[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords
David Lang
david at lang.hm
Fri Feb 17 04:51:44 PST 2017
On Fri, 17 Feb 2017, Alberto Bursi wrote:
> On 02/17/2017 12:52 PM, David Lang wrote:
>> On Fri, 17 Feb 2017, Alberto Bursi wrote:
>>
>> And having no password is a much bigger change than having a short
>> password when you are testing things. It makes a lot of sense to be
>> exercising the password routine when doing tests, and very little
>> difference if you are exercising it with a short password or a long one.
>>
>
> What? if I'm testing things that are completely unrelated to login
> (system configurations for tutorials or stuff for device support) then
> how I log in is irrelevant.
If you are testing specific features, then any other features are irrelevant,
but if you are doing more general testing, then one of the things that needs to
be in the tests is the authentication.
And if you are setting up test scripts, it's best to make them scripts that
users can test with as well, and they are almost always going to have
authentication enabled.
>> Why are you saying that short passwords are bad? Is it just because you
>> have been told that they are?
>>
>> Remember, a short password is only a problem if attackers have the
>> ability to make brute force attacks on the system. If attackers can't
>> get at the interface, or if there are other strategies in place to
>> defeat brute force attacks, a short password can be acceptable.
>>
>
> True. Are there such systems in place for ssh access?
They are available.
To start with, SSH access is not enabled on the WAN side.
If password brute forcing from the inside is considered a threat, then turning
on rate limiting/temporary lockouts/alerts/etc is a far better thing to do than
to try to force 'better' passwords.
People who don't want good passwords are going to find a way to not have good
passwords.
password1! is not a much better password to use than password, even though the
password strength tests will claim that it is. If you force people to have
'longer' or 'more complex' passwords, they are far more likely to add some easy
to guess nonsense on the end of their previous 'bad' password than to come up
with a 'good' password.
David Lang
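The point made above about password1! versus password, shown as an added example (this is not code from the busybox patch under discussion or from LEDE; the wordlist and leet table are constructed here for illustration): a typical character-class meter scores the mangled word higher, while a check that first undoes the common mangling (trailing digits/symbols, leading noise symbols, leet spelling, case) sees the same dictionary word in both.

```python
"""Added example: why a complexity meter rates 'password1!' above 'password'
while a mangling-aware check scores both as the same weak dictionary word.
The wordlist and substitution table are constructed here (hypothetical),
not taken from busybox or any real cracking rule set."""
import re
import string

# Constructed stand-in for a real dictionary (a handful of entries).
COMMON_WORDS = {"password", "letmein", "qwerty", "admin", "welcome", "monkey", "dragon"}

# Leet substitutions that cracking rule sets undo routinely.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Punctuation with no leet meaning; users bolt it on as a prefix or suffix.
NOISE = "".join(sorted(set(string.punctuation) - set("@$!")))


def naive_score(pw: str) -> int:
    """Typical strength meter: one point per character plus four per
    character class present. Appending '1!' to a word adds 10 points."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    bonus = sum(4 for cls in classes if any(c in cls for c in pw))
    return len(pw) + bonus


def base_word(pw: str) -> str:
    """Undo the mangling a user applies to satisfy a complexity rule:
    trailing digits/symbols, leading noise symbols, leet spelling, case."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)  # drop trailing "1!", "2017", "!!"
    core = core.lstrip(NOISE)              # drop leading "#", "*", ...
    return core.translate(LEET).lower()    # P@ssw0rd -> password


def is_weak(pw: str, words=COMMON_WORDS, min_len: int = 8) -> bool:
    """Weak if too short outright, or if the de-mangled base is (or contains)
    a dictionary word. Character-class counts play no part in the verdict."""
    if len(pw) < min_len:
        return True
    base = base_word(pw)
    return base in words or any(w in base for w in words if len(w) >= 5)


if __name__ == "__main__":
    for pw in ("password", "password1!", "P@ssw0rd1!", "correct horse battery staple"):
        print(f"{pw!r:32} meter={naive_score(pw):2d} weak={is_weak(pw)}")
```

Run stand-alone, the first three candidates come out weak despite the meter scoring the mangled forms far higher than the bare word; the unmangled passphrase passes because its length is real rather than bolted on. A production check would load a real wordlist and a fuller rule set, but the shape of the test is the same.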