Router password philosophical issue

  • Thread starter Deleted member 19960

Deleted member 19960

Guest
The password for the AsusWRT-merlin and (IIRC) the standard OEM build is limited to 16 characters that can't be pasted into the change password fields on the web interface.

I am wondering if this is a great idea. My preference would be for a longer password field length and have it paste-able so that I can use a very long (20 to 30 characters at least) random password generated by a local KeePass manager. I know that if I ever lose access to the KeePass-held password, I will have to default out the router and start over. I'll accept that risk.

Am I being too paranoid?

I also understand that this might be very difficult to change and that would be an acceptable answer. If this has been covered in a previous thread, please excuse the duplication. I could not find that thread if it exists.
 
Don't know if any other threads tried covering this issue, but many posts have.

The idea that you can't paste the password will be changed in the next release.
 
Thanks for the info on paste-ability, if that's a word.
Tom
 
I don't think you're paranoid if 1) you really want to expose the gui to the internet (bad) or 2) you do not control the people on your lan. Brute force attacks are simple so allowing one to happen is a problem but if you are neither 1 nor 2 then you may be overly worried.

If you ARE really worried, you can always shut down the http interface via ssh and only start it again via ssh when you want it. Or better yet, keep the web interface running and firewall it on both lan and wan and use ssh port forwarding to access it, so you'd need an ssh compromise.

ssh can be made far more secure than http basic auth or web form auth.
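
An added example, not part of the post above: a check that the web GUI is reachable only through the SSH tunnel, done by walking an `iptables -S INPUT` dump with first-match semantics. The GUI port (tcp/80), the interface names (br0 for LAN, eth0 for WAN), the router address and login, and both sample rulesets are assumptions constructed for illustration.

```shell
# Tunnel used once the GUI is firewalled (run on the admin workstation, then
# browse http://127.0.0.1:8080):  ssh -N -L 8080:192.168.1.1:80 admin@192.168.1.1
# verdict_for IFACE PORT: first-match walk of `iptables -S INPUT` text on stdin
# for a NEW tcp connection. Models -i, -p, --dport (single port), --state and
# --ctstate; a matching rule with any other option is reported as UNKNOWN.
verdict_for() {
  awk -v ifc="$1" -v port="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      hit = 1; odd = 0; tgt = ""
      for (i = 3; i <= NF; i += 2) {
        opt = $i; val = $(i + 1)
        if      (opt == "-i")      { if (val != ifc) hit = 0 }
        else if (opt == "-p")      { if (val != "tcp") hit = 0 }
        else if (opt == "--dport") { if (val != port) hit = 0 }
        else if (opt == "--state" || opt == "--ctstate") { if (val !~ /NEW/) hit = 0 }
        else if (opt == "-j")      { tgt = val; break }
        else if (opt != "-m")      { odd = 1 }
      }
      if (!hit || tgt == "" || tgt == "LOG") next   # non-terminating rule
      if (odd || tgt !~ /^(ACCEPT|DROP|REJECT)$/) tgt = "UNKNOWN"
      print tgt; done = 1; exit
    }
    END { if (!done) print (policy ? policy : "UNKNOWN") }'
}
# audit_gui RULES PORT: succeed only if loopback (where the tunnelled
# connection arrives) reaches PORT while LAN and WAN are dropped or rejected.
audit_gui() {
  rc=0
  for ifc in lo br0 eth0; do
    v=$(printf '%s\n' "$1" | verdict_for "$ifc" "$2")
    echo "$ifc tcp/$2 -> $v"
    case "$ifc:$v" in lo:ACCEPT|br0:DROP|br0:REJECT|eth0:DROP|eth0:REJECT) ;; *) rc=1 ;; esac
  done
  return $rc
}
# Constructed samples; on a real router feed in the output of `iptables -S INPUT`.
BASE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT'
HARDENED_RULES="$BASE_RULES
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i br0 -j ACCEPT"
WEAK_RULES="$BASE_RULES
-A INPUT -i br0 -j ACCEPT"
audit_gui "$HARDENED_RULES" 80 && echo "hardened: GUI reachable only via tunnel"
audit_gui "$WEAK_RULES" 80 || echo "weak: GUI reachable without the tunnel"
```

An UNKNOWN verdict means a rule the walker does not model decided the outcome, so that ruleset needs to be read by hand.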
 
This forum has been flooded so many times with similar threads and it keeps happening.

Adjustments will be made to this - not sure about the maximum passwd length, however there will likely be the option to restore the behavior of the old firmwares when it comes to the logon.

But we will have to wait as this is work in progress - first Asus need to finish their adjustments, then it can be customized by third parties.

Hopefully there won't be any people breaking Godwin's law again 30 times within one single post before this change is implemented.
 
Thank you for both the information and your patience. Any way to put this issue in an FAQ / Sticky post so that people can refer to it without posting new (like me :D)?

Calisro: I like the ssh on and off idea, but it might not work in this exact situation. The situation would be for a remote client where I am not onsite a lot. I need to make sure that no one messes with things while I'm not there, but I can't turn off the GUI completely.

The use of KeePass is part of the "what if Tom gets hit by a bus" system, where someone would have to go into a safe and then a sealed envelope to get the password for KeePass. Every time I go to that office, I would check the seal on the envelope. If it ever is broken, there is hell to pay and every account in the system anywhere gets changed to random-generated and then everyone would have to reset their password from that random password. Given what I would charge on an hourly basis for that service, they really don't want to do it.
 
This is so true - having a PW manager and keeping the master key somewhere safe is incredibly useful - recently had to do a digital asset recovery for online accounts and devices for someone who passed away - lucky for us they did use a keychain password tool, which made things much easier.
 
