Merlin Password Length

Davd

Hi

I recently created a new admin password for my Asus router running Merlin. My password manager created a 24-character password, which was accepted by the router; however, I cannot sign on as admin anymore. In researching the issue, it appears there is a 16-character password limit. I have tried taking the first 16 characters, the last 16 characters and several 16-character strings from the generated password and none work. I have also tried using the old password and default password to no avail. I am now looking at a router reset and trying to avoid this option. If someone has a solution, please let me know or let me know if I do indeed have to take the nuclear option.

Thank you
 
None that I'm aware of; I found this out the hard way myself a long time ago.

The 16-character limit is a limitation of the AsusWRT firmware, whether it's stock, Merlin, or another fork; the best you can probably do in this case is to factory reset, then set your password no longer than 16 characters.

If someone knows different, let's hope they reply.
 
Thank you,

This is a Hail Mary attempt to avoid a reset, but things are looking like a factory reset is the answer. Thanks for your input, maybe an angel will have another option! Sometimes the best learned lessons are through the hard way.
 
Depends. My 56u has that max but my 86u doesn’t have this issue. But I’m not sure what the max is on the 86u as I’ve not tested to see how many characters more than my 56u I can use.
 
I have an 88u
 
Thanks, unfortunately I did not, but I like the recommendation!
If you enabled ssh, you might still try logging in there (it's a different path). Try the first 15 and first 16 characters as the password.
 
Just as an FYI: httpd_passwd is now encrypted on the RT-AX88U, so you can't just change it over SSH for that model. I suspect that change might possibly make it to other models in the future.
 
I discovered about 3 years ago that somewhere in the code, a non-alphanumeric character seems to be handled as 3 bytes.

So if you include (for example) a minus sign in the password, the maximum length (as seen by a human) reduces to 14 characters.

It's a long time ago and I don't remember the exact details. I'm not sure if this limitation was in the logon screen itself, or perhaps in OpenVPN.
 
Thank you so much for posting this in this month and this year!! I made an account so I could add to this discussion because I set my router up yesterday, and today I thought I was going insane typing in the password and it wasn't working. Luckily I had taken a screenshot when I first set it up, so I knew I wasn't typing an incorrect one. It was only when I finally noticed that the max character length when signing in was 16. So why did it let me create a 17+ character password in the first place?? We did end up just resetting the router just now.
 
Welcome to our forum. There was a time when you couldn’t paste a password when logging in; I think you can now. When that was the case it would sometimes take me 3 or 4 attempts to log in, especially from a small form-factor smart phone. The frustration of that soon forced me to reassess the reasons for the length of my password. I now have 12 characters and most times can get in first time!
 
The real question seems to be, what does the firmware do when presented with a password string longer than 16 characters? Does it truncate the string and ignore everything after the 16th? Does it take only the last 16 characters? Does it take the middle 16?

The only horribly stupid thing to do in this case is store the whole password and then truncate future login attempts, thus guaranteeing failure.
 
Also it could take the first 15 characters and overwrite the 16th with the last.
 
The webui input field is limited to 16 characters, so you shouldn't even be able to type more than 16 characters.

Internally, I have no idea what can happen to it, as part of the password management is closed source. Could be anything from blindly supporting it, up to potentially crashing if Asus isn't properly validating the size and causing buffer overruns. I don't know.
 
Funny, my 86 has the 16 limit. Put in anything over and it won't apply.
 
With Firefox 64, manually typing or pasting a string longer than 16 characters only pastes the first 16. As long as all places to enter the password are limited to 16 characters, there shouldn't be an issue even if you pasted a 32 character password since in the case of creating the password and logging in the string should be truncated to the first 16 characters.

For anyone that worries, a 16 character password is ample for WiFi security. If it's a random alphanumeric string, it offers 95 bits of security. That might seem a little low, but consider that an array of 1 million computers all running AMD Threadripper 2990WX cracking your password at the rate of one try per core per clock would still take about 5,000 years to crack it.
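
Added illustration (not part of any post in this thread, and not Asus or Merlin code): a Python model of the set-versus-login truncation mismatch and the reported 3-bytes-per-symbol budget, plus a generator that stays inside both. The firmware's real handling is closed source per the thread, so the storage policies, the byte-cost rule and the sample password are assumptions built from what the posts describe.

```python
import math
import secrets
import string

LIMIT = 16  # login-field limit reported in the thread
# Constructed 24-character sample, standing in for a password-manager output.
SAMPLE = "Xq7-Lm2pRt9vBn4kZs8wYc3H"

def login_ok(stored, typed, login_limit=LIMIT):
    """Model a login form that cuts input to login_limit before comparing."""
    return secrets.compare_digest(stored.encode(), typed[:login_limit].encode())

def working_guesses(original, set_limit):
    """Which recovery guesses log in, given how the set path stored the password.

    set_limit=None models a set path that keeps the whole string (assumption);
    set_limit=16 models a set path that truncates the same way as login.
    """
    stored = original if set_limit is None else original[:set_limit]
    guesses = {
        "full": original,
        "first16": original[:LIMIT],
        "last16": original[-LIMIT:],
    }
    return [name for name, guess in guesses.items() if login_ok(stored, guess)]

def byte_cost(password):
    """Bytes used if each non-alphanumeric character costs 3 (as one post reports)."""
    return sum(1 if ch.isascii() and ch.isalnum() else 3 for ch in password)

def fits_router(password, limit=LIMIT):
    """True only if the password survives both the field limit and the byte budget."""
    return len(password) <= limit and byte_cost(password) <= limit

def generate(limit=LIMIT):
    """Random alphanumeric password that fits; returns (password, entropy bits)."""
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(limit))
    return password, limit * math.log2(len(alphabet))

if __name__ == "__main__":
    print("consistent truncation:", working_guesses(SAMPLE, 16))
    print("set path stores everything:", working_guesses(SAMPLE, None))
    print("13 alnum + '-':", byte_cost("a" * 13 + "-"), "bytes")
    print(generate())
```

Running `fits_router` on a candidate before saving it in the router UI catches both the length limit and the symbol expansion without depending on how a given firmware build truncates.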
 
It is an old thread but maybe it helps.
I have downgraded from RT-AX58U_386.4_0 due to stability issues. The 386.4 accepted the 16+ password but after the downgrade I wasn't able to log in :)

The trick to log in for me is to use burp or a similar tool to change your "login_authorization" data (your username/password is encoded but burp does the job for you).
 
