[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords
danrl
mail at danrl.com
Fri Feb 17 02:42:14 PST 2017
Hi devs,
We are trying to make passwords on LEDE a tiny bit more secure by refusing weak or short (read: less than 6 characters) passwords.
Please see related discussion over here, where the inconsistencies were discovered:
https://github.com/openwrt/luci/pull/878
Here is what the patch changes in user experience:
Router running an image NOT including the proposed patch:
root@rtr:~# passwd
Changing password for root
New password:
Bad password: too short
Retype password:
passwd: password for root changed by root
The password minimum length is not enforced for the root user; weak passwords are also accepted for the root user, despite a warning being shown.
Router running an image including the proposed patch:
root@lede-dev:~# passwd
Changing password for root
New password:
Bad password: too short
passwd: password for root is unchanged
It refuses to accept a password that is too short or considered weak.
Cheers,
Dan
This patches the busybox passwd source so that even root is not allowed to set
a weak (too short) password. This enables us to define a minimum password length
that is consistent over graphical interfaces (e.g. LuCI) and CLI.
Signed-off-by: Dan Luedtke <mail at danrl.com>
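The two sessions above differ only in whether uid 0 is exempt from the weak-password check. The following C sketch is an added example, not code from the patch or from busybox: the function names are hypothetical, and the check is reduced to the 6-character minimum mentioned in the post.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MIN_PASSWORD_LEN 6  /* minimum length named in the post */

/* Simplified stand-in for a weak-password check: length only (assumption). */
static const char *weak_reason(const char *pw)
{
    if (strlen(pw) < MIN_PASSWORD_LEN)
        return "too short";
    return NULL;
}

/* First session: the warning is printed, but uid 0 is allowed to continue. */
static bool accept_before(unsigned uid, const char *pw)
{
    const char *why = weak_reason(pw);
    if (why) {
        printf("Bad password: %s\n", why);
        if (uid != 0)
            return false;   /* only non-root callers are refused */
    }
    return true;
}

/* Second session: a weak password is refused for every uid, root included. */
static bool accept_after(unsigned uid, const char *pw)
{
    const char *why = weak_reason(pw);
    (void)uid;              /* caller identity no longer changes the outcome */
    if (why) {
        printf("Bad password: %s\n", why);
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample passwords, evaluated as root (uid 0). */
    const char *samples[] = { "abc", "abcde", "abcdef", "longer-passphrase" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool before = accept_before(0, samples[i]);
        bool after = accept_after(0, samples[i]);
        printf("%-18s before=%d after=%d\n", samples[i], before, after);
    }
    return 0;
}
```

Keeping the decision in one function that ignores the caller's uid is what lets a web interface and the CLI agree on the same minimum.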