Add a warning when the user tries to set a password too simple
Open, LowPublic
Actions

Assigned To

None

Authored By

	dmbaturin
	May 16 2024, 2:17 PM

Description

To prevent people from creating configurations readily available for trivial brute force, we should disallow default passwords at installation and set time. The best way to do it is probably a set-time validator.

We shouldn't prevent configs with those passwords from loading.

Details

Version: -
Is it a breaking change?: Behavior change
Issue type: Feature (new functionality)

Related Objects

Mentioned In: rVYOSONEX0af5728700b0: Merge pull request #4390 from oniko94/feature/T6353-add-password-complexity…
rVYOSONEX93f02429533f: T6353: Change cli_commit to return the command output
rVYOSONEXb5b3e85f0bc8: T6353: Add password strength check and user warning

Event Timeline

dmbaturin created this task.May 16 2024, 2:17 PM

pasik subscribed.May 16 2024, 3:04 PM

I think a warning is better than to block it from being set, specially since the workaround to load it through already existing config still remains.

VyOS is not only used in production but also in education and labs etc where a complex password is NOT needed.

The validator could still test for a "good password" (aka password strength) according to some standard that it contains lowercase letters, uppercase letters, numbers, special characters, x number of characters and whatelse thats popular to check for.

https://en.wikipedia.org/wiki/Password_strength

https://pages.nist.gov/800-63-3/

Other things to implement at the same time is to add delays for each attempt. Like the 3 first attempts have no delays (like 1 second) but after that the delay is doubled for each attempt.

Embezzle subscribed.May 19 2024, 6:15 PM

dmbaturin added a project: Bugs.Sep 15 2024, 5:03 PM

dmbaturin removed a project: Bugs.Oct 8 2024, 9:57 PM

dmbaturin changed Issue type from Security vulnerability to improvement.

syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.Nov 1 2024, 4:32 PM

syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM

dmbaturin renamed this task from Disallow setting user password to "vyos" (the default) to Add a warning when the user tries to set a password too simple.Nov 4 2024, 3:48 PM

dmbaturin moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.Nov 15 2024, 3:37 PM

dmbaturin added a project: Restricted Project.Feb 6 2025, 12:52 AM

dmbaturin changed Issue type from improvement to Unspecified (please specify).

dmbaturin added a project: VyOS 1.5 Circinus.Mar 18 2025, 3:18 PM

dmbaturin changed Issue type from Unspecified (please specify) to Feature (new functionality).

oniko94 mentioned this in rVYOSONEXb5b3e85f0bc8: T6353: Add password strength check and user warning.Mar 18 2025, 3:21 PM

oniko94 mentioned this in rVYOSONEX93f02429533f: T6353: Change cli_commit to return the command output.

Restricted Repository Identity mentioned this in rVYOSONEX0af5728700b0: Merge pull request #4390 from oniko94/feature/T6353-add-password-complexity….Mar 18 2025, 3:21 PM

PR revert https://github.com/vyos/vyos-1x/pull/4411