[WARNING] Invalid Password characters that no longer work

Cartel
DD-WRT Novice


Joined: 14 Jun 2013
Posts: 11

Posted: Sun Apr 04, 2021 20:38    Post subject: [WARNING] Invalid Password characters that no longer work
I tried to change my password on my router and it seems I entered the password in the GUI, saved it but when I tried to log in it rejects the new password.

I spent 4 hours trying to solve this and it seems | is the character that was giving me an issue.

Is there a list of characters that are known accepted?

It may be also on the router password page when I hit "save" the password boxes go back to default "dots" and when I then hit "apply" the "dots" are saved as the username and password. I spent a lot of time cursing the router and that's all the info I have right now.

thanks

Moderator Note 04.23.2021: All versions 03-09-2021-r45955 and newer have restrictions on special characters in passwords as noted below on fresh install or after a hard reset

Edit @the-joker: added | to incompatible characters list, best avoided.

Invalid `'"|
Valid ~!@#$%^&*()-_=+[{]}\;:,<.>/?
mastaofdisastax
DD-WRT Novice


Joined: 16 Oct 2018
Posts: 15

Posted: Tue Apr 06, 2021 16:52
Router/Version: Linksys wrt320n
File/Kernel: 46294 / Linux 4.4.264 #8005
Previous: 46239 / Linux 4.4.264 #7897

What version are you on? I noticed this with 46294, 46239, and a version from several months prior, I forget which. Simple router passwords work. Strong passwords with special characters, e.g. `!@#$%^&* etc, which have worked in the past no longer work when setting up the router again after a reset.

The wiki says to "use numbers and valid non-alphabetic characters", but doesn't actually say which non-alphanumeric characters are valid or invalid.

Update:

Router/Version: Linksys WRT320N
Router/Version: Netgear R6250

The issue persists in r46380 and r46395 on both of these routers. However, I've tested both routers with the special characters on r44863 and they work fine. Can anyone else confirm?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11756
Location: Texas, USA

Posted: Mon Apr 19, 2021 19:08
Can someone please try minimum password length with a single special character, one only, and continue changing the password with a new one, running through *all* special characters until you figure out which ones work and which do not and then post which special characters DO NOT work so the wiki can be updated? I know this topic has been discussed in the past, so the answer(s) may already be somewhere in the forum...

Ok, so far, I have not found much, so if someone would please take the time and sacrifice your sanity to help figure this out, it would be greatly appreciated so we can finally have correct information for the wiki.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=972951

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=139251

https://www.google.com/search?q=password+special+characters+site:forum.dd-wrt.com

_________________
Official Forum Rules, Guidelines & Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware‽
DON'T use Chromium-based browsers • RTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1212

Posted: Mon Apr 19, 2021 23:28
If I followed through the code correctly, I think that this is the file that is key:

https://svn.dd-wrt.com/browser/src/router/httpd/validate/validators.c

Starts with:
validate_password(...)

calls:

valid_name(...)

which calls:

ISASCII(...)

line 107:
Code:

       if (strpbrk(value, "'\"ÂŽ`")) { // filter some unwanted characters

strips out the characters: ' " Â Ž `
(the \ is the escape to get the ")

Then calls standard c function:
isascii()
checks whether c is a 7-bit unsigned char value that fits into
the ASCII character set.


isascii() might have language specific characters (not sure if it uses the standard or extended ASCII, but based on filtering out the  Ž characters makes me think it is extended...

so I think the main chars filtered out are the single quote, double quote and tick mark... I double checked and the single quote was filtered out (ie the whole password was not changed) so I am assuming the others listed above would too.

If I have time I will try others manually but wanted to do code analysis first.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11756
Location: Texas, USA

Posted: Tue Apr 20, 2021 0:13
I presume it's the list of printable characters shown here, for starters:



There may be some characters that are not allowed in some other area of the code. Please compile a list of what characters will not work and post them. Thanks!

mastaofdisastax
DD-WRT Novice


Joined: 16 Oct 2018
Posts: 15

Posted: Tue Apr 20, 2021 8:33
I tested all printable ASCII special characters between decimal 33 and 126 via the web GUI. After many many hours and much head-banging due to my not always waiting long enough after saving before applying, and getting a "The connection was reset" error forcing me to reboot the router each time, here are the results.

Invalid `'"
Valid ~!@#$%^&*()-_=+[{]}\|;:,<.>/?

Wildlion was on to something. Also, I was able to successfully set each of the 3 invalid characters (based on GUI results) via telnet using:

setuserpasswd user \`
setuserpasswd user \'
setuserpasswd user \"

From what I can find on isascii(), "The isascii() function shall return non-zero if c is a 7-bit US-ASCII character code between 0 and octal 0177 [0 and decimal 127] inclusive; otherwise, it shall return 0."

So, strpbrk() is filtering out the characters `'" that isascii() would return as valid.

`'" are acceptable characters for telnet's setuserpasswd as well as the WPA Shared Key set via the GUI. Can they not also remain valid for the router password set via the GUI, or is there a security concern for restricting those 3 characters in the GUI's router password field in particular? Was there a security reason `'" were disallowed sometime after build r44863?

Allowing for all printable ASCII special characters (up to decimal 126), rather than restricting some, would be ideal. If they must be restricted, it would be more user friendly to show the restricted characters next to the password field in the GUI, in addition to the wiki.
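A minimal C model of the check discussed in this thread, added here as an illustration and not taken from DD-WRT's validators.c: first_rejected() and rejected_specials() are hypothetical names, and the filter set is assumed to be only the three ASCII characters reported above. It returns the offending character so that a UI could name it in a warning, and it rebuilds the rejected list by testing every printable special character as a one-character password.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed filter set: the three ASCII characters found rejected above.
 * The non-ASCII bytes in the quoted line 107 are garbled on the page and
 * are left out; the 7-bit test below rejects any such byte anyway. */
static const char REJECTED[] = "'\"`";

/* Same range test the thread quotes for isascii(): 0..127 inclusive. */
static int is_7bit(unsigned char c) { return c <= 127; }

/* NULL if the password passes, else a pointer to the first offending
 * byte so a caller can name it in an error message. */
const char *first_rejected(const char *pw)
{
    const char *hit = strpbrk(pw, REJECTED);
    for (const char *p = pw; *p; p++) {
        if (!is_7bit((unsigned char)*p) && (hit == NULL || p < hit))
            return p;
    }
    return hit;
}

/* Collects every printable non-alphanumeric ASCII character (33..126)
 * that fails as a one-character password. out needs 33 bytes. */
size_t rejected_specials(char *out)
{
    size_t n = 0;
    for (int c = 33; c <= 126; c++) {
        char pw[2] = { (char)c, '\0' };
        if (!isalnum(c) && first_rejected(pw) != NULL)
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char bad[33];
    const char *pw = "S3cure|pa`ss"; /* constructed sample password */
    const char *hit = first_rejected(pw);
    rejected_specials(bad);
    printf("rejected specials: %s\n", bad);
    if (hit)
        printf("rejected at offset %td: '%c'\n", hit - pw, *hit);
    return 0;
}
```

The pipe character passes this model, which matches the GUI test results in the post above; the moderator's note lists it as best avoided all the same.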
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 8974
Location: Netherlands

Posted: Tue Apr 20, 2021 9:14
Correct, the isascii() function tests for an ASCII character in the range 0 to 127.
_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11756
Location: Texas, USA

Posted: Tue Apr 20, 2021 14:13
What would be ideal and the reality, now known, is what it is. Now we know exactly what special characters are accepted for the webUI password, and that is the key resolution here. No more need to squabble about it, really, unless @egc can convince @BrainSlayer to make changes.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 8974
Location: Netherlands

Posted: Tue Apr 20, 2021 14:31
kernel-panic69 wrote:
What would be ideal and the reality, now known, is what it is. Now we know exactly what special characters are accepted for the webUI password, and that is the key resolution here. No more need to squabble about it, really, unless @egc can convince @BrainSlayer to make changes.


The isascii() function is an in-built function in C.
It is not impossible (actually fairly easy) to write our own function to allow more characters, but frankly making a strong password with ascii 0-127 and a maximum length of 63 (I think it is 63) should be sufficient.

So the challenge now is, as far as I am concerned, adding it to the wiki and/or help text :)

mastaofdisastax
DD-WRT Novice


Joined: 16 Oct 2018
Posts: 15

Posted: Tue Apr 20, 2021 17:39
It's the strpbrk() function that (unnecessarily?) removes `'". isascii() already returns the characters `'" as valid characters between decimal 0-127. It doesn't seem that any custom function would be necessary. The only change would be:

line 107 before:
if (strpbrk(value, "'\"ÂŽ`")) { // filter some unwanted characters

line 107 after:
if (strpbrk(value, "ÂŽ")) { // filter some unwanted characters
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1212

Posted: Tue Apr 20, 2021 22:35
The only thing I could think of is that it is possible that if you are making certain OS type calls those characters could be trouble because you would have to escape them...

but then I do not know why the others...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 8974
Location: Netherlands

Posted: Wed Apr 21, 2021 12:19
To be clear what is allowed at this moment see:
https://svn.dd-wrt.com/ticket/7404#comment:2

This is since commit 45950

https://svn.dd-wrt.com/changeset/45950

hackler756
DD-WRT User


Joined: 17 Sep 2014
Posts: 68
Location: Austria

Posted: Fri Apr 23, 2021 0:43
Be careful - this is a new restriction but no warning was implemented that the password contains invalid characters. dd-wrt stores encrypted password anyway and locks the user out of the system.
_________________
ZTE MC801A - 5G bridge mode
R7000 - router, AP 2.4Ghz / 5Ghz
mastaofdisastax
DD-WRT Novice


Joined: 16 Oct 2018
Posts: 15

Posted: Fri Apr 23, 2021 11:06
When I upgraded from an older version (no reset) with a password saved that included these characters, the new versions continued to let me login with the old password. So I didn't notice the issue until I reset.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11756
Location: Texas, USA

Posted: Fri Apr 23, 2021 13:50
So, to note: All versions 03-09-2021-r45955 and newer will not allow the previously mentioned characters in passwords on fresh install or after a hard reset.

I don't think there is a need for further discussion or to have a ticket about it. There's far more important matters to deal with. This thread is now a sticky in the general forum for future reference until no longer required. Wiki has been updated.
