Password length

[Elbowman]

Hello everyone.
Maybe starting posting here from a request is not a good idea, but I try.
Limiting password length to 16 characters looks a little bit strange for me.
Would it be possible to add few more?

Thank you in advance, for support and work you provide for such a simple user like me.

 

[RMerlin]

Hello everyone.
Maybe starting posting here from a request is not a good idea, but I try.
Limiting password length to 16 characters looks a little bit strange for me.
Would it be possible to add few more?

Thank you in advance, for support and work you provide for such a simple user like me.

It's already under consideration, I need to make sure first that all the buffers in the firmware code that manipulate it are large enough to support a longer password.

 

[cofetym]

It's already under consideration, I need to make sure first that all the buffers in the firmware code that manipulate it are large enough to support a longer password.

Would the longer password, be applicable to both router access and SSID passwords?

 

[RMerlin]

Would the longer password, be applicable to both router access and SSID passwords?

If 64 characters isn't enough for your WPA2 key, then you are doing it wrong. Plus, I'd hate to configure a wireless access on a printer or a phone on your network...

 

[sfx2000]

Limiting password length to 16 characters looks a little bit strange for me.

Which password?

Admin or Wireless?

 

[RMerlin]

I cannot safely increase the router login's password length limitation. AiCloud also uses that same password for authentication, and it's closed source, so I have no way of ensuring that all the internal buffers are large enough to handle passwords longer than 16 characters.

You will have to ask Asus directly if you want that increased.

 

[cofetym]

If 64 characters isn't enough for your WPA2 key, then you are doing it wrong. Plus, I'd hate to configure a wireless access on a printer or a phone on your network...

I agree! I was more curious about the password length. Mine at the moment are not ridiculously complex. Secure enough to stop most though.

Few people in my neighborhood still using WEP.

 

[petter5]

I have a problem with password lenght running last version ( as today) version of asus merlin. After changing the admin password to a new password consisting of 14 letters, both lower and uppercase and numbers, the new password is not accepted when trying to log into the system, and I need to reset the system to be able to login again. It is 100% shure that I use the correct password. When using a password consisting of 7 letters, upper and lovercase and numbers, everything works as expected. Confirmed on RT-AC66U and RT-AC68U

 

[cofetym]

I use a 16 letters and numbers combination, without an issue for years now on the same router.

378.45 firmware

 

[Elbowman]

Which password?

Admin or Wireless?

Sorry for my silence.
I meant admin. I own two networks - my and my mother. I moved my previous router to mother's net and switched to Asus.
Before, when I was using OpenWRT I had created password, which I wanted to use on Asus as well.
Unfortunately it is 1 character too long

I cannot safely increase the router login's password length limitation. AiCloud also uses that same password for authentication, and it's closed source, so I have no way of ensuring that all the internal buffers are large enough to handle passwords longer than 16 characters.

You will have to ask Asus directly if you want that increased.

Does it mean, that this case is closed?

 

[L&LD]

Does it mean, that this case is closed?

Unless you want to contact Asus about it.

 

[Rankdropper84]

Probably shouldn't say this but whatever. I personally take something like a standard movie quote of "wakeupneo" and use a leet generator to make it W4k3UPn30. It's harder to remember but thats the point right haha?

 

[AdvHomeServer]

Sorry for my silence.
I meant admin. I own two networks - my and my mother. I moved my previous router to mother's net and switched to Asus.
Before, when I was using OpenWRT I had created password, which I wanted to use on Asus as well.
Unfortunately it is 1 character too long



Does it mean, that this case is closed?

For an admin password that DOES NOT give router access over the internet AND you have no prying kids or snoopers inside the home, then 'password' is a fine password. Who do you need protection from? And what are you afraid they'll do? It's like locking every door inside the house 'just because'.

 

[Calisro]

For an admin password that DOES NOT give router access over the internet AND you have no prying kids or snoopers inside the home, then 'password' is a fine password. Who do you need protection from? And what are you afraid they'll do? It's like locking every door inside the house 'just because'.

Respectfully. I disagree. Even in your house, you would have your diamonds and pearls in a safe. If you have a home net breach, you want to make other points in your network as safe as possible to reduce "damage" from that breach.

 

[AdvHomeServer]

Respectfully. I disagree. Even in your house, you would have your diamonds and pearls in a safe. If you have a home net breach, you want to make other points in your network as safe as possible to reduce "damage" from that breach.

Given my scenario above, who, exactly, is going to break in? The dog?

If you're afraid a burglar might change a router setting, I think your worry is misplaced. They have other interests.

Are you afraid someone you gave your wireless password to might do something bad to a router setting?

Why not put passwords on microwave ovens. Someone might cook something smelly or eat something someone was saving.

 

[Calisro]

Script kiddies, malware, bot nets. We can agree to disagree but if you turn on logging on your router, you'll see lots of interest in breaking in. Your router is secure but other devices that are exposed (on purpose or by accident) may not. If one is compromised, your net is easily compomised. If your router's password is 'password', that makes it that much easier to elevate from a network breach to a full control of everything breach.

 

[AdvHomeServer]

Script kiddies, malware, bot nets. We can agree to disagree but if you turn on logging on your router, you'll see lots of interest in breaking in. Your router is secure but other devices that are exposed (on purpose or by accident) may not. If one is compromised, your net is easily compomised. If your router's password is 'password', that makes it that much easier to elevate from a network breach to a full control of everything breach.

Read the post. NO OUTSIDE access. If you do, then a certificate is better than a password, if possible. I have no script kiddies in my home. do you? Hopefully your router has a setting that permits / denies outside access to the router. This setting has nothing to do with access to the network from afar. A simple, complex, or no password makes no difference in that instance. Watching your slingbox from a hotel room has no bearing on your router password, or even if you have one.

If you can't deny router access (not remote network access ... two different things) over the internet via a simple setting, then buy a new router today.

For SSH remote access, if you don't use a certificate, then you are at high risk. A password isn't good enough.

 

[Calisro]

If your router is plugged into the wan port to an isp, it is externally exposed. I wasn't referring to exposing the asus UI externally either. I am referring to breaches through hacking of less secure devices. If you think it doesn't happen, you're mistaken.

Sorry but advice to set your router password to "password" isn't sound.

 

[AdvHomeServer]

If your router is plugged into the wan port to an isp, it is externally exposed. I wasn't referring to exposing the asus UI externally either. I am referring to breaches through hacking of less secure devices. If you think it doesn't happen, you're mistaken.

Sorry but advice to set your router password to "password" isn't sound.

Your router has NAT and SPI. They all do. Even the $20 refurbs. If you have remote access yes/no set to no, then who is going to log in to router settings? They can't. Not even you. This setting has nothing to do with remote network access, which should be covered by far more thoughtful security measures. That password is never accessed during these sessions.

Describe a realistic scenario of how someone from afar would break into your router even if it has a weak password, bypassing NAT and SPI. Remember, remote access is not enabled. Please explain why the router admin password mattered at all in the network hack. Please include an explanation of why a hacker would want access to your router settings as opposed to accessing the PCs it's attached to. They don't need the router password for that. Please include why SSH, if used, does not use certificates in this case.

Sometimes password is a fine password. Most times, no it's not. But sometimes it doesn't matter.

 

[AdvHomeServer]

If your router is plugged into the wan port to an isp, it is externally exposed. I wasn't referring to exposing the asus UI externally either. I am referring to breaches through hacking of less secure devices. If you think it doesn't happen, you're mistaken.

Sorry but advice to set your router password to "password" isn't sound.

Explain the hack .. how did they get past NAT and SPI. Then how was the device hacked? Those devices don't care about the router admin password. The network security is the same if even of there's no router admin password or an infinitely complex one. No device needs to know it to get to the network from outside.

The router admin password is to protect router settings from people who shouldn't be playing with them. SSH access requires better access than a password. Anyone without a certificate is playing with fire. A password there is reckless.

Agree if someone doesn't know much about network security, fearing that everyone out there is a 100 foot tall boogyman with all capable super powers is prudent. A little good education can bring down the need to be afraid of everything and only be afraid of the remaining things one doesn't understand. I still have a long list of those. This one isn't that complicated.