[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords
David Lang
david at lang.hm
Fri Feb 17 02:54:20 PST 2017
On Fri, 17 Feb 2017, danrl wrote:
> Date: Fri, 17 Feb 2017 11:42:14 +0100
> From: danrl <mail at danrl.com>
> To: lede-dev at lists.infradead.org
> Cc: Dan Luedtke <mail at danrl.com>
> Subject: [LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords
>
> Hi devs,
>
> We are trying to make passwords on LEDE a tiny bit more secure by refusing weak or short (read: less than 6 characters) passwords.
>
> Please see related discussion over here, where the inconsistencies were discovered:
> https://github.com/openwrt/luci/pull/878
>
> Here is what the patch changes in user experience:
>
> Router running an image NOT including the proposed patch:
>
> root at rtr:~# passwd
> Changing password for root
> New password:
> Bad password: too short
> Retype password:
> passwd: password for root changed by root
>
> The password minimum length is not enforced for the root user; weak passwords are also accepted for the root user despite the warning that is shown.
>
>
> Router running an image including the proposed patch:
>
> root at lede-dev:~# passwd
> Changing password for root
> New password:
> Bad password: too short
> passwd: password for root is unchanged
>
> It refuses to accept a password that is too short or considered weak.
Please don't do this.

Providing a warning is fine, even asking for a confirmation is acceptable. But deciding that you know better than the admin of the system is not.

You don't have any idea what the security environment is for the system, or why the admin is selecting that password.

It's not just a busybox thing to allow the root user to select a password that is shorter than 'recommended'; that's normal behavior on *nix systems and has been for decades, even as the 'recommendations' have changed.
David Lang