[Solved] Root Password Requirements


#1

**

Summary

What are the requirements for the root password / LuCI web interface?

**

  1. minimum length
  2. maximum length
  3. allowed character sets
  • lower case latin letters
  • upper case latin letter
  • numbers
  • special characters / symbols

Neither in the wiki nor in the forum did I find this info. The closest I found was
this site it the old wiki

This password should be a minimum 15 characters & contain at least:
two uppercase letters
two lowercase letters
two numbers
two symbols

I am setting up OpenWRT and want to use a strong password but I am concerned about shutting myself out of the router.:fearful:


#2

There is no minimum requirement. I just successfully changed my root pass to 1234. Although I got a message that password is too short, after I entered it the second time it was accepted. Consider the wiki guideline as a general guideline, not a mandatory prerequisite.


#3

Make sure you have a backup of the config. If you forget the password you can reset the router to default settings and restore the backup. Make sure you remove /etc/shadow from the backup first. Alternatively you can ssh to the router before you restore, copy /etc/shadow to /tmp and use it to overwrite the old shadow after you've restored the config.


#4

I hope wiser people will correct me if I'm wrong, but I believe the following information should be in the Security section of the documentation:

About Pasword Strength and Security. OpenWRT does not, by default, make the admin interface (or ssh, if you enable that) available to the Internet at large, so you are much less likely to face a brute force or dictionary attack. Unless you change that setting, the only people who can even attempt to log in as root are the ones who can either physically plug in via an Ethernet cable or who you've already given access to your WiFi. Consider who will be using this device. If it is just your friends and family in a typical home installation, you should not overly worry about password strength.

Of course, mistakes happen and sometimes people accidentally enable administrative access on the WAN port instead of the LAN. In that case, the probability is 100% that you'll have tons of bots trying to guess your password. For that possibility, it is recommended you take these steps:

  1. Use a long password, eight letters or more. Numbers and symbols are not necessary for strong security, but they don't hurt. Write down the password and store it in a secure location. For home users, it is reasonable to simply tape the password underneath the device.

  2. Do not use the same password for the admin account as you use for your WiFi access. Giving someone access to your Internet should not be the same as giving them the keys to modify your router.

  3. After configuring your device, test to make sure you cannot log into it from a device not on your LAN.

  4. Use tools such as bearDropper and sub2rbl to detect automated attacks and stop them. https://forum.archive.openwrt.org/viewtopic.php?id=62084&p=1

If you are setting up a public WiFi access point in a particularly risky environment — say, a coffee shop next door to a halfway house for antisocial computer engineers — consider using SSH keys to login and disabling password access completely.


#5

In general, I agree, though any device that has wireless capabilities should, in my opinion, be considered as exposed to potentially hostile clients, even with wireless security enabled.

Running the server providing LuCI with HTTP-S i something I consider to be essential (or disabling LuCI completely, if you're comfortable with file-based configuration).

Running the management interfaces (SSH and LuCI, generally) only on a "private" VLAN is something that I consider good practice.

Any of the better advice about password generation and rotation is applicable to the root password for OpenWrt, much as it would be for your banking password.


#6

Thanks for the replies. The tip with backing up the config from Per encouraged me. I also realized that Save (unlike Save & Apply) lets me play around with the settings before committing.

Furthermore, upon saving a password LuCI will feedback with either
Unknown Error, password not changed!
or
Password successfully changed!

Here are the result for the password rules for LuCI:

  1. min:1 character
  2. max: 86 characters
  3. no limits on character sets =>meaning all these are possible
  • lower & upper case Latin letters
  • numbers
  • special characters / symbols (including non-printable ones)

As others have pointed out, there are further security measures documented in https://openwrt.org/docs/guide-user/start#security


closed #7

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.