[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords

Alberto Bursi alberto.bursi at outlook.it
Fri Feb 17 04:08:03 PST 2017



On 02/17/2017 12:52 PM, David Lang wrote:
> On Fri, 17 Feb 2017, Alberto Bursi wrote:
>
> And having no password is a much bigger change than having a short
> password when you are testing things. It makes a lot of sense to be
> exercising the password routine when doing tests, and very little
> difference if you are exercising it with a short password or a long one.
>

What? If I'm testing things that are completely unrelated to login
(system configurations for tutorials or stuff for device support) then 
how I log in is irrelevant.

> Why are you saying that short passwords are bad? Is it just because you
> have been told that they are?
>
> Remember, a short password is only a problem if attackers have the
> ability to make brute force attacks on the system. If attackers can't
> get at the interface, or if there are other strategies in place to
> defeat brute force attacks, a short password can be acceptable.
>

True. Are there such systems in place for ssh access?

Btw, for console access (serial or TTL or whatever) there is no login 
even if you have set a password afaik.

-Alberto


