
Solved Possibility to increase the length of the password (16 characters for the moment) ?


osajoseph

Hi guys,

The security aspect is important and many people have more than 12 characters. In my case, I have more than 16 and I have to change the HTML attribute maxlength="16" to a higher value at each connection.
It would be interesting to increase the password length to at least 20 characters in the next versions.

Thank you for your help!
 
From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.

If you're worried about security, I'd be much more worried about the fact that Google and Apple have your WiFi password and geographic location if you've ever connected an Android or iOS device to your WiFi. They could far more easily allow random members of the public to connect to your WiFi than someone could hack your WiFi password.
 
It would be interesting to increase the password length to at least 20 characters in the next versions.
I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.
 
I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.
OK, I understand: once ASUS has increased it in their firmware, you will be able to increase it too. Cool!

From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.

If you're worried about security, I'd be much more worried about the fact that Google and Apple have your WiFi password and geographic location if you've ever connected an Android or iOS device to your WiFi. They could far more easily allow random members of the public to connect to your WiFi than someone could hack your WiFi password.
In fact, if we could configure dual authentication, it would be even better. But it might be overkill for a router haha!
Thanks for your answers guys! I will wait for ASUS to increase this setting on their end.

@RMerlin BTW, nice work with your firmware!
 
I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.

According to the following post (#21), ASUS has already made changes to increase the login password length to 32 chars.

RT-AC68U Firmware version 3.0.0.4.386.43129 (released 2021-May-21):

So, in theory, any AsusWRT-based firmware using GPL 43129 (or later) should include support for 32-char long login passwords.

NOTE:
I cannot attest to the accuracy of the statements made in the linked post since I have not actually tested the OEM stock firmware version.
 
From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.
Password Entropy is only one factor that determines the strength of a password and should never be considered in isolation, especially given the natural human tendency to create simple, easy-to-remember, predictable, non-random passwords. By definition, password entropy is just a measurement of its "unpredictability" based only on a given character set and a number of chars used in the string. However, a password entropy value means very little if the password string itself is not sufficiently random. IOW, you can have 2 passwords with exactly the same entropy value where one is much more secure than the other simply because it's more randomly constructed.

For example, the following two 12-char passwords have the same entropy value (71.45) but one would be considered much more secure, complex, and random than the other:

MyPassWord12

M1WdJxTsP2bZ


Ironically, the vast majority of "password strength meters" tend to be extremely inadequate & misleading in their assessment of password strength because they don't take into account the randomness of a string and the raw processing power of custom-made gear. That's why most strength meters would give the same "rate" to the above 2 passwords even though their actual security strength is not the same (e.g. the 1st one is already found in several dictionary-cracking programs).

As a final point, note that research points to very strong evidence that a passphrase (i.e. a set of random "words" that make up a phrase/sentence which would be more human-friendly and memorable) tends to be significantly more realistic and secure for the average person. Thus, the greater the maximum number of chars allowed in a password field, the better chances of creating a unique, memorable, and still secure passcode without the need to resort to short, complex, and hard-to-remember gibberish.

There is no general consensus as to what the ideal passphrase length should be, but the current rule of thumb is that at the very minimum a length of 20 chars is needed to construct a secure string using at least 4 random "words" that should be uniquely personal but easy to remember for the average person. Again, while we humans are not very good at determining true randomness, a longer passphrase has a better chance of being remembered and effectively used than a complex, hard-to-remember password (hint: )

Just my 2 cents.
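The two passwords from the post above, scored two ways, as an added example that is not part of the original post. The word list, the assumed attacker dictionary size of 100,000 entries and the one-bit-per-letter price for capitalisation are assumptions made for this sketch; 7776 is the size of a standard Diceware word list.

```python
import math
import string

# Constructed mini-wordlist; a real audit would load a large common-password list.
WORDLIST = {"my", "pass", "word", "password", "admin", "router"}
# Assumed size of the attacker's dictionary, used to price one dictionary word.
ASSUMED_DICT_SIZE = 100_000

def charset_size(pw):
    """Size of the character pool implied by the classes present in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def naive_entropy_bits(pw):
    """Meter-style figure: length * log2(pool size), blind to structure."""
    return len(pw) * math.log2(charset_size(pw))

def structured_entropy_bits(pw, wordlist=WORDLIST, dict_size=ASSUMED_DICT_SIZE):
    """Cheapest encoding of pw as dictionary words plus leftover characters.

    A word costs log2(dict_size) bits plus 1 bit per letter for its
    upper/lower-case pattern; any other character costs log2(pool size).
    """
    per_char = math.log2(charset_size(pw))
    word_bits = math.log2(dict_size)
    longest = max(map(len, wordlist))
    best = [0.0] + [math.inf] * len(pw)   # best[i] = min bits for pw[:i]
    for i in range(len(pw)):
        best[i + 1] = min(best[i + 1], best[i] + per_char)
        for j in range(i + 2, min(len(pw), i + longest) + 1):
            if pw[i:j].lower() in wordlist:
                best[j] = min(best[j], best[i] + word_bits + (j - i))
    return best[-1]

def passphrase_entropy_bits(n_words, list_size=7776):
    """Bits for n_words drawn uniformly at random from a list of list_size."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    for pw in ("MyPassWord12", "M1WdJxTsP2bZ"):
        print(f"{pw}: naive {naive_entropy_bits(pw):.2f} bits, "
              f"structured {structured_entropy_bits(pw):.2f} bits")
    print(f"4 random words: {passphrase_entropy_bits(4):.2f} bits")
```

Both strings score 71.45 bits on the length-times-pool formula, but the dictionary-aware estimate drops the first to roughly 48 bits while leaving the random one unchanged.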
 
From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 threadripper machines brute forcing a 12-character password, it would take them over 500 years on average.

If you're worried about security, I'd be much more worried about the fact that Google and Apple have your WiFi password and geographic location if you've ever connected an Android or iOS device to your WiFi. They could far more easily allow random members of the public to connect to your WiFi than someone could hack your WiFi password.
Tell me more about this iOS vector? All such passwords are stored in the key-chain. Would you consider WiFi personal and/or RADIUS passwords stored in the Apple key-chain (and optionally iCloud) a vulnerability?
 
I can't do it until Asus themselves does. Which they recently did, I think it was increased to something like 32 characters, but I can't remember for sure.
Hope they did this universally. SAMBA /etc/
 
NOTE:
I cannot attest to the accuracy of the statements made in the linked post since I have not actually tested the OEM stock firmware version.
For the fun of it, I just tested with a 32 bit Characters password successfully for my login password on Stock Firmware RT-AX88U_3.0.0.4_386_45375 :)
 
32-bit password? Or a password that is 32 characters in length? How did you test for it, specifically?
 
Tell me more about this iOS vector? All such passwords are stored in the key-chain. Would you consider WiFi personal and/or RADIUS passwords stored in the Apple key-chain (and optionally iCloud) a vulnerability?
I would consider anything stored remotely a vulnerability unless you have the source code to both the client (phone) and the servers to verify that there are no back doors and all data is not only stored encrypted, but never transmitted without being encrypted before transmission.
 
32-bit password? Or a password that is 32 characters in length? How did you test for it, specifically?
Oops, I meant 32 Characters
 
The new 386.4 firmware on GT-AX11000 solved my problem. Thanks a lot!
The maxlength="16" has been replaced by the maxlength="128"
 
