to the wiki.

 

[Yota]

Encrypted passwords are a challenge for nvram save restore utility, maybe it's time to revive it with this trick @Xentrk

Edit:
Just realized that RMerlin discovered this trick two years ago:

At a quick glance, I think httpd has a special case for when httpd_passwd is set to the default password. So, try setting it to "admin", it might then let you connect over http, and define a new, encrypted password.

 

[anaknipedro]

I have the same issue but luckily I can login via SSH. I have https turned on. is the command just https_passwd ?

 

[Yota]

I have the same issue but luckily I can login via SSH. I have https turned on. is the command just https_passwd ?

nvram set http_passwd=admin
nvram commit

Whether you have HTTPS enabled or not, the command is the same, no s

 

[anaknipedro]

Thanks again for this tip. I've run into this problem again so I'm revisiting the thread. I've tried the commands you suggested via ssh (I am using authorized keys and can successfully login via terminal.) but I'm still unable to login. Could I be experiencing problems because I'm not using the default username?

 

[Yota]

Thanks again for this tip. I've run into this problem again so I'm revisiting the thread. I've tried the commands you suggested via ssh (I am using authorized keys and can successfully login via terminal.) but I'm still unable to login. Could I be experiencing problems because I'm not using the default username?

Sorry to see you locked out again.

What version of firmware are you using, and what model?

I don't know if the current version of the firmware fixes this, but it's worth trying to change the username to admin as well.

nvram set http_username=admin
nvram commit

 

[austin17427]

I have the same issue but luckily I can login via SSH. I have https turned on. is the command just https_passwd ?

When you ssh `nvram show | grep pass` will show you the keys, so you'll see it's `http_passwd=blah`

 

[SeaGee]

Ive recently ran into the same problem and have tried going through these steps and cannot replicate. I dont even have http_pass so i tried it on a few others. I have an 86u. The fields that have admin now were blank before.

 

[Jeffrey Young]

Ive recently ran into the same problem and have tried going through these steps and cannot replicate. I dont even have http_pass so i tried it on a few others. I have an 86u. The fields that have admin now were blank before.
View attachment 53205

I had to use this great info today. What router and firmware are you using?

Always possible Asus has changed something. I used it today on a AC86U, 386.7 firmware.

 

[SeaGee]

Hmmm, you know I had just updated it the other day when I saw there was a new update available, pretty certain that this was it. The same most updated version, .7

 

[SeaGee]

Also now that I think of it this is the first time I had tied logging into the GUI since the update

 

[Yota]

Ive recently ran into the same problem and have tried going through these steps and cannot replicate. I dont even have http_pass so i tried it on a few others. I have an 86u. The fields that have admin now were blank before.

You are correct, Asus has hidden the http_passwd variable in the latest firmware (386.12). They may be aware that malware with root privileges can change the router's password in this way.



@RMerlin Any thoughts on this?

 

[SeaGee]

Crap, so strange this happened, I really didn't want to reset it.

 

[Jeffrey Young]

You are correct, Asus has hidden the http_passwd variable in the latest firmware (386.12). They may be aware that malware with root privileges can change the router's password in this way.



@RMerlin Any thoughts on this?

That is unfortunate. Saved my but today as I did not remember the password to my test router. But, I can understand where Asus is coming from.

 

[Yota]

That is unfortunate. Saved my but today as I did not remember the password to my test router. But, I can understand where Asus is coming from.

Which model? firmware version?

 

[Jeffrey Young]

AC86U, 386.10, I believe. What ever my signature says.

 

[RMerlin]

@RMerlin Any thoughts on this?

I don't know how webui passwords are now being handled. Probably wouldn't matter anyway since you'd need to be able to encrypt/decrypt the password if you decided to interact directly with the nvram value.

I guess you could try setting it for "admin" and see if after a reboot it gets encrypted and applied to the new storage location.

 

[mmmmmm]

I am also locked out of the web GUI.

ASUSWRT-Merlin RT-AC86U 386.12_0 Mon Sep 4 15:48:44 UTC 2023

I can SSH and tried the following:

admin@RT-AC86U-3CC8:/tmp/home/root# nvram get http_passwd
admin@RT-AC86U-3CC8:/tmp/home/root# nvram set http_passwd=admin
admin@RT-AC86U-3CC8:/tmp/home/root# nvram commit
admin@RT-AC86U-3CC8:/tmp/home/root# nvram set http_username=admin
admin@RT-AC86U-3CC8:/tmp/home/root# nvram commit

None of the above helps.
Can anyone, please, advise?

 

[ColinTaylor]

I am also locked out of the web GUI.

ASUSWRT-Merlin RT-AC86U 386.12_0 Mon Sep 4 15:48:44 UTC 2023

I can SSH and tried the following:

admin@RT-AC86U-3CC8:/tmp/home/root# nvram get http_passwd
admin@RT-AC86U-3CC8:/tmp/home/root# nvram set http_passwd=admin
admin@RT-AC86U-3CC8:/tmp/home/root# nvram commit
admin@RT-AC86U-3CC8:/tmp/home/root# nvram set http_username=admin
admin@RT-AC86U-3CC8:/tmp/home/root# nvram commit

None of the above helps.
Can anyone, please, advise?

Have you rebooted the router since making those changes?

 

[mmmmmm]

Have you rebooted the router since making those changes?

No, I did not. I feel so stupid.
It worked after reboot. It directed me to the change password page and now I am back in.
Thank you Colin