[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords

David Lang david at lang.hm
Fri Feb 17 03:52:14 PST 2017


On Fri, 17 Feb 2017, Alberto Bursi wrote:

> On 02/17/2017 12:26 PM, John Crispin wrote:
>>
>>
>> On 17/02/2017 12:16, Dan Lüdtke wrote:
>>> Hi David,
>>>
>>> thanks for the fast response!
>>>
>>>> On 17 Feb 2017, at 11:54, David Lang <david at lang.hm> wrote:
>>>> But deciding that you know better than the admin of the system is not.
>>>
>>> Not that I am a fan of telling admins what to do, but do you see any chance that we  can get an consistent and enforceable approach to *minimum* requirements, e.g. minimum password length? Maybe by using a configuration variable? Havon only the GUI enforce minimum password length and not the CLI is rather inconsistent (some may say useless or even confusing).
>>>
>>>>
>>>> you don't have any idea what the security environment is for the system, or why the admin is selecting that password.
>>>>
>>>> It's not just a busybox thing to allow the root user to select a password that is shorter than 'recommended', that's normal behavior on *nix systems and has been for decades, even as the 'recommendations' have changed.
>>>
>>> I rather see this as a "LEDE" system not a standard *nix system, even though it is based on Linux and runs a Linux kernel. The question is, is this a more a "product" or just another Linux system?
>>>
>>> "has been for decades" is not a good argument. The others are. But that one is just not.
>>>
>>>
>>> Cheers,
>>>
>>> Dan
>>
>> i agree with david lang, i regularly use "a" as a passwd on test units.
>>
>> 	John
>>
>
> I don't use a password in test units at all and there is no issue (shows
> the warning on login but not much else), so I think the "I need short
> passords for testing" is a weak argument here.

That's just an example of an environment where the security policy makes short 
passwords accpetable.

And having no password is a much bigger change than having a short password when 
you are testing things. It makes a lot of sense to be excercising the password 
routine when doing tests, and very little difference if you are excercising it 
with a short password or a long one.

Why are you saying that short passwords are bad? Is it just because you have 
been told that they are?

Remember, a short password is only a problem if attackers have the ability to 
make brute force attacks on the system. If attackers can't get at the interface, 
or if there are other strategies in place to defeat brute force attacks, a short 
password can be acceptable.

And if the resource you are giving access to is not very important, but you 
can't easily do a blank password, or want to stop/slow unknown automated access, 
but want to have it accessable to any human, a simple password can be a great 
choice.

David Lang
(17 years in providing network security for Banks)


More information about the Lede-dev mailing list