[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords

Rafał Miłecki zajec5 at gmail.com
Thu Feb 23 12:40:00 PST 2017

On 17 February 2017 at 11:42, danrl <mail at danrl.com> wrote:
> We are trying to make passwords on LEDE a tiny bit more secure by refusing weak or short (read: less than 6 characters) passwords.
> Please see related discussion over here, where the inconsistencies were discovered:
> https://github.com/openwrt/luci/pull/878
> Here is what the patch changes in user experience:
> Router running an image NOT including the proposed patch:
>   root at rtr:~# passwd
>   Changing password for root
>   New password:
>   Bad password: too short
>   Retype password:
>   passwd: password for root changed by root
> The password minimum length is not enforced for the root user, also weak passwords are accepted for the root user despite showing a warning.

Just to add my personal opinion: I also don't like this ideas. I've
plenty of routers just for testing LEDE I don't need any/complex
passwords on.

If this is really important feature for you, maybe try sending busybox
patch for an option adding such restriction also for a root user. Then
we could have our option enabling that busybox option.

More information about the Lede-dev mailing list