So I recently set up my first OpenWrt setup, and I'm beginning to get more comfortable.
Now I want to set a good root password etc., and I've been reading threads where they talk about /etc/login.defs, which I don't have, and ways of encrypting the content etc.
Where should I start, and what is the current best practice with 19.07.3?
IMO, start by thinking about your expected threat profile... For example, are you running an open hotspot in a dense urban location, or do you have a strong wifi password in a very rural area? Are you a high value target, or just another home network? Do you have users/devices on your network that are untrusted, or is it just you? Do you have any services exposed to the internet (ports opened or forwarded) that could potentially be used to gain access to other network resources including the router?
Generally speaking, if you are not a high value target and aren't opening ports/forwarding, the threat profile is mostly about those connecting to your network (wired and/or wireless -- could be people you allow to connect or people hacking at your wifi password). Selecting a strong password isn't terribly difficult -- there are lots of resources on general password best practices -- the longer, the better, including upper and lowercase characters, numbers, and special characters. There is a debate about the value of a completely random string vs one that is 'sentence' based -- but either way you want to make sure that you won't be subject to a dictionary attack. So 'supercalifragilisticexpialidocious' is long but easy to crack with dictionary attacks, so not great. 'myF4v0r1teR()uter-O5=0wR7' would be pretty good (My favorite router-OS is OWRT).
Since OpenWrt really just works as root, once you've logged in you have access to everything, which is part of the reason the passwords aren't encrypted in the files [EDIT: apparently they are encrypted as @hnyman points out below... my mistake!]. That said, it really isn't much of an issue provided that you don't make yourself an easy or valuable target and that you have a nice strong password.
Cheers for good answer.
Yeah, I was also thinking and trying to find what the maximum root password length is? I'm not going crazy or anything, I just don't want to set one that is longer than it can be, and having to figure out where it cut off the password.
I read you can use sha256, sha512, md5, etc. to encrypt configs/password in files?
The password is encrypted by default and only the hash is stored...
And where can I read about what password recipes are allowed? Ambiguous characters? Symbols? How long?
Pretty much standard Linux rules, I think.
As the password gets encrypted via hashing and only the hash is stored, the "maximum length of the password" has no real impact. The key is to have it long enough and complex enough that a simple dictionary attack does not succeed.
OpenWrt itself does not enforce any mandatory pw minimum length. (root password is initially empty by default)
I haven't checked the source code of "busybox" that takes care of most of the basic shell related commands (like "passwd"), but I guess that it follows the generic Linux rules that pretty much anything is allowed.
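Two points from this thread, that only a hash is stored and that the root password is empty by default, can be checked by reading the second field of each `/etc/shadow` line. The script below is an added example, not part of any post in the thread; the function names and the sample lines are constructed, and the prefixes are the standard crypt(3) scheme identifiers.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format lines.
# Written for POSIX sh so it also runs under BusyBox ash.

# classify_field FIELD -> prints the scheme name for one password field
classify_field() {
    case "$1" in
        '')            echo "EMPTY" ;;        # no password set at all
        '!'*|'*'*)     echo "LOCKED" ;;       # not a valid hash: password login disabled
        '$1$'*)        echo "md5crypt" ;;
        '$5$'*)        echo "sha256crypt" ;;
        '$6$'*)        echo "sha512crypt" ;;
        '$2'[aby]'$'*) echo "bcrypt" ;;
        '$y$'*)        echo "yescrypt" ;;
        *)             echo "other" ;;        # e.g. traditional DES crypt or a placeholder
    esac
}

# audit_shadow: reads shadow-format lines on stdin, prints "user scheme"
# per account, and returns 1 if any account has an empty password field.
audit_shadow() {
    rc=0
    while IFS=: read -r user field rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_field "$field")
        echo "$user $scheme"
        if [ "$scheme" = "EMPTY" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample input (not real hashes): a fresh install with an
# empty root password, a locked system account, and two hashed accounts.
sample_shadow() {
cat <<'EOF'
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
admin:$1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:18500:0:99999:7:::
backup:$6$CONSTRUCTEDSALT$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:18500:0:99999:7:::
EOF
}

sample_shadow | audit_shadow || echo "WARNING: at least one account has no password set"
```

On the router itself, run `audit_shadow < /etc/shadow` as root; after `passwd` has been run for root, the field shows a hash scheme instead of `EMPTY`.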