Posted: Sun Apr 04, 2021 20:38 Post subject: [WARNING-FIXED > 49599] Invalid Password characters
I tried to change my password on my router and it seems I entered the password in the GUI, saved it but when I tried to log in it rejects the new password.
I spent 4 hours trying to solve this and it seems | is the character that was giving me an issue.
Is there a list of characters that are known accepted?
It may be also on the router password page when I hit "save" the password boxes go back to default "dots" and when I then hit "apply" the "dots" are saved as the username and password. I spent a lot of time cursing the router and that's all the info I have right now.
Router/Version: Linksys wrt320n
File/Kernel: 46294 / Linux 4.4.264 #8005
Previous: 46239 / Linux 4.4.264 #7897
What version are you on? I noticed this with 46294, 46239, and a version from several months prior, I forget which. Simple router passwords work. Strong passwords with special characters, e.g. `!@#$%^&* etc, which have worked in the past no longer work when setting up the router again after a reset.
The wiki says to "use numbers and valid non-alphabetic characters", but doesn't actually say which non-alphanumeric characters are valid or invalid.
The issue persists in r46380 and r46395 on both of these routers. However, I've tested both routers with the special characters on r44863 and they work fine. Can anyone else confirm?
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Mon Apr 19, 2021 19:08 Post subject:
Can someone please try minimum password length with a single special character, one only, and continue changing the password with a new one, running through *all* special characters until you figure out which ones work and which do not and then post which special characters DO NOT work so the wiki can be updated? I know this topic has been discussed in the past, so the answer(s) may already be somewhere in the forum...
Ok, so far, I have not found much, so if someone would please take the time and sacrifice your sanity to help figure this out, it would be greatly appreciated so we can finally have correct information for the wiki.
if (strpbrk(value, "'\"ÂŽ`")) { // filter some unwanted characters
strips out the characters: ' " Â Ž `
(the \ is the escape to get the ")
Then calls standard C function:
isascii()
checks whether c is a 7-bit unsigned char value that fits into the ASCII character set.
isascii() might have language specific characters (not sure if it uses the standard or extended ASCII, but based on filtering out the  Ž characters makes me think it is extended)...
so I think the main chars filtered out are the single quote, double quote and tick mark... I double checked and the single quote was filtered out (i.e. the whole password was not changed) so I am assuming the others listed above would too.
If I have time I will try others manually but wanted to do code analysis first.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Tue Apr 20, 2021 0:13 Post subject:
I presume it's the list of printable characters shown here, for starters:
There may be some characters that are not allowed in some other area of the code. Please compile a list of what characters will not work and post them. Thanks! _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
I tested all printable ASCII special characters between decimal 33 and 126 via the web GUI. After many many hours and much head-banging due to my not always waiting long enough after saving before applying, and getting a "The connection was reset" error forcing me to reboot the router each time, here are the results.
Invalid `'"
Valid ~!@#$%^&*()-_=+[{]}\|;:,<.>/?
Wildlion was on to something. Also, I was able to successfully set each of the 3 invalid characters (based on GUI results) via telnet using:
setuserpasswd user \`
setuserpasswd user \'
setuserpasswd user \"
From what I can find on isascii(), "The isascii() function shall return non-zero if c is a 7-bit US-ASCII character code between 0 and octal 0177 [0 and decimal 127] inclusive; otherwise, it shall return 0."
So, strpbrk() is filtering out the characters `'" that isascii() would return as valid.
`'" are acceptable characters for telnet's setuserpasswd as well as the WPA Shared Key set via the GUI. Can they not also remain valid for the router password set via the GUI, or is there a security concern for restricting those 3 characters in the GUI's router password field in particular? Was there a security reason `'" were disallowed sometime after build r44863?
Allowing for all printable ASCII special characters (up to decimal 126), rather than restricting some, would be ideal. If they must be restricted, it would be more user friendly to show the restricted characters next to the password field in the GUI, in addition to the wiki.
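The check discussed in the posts above, modelled as an added example; it is not DD-WRT source and not code from any poster. The names gui_password_accepted and rejected_specials are hypothetical, the reject set holds only the three ASCII characters the GUI test found invalid, and the 7-bit test stands in for isascii().

```c
#include <stdio.h>
#include <string.h>

/* Assumption: only the three ASCII characters the GUI test found invalid.
 * The non-ASCII bytes in the quoted strpbrk() line are left out; they
 * fail the 7-bit test below in any case. */
static const char REJECTED[] = "'\"`";

/* Same condition isascii() tests: the value fits in 7 bits (0..127). */
static int is_7bit(unsigned char c) { return (c & 0x80) == 0; }

/* Hypothetical model of the web GUI check described in the thread.
 * Returns 1 if the password would be stored, 0 if it would be dropped. */
int gui_password_accepted(const char *value)
{
    if (value == NULL)                      /* defensive guard, not from the thread */
        return 0;
    if (strpbrk(value, REJECTED))           /* any listed character rejects the whole value */
        return 0;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (!is_7bit(*p))                   /* bytes above 127 are rejected too */
            return 0;
    return 1;
}

/* Repeat the manual test: try each printable special character 33..126
 * inside a constructed sample password and collect the rejected ones. */
size_t rejected_specials(char *out, size_t outlen)
{
    size_t n = 0;
    for (int c = 33; c <= 126; c++) {
        char probe[] = { 'a', 'b', 'c', (char)c, '1', '2', '3', '\0' };
        if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
            (c >= 'a' && c <= 'z'))
            continue;                       /* letters and digits are not under test */
        if (!gui_password_accepted(probe) && n + 1 < outlen)
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char bad[16];
    rejected_specials(bad, sizeof bad);
    printf("rejected specials: %s\n", bad);
    printf("pipe accepted: %d\n", gui_password_accepted("p|pe"));
    return 0;
}
```

A caller that gets 0 back should show an error instead of continuing silently, so the user does not believe the new password was saved.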
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Tue Apr 20, 2021 14:13 Post subject:
What would be ideal and the reality, now known, is what it is. Now we know exactly what special characters are accepted for the webUI password, and that is the key resolution here. No more need to squabble about it, really, unless @egc can convince @BrainSlayer to make changes.
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Tue Apr 20, 2021 14:31 Post subject:
kernel-panic69 wrote:
What would be ideal and the reality, now known, is what it is. Now we know exactly what special characters are accepted for the webUI password, and that is the key resolution here. No more need to squabble about it, really, unless @egc can convince @BrainSlayer to make changes.
The isascii() function is an in-built function in C.
It is not impossible (actually fairly easy) to write our own function to allow more characters, but frankly making a strong password with ascii 0-127 and a maximum length of 63 (I think it is 63) should be sufficient.
It's the strpbrk() function that (unnecessarily?) removes `'". isascii() already returns the characters `'" as valid characters between decimal 0-127. It doesn't seem that any custom function would be necessary. The only change would be:
line 107 before:
if (strpbrk(value, "'\"ÂŽ`")) { // filter some unwanted characters
line 107 after:
if (strpbrk(value, "ÂŽ")) { // filter some unwanted characters
The only thing I could think of is that it is possible that if you are making certain OS type calls those characters could be trouble because you would have to escape them...
Be careful - this is a new restriction but no warning was implemented that the password contains invalid characters. dd-wrt stores encrypted password anyway and locks the user out of the system. _________________ ZTE MC801A - 5G bridge mode
R7000 - router, AP 2.4Ghz / 5Ghz
When I upgraded from an older version (no reset) with a password saved that included these characters, the new versions continued to let me login with the old password. So I didn't notice the issue until I reset.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Apr 23, 2021 13:50 Post subject:
So, to note: All versions 03-09-2021-r45955 and newer will not allow the previously mentioned characters in passwords on fresh install or after a hard reset.
I don't think there is a need for further discussion or to have a ticket about it. There's far more important matters to deal with. This thread is now a sticky in the general forum for future reference until no longer required. Wiki has been updated.