On Fri, 17 Feb 2017, danrl wrote:
Date: Fri, 17 Feb 2017 11:42:14 +0100
From: danrl <m...@danrl.com>
To: lede-dev@lists.infradead.org
Cc: Dan Luedtke <m...@danrl.com>
Subject: [LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords
Hi devs,
We are trying to make passwords on LEDE a tiny bit more secure by refusing weak
or short (read: less than 6 characters) passwords.
Please see related discussion over here, where the inconsistencies were
discovered:
https://github.com/openwrt/luci/pull/878
Here is what the patch changes in user experience:
Router running an image NOT including the proposed patch:
root@rtr:~# passwd
Changing password for root
New password:
Bad password: too short
Retype password:
passwd: password for root changed by root
The password minimum length is not enforced for the root user, and weak
passwords are also accepted for the root user despite the warning being shown.
Router running an image including the proposed patch:
root@lede-dev:~# passwd
Changing password for root
New password:
Bad password: too short
passwd: password for root is unchanged
It refuses to accept a password that is too short or considered weak.
Please don't do this.
Providing a warning is fine, even asking for a confirmation is acceptable.
But deciding that you know better than the admin of the system is not.
You don't have any idea what the security environment is for the system, or why
the admin is selecting that password.
It's not just a busybox thing to allow the root user to select a password that
is shorter than 'recommended', that's normal behavior on *nix systems and has
been for decades, even as the 'recommendations' have changed.
David Lang
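The two behaviours argued over above (warn but accept the password, versus refuse it outright) can be made concrete with a small policy checker. The following C program is an added illustration written for this thread; it is not busybox code and not the proposed patch. The 6-character minimum comes from the thread; the "too simple" heuristic (fewer than two character classes) and the "resembles the username" check are my own assumptions, chosen only to give the checker a second reason to complain. The sample passwords are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 6   /* minimum length discussed in the thread */

enum pw_verdict { PW_OK = 0, PW_TOO_SHORT, PW_TOO_SIMPLE, PW_LIKE_USER };

/* Case-insensitive substring test (assumed helper, not from busybox). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t hn = strlen(hay), nn = strlen(needle);
    if (nn == 0 || nn > hn)
        return 0;
    for (size_t i = 0; i + nn <= hn; i++) {
        size_t j = 0;
        while (j < nn &&
               tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == nn)
            return 1;
    }
    return 0;
}

/* Returns the first problem found with the candidate password, or PW_OK.
 * Length is checked first, so "too short" wins over every other complaint. */
enum pw_verdict check_password(const char *pw, const char *user)
{
    size_t n = strlen(pw);
    int lower = 0, upper = 0, digit = 0, other = 0;

    if (n < MIN_LEN)
        return PW_TOO_SHORT;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }
    /* Assumed heuristic: at least two character classes required. */
    if (lower + upper + digit + other < 2)
        return PW_TOO_SIMPLE;
    /* Assumed heuristic: the password must not contain the user name. */
    if (contains_ci(pw, user))
        return PW_LIKE_USER;
    return PW_OK;
}

const char *verdict_text(enum pw_verdict v)
{
    switch (v) {
    case PW_OK:         return "ok";
    case PW_TOO_SHORT:  return "too short";
    case PW_TOO_SIMPLE: return "too simple";
    case PW_LIKE_USER:  return "resembles the user name";
    }
    return "unknown";
}

/* The policy knob the thread is about: with enforce == 0 a bad verdict is
 * only a warning and the change still goes through (the pre-patch behaviour
 * for root); with enforce == 1 the change is refused. Returns 1 if accepted. */
int password_accepted(enum pw_verdict v, int enforce)
{
    if (v == PW_OK)
        return 1;
    return enforce ? 0 : 1;
}

int main(void)
{
    /* Constructed candidates: one too short, one single-class, one that
     * contains the user name, one that passes every check. */
    const char *user = "root";
    const char *candidates[] = { "abc", "aaaaaaa", "root123", "c0rrect!" };
    const int enforce_modes[] = { 0, 1 };

    for (size_t m = 0; m < 2; m++) {
        printf("--- enforce_for_root = %d ---\n", enforce_modes[m]);
        for (size_t i = 0; i < 4; i++) {
            enum pw_verdict v = check_password(candidates[i], user);
            if (v != PW_OK)
                printf("Bad password: %s\n", verdict_text(v));
            printf("passwd: password for %s %s\n", user,
                   password_accepted(v, enforce_modes[m]) ? "changed" : "is unchanged");
        }
    }
    return 0;
}
```

With `enforce_for_root = 0` the program reproduces the "warning, then changed anyway" sequence from the first transcript; with `enforce_for_root = 1` it reproduces the "is unchanged" outcome of the second. Keeping the verdict and the accept/refuse decision in separate functions is what lets a distribution choose either policy, or make it a build-time or runtime option, without touching the strength checks themselves.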