PenangScienceCluster / digital-library

Files and documents for setting up a Calibre-Web container on a QNAP device.
https://penangsciencecluster.github.io/digital-library/
Mozilla Public License 2.0

Default password requirements are insecure #10

Open chanjuping opened 1 year ago

chanjuping commented 1 year ago

Describe the bug No matter how long the password is, if it does not strictly contain a number, capital, or symbol, it is rejected. This actually means the password search space is less secure, because the passwords being eliminated for example are Sq$Y/DsZ="!-#tLvm:}x which is clearly quite strong, and the search space for brute force password cracking is significantly lessened.

To Reproduce Steps to reproduce the behavior:

  1. Try to change passwords.
  2. Use a random Password generator in a password manager to generate a password.
  3. >ñhooãgâÖsxOôÆÙR is an example password that has no numbers and so would be rejected.

Expected behavior Not accepting common passphrases is the more appropriate password rejection step, alongside password length. Implementation of a hardware security key architecture would negate the need for strong passwords in all but the most mission critical environments.

Additional context Eliminating any potential variable in passwords means the sample size for potential passwords is significantly reduced. The more secure way to adopt is from https://cry.github.io/nbp/ to eliminate common password usage.

KahJunC commented 1 year ago

JuPing, you mean on QuRouter from router side or QTS from NAS side?

KahJunC commented 1 year ago

Default password for QuRouter / QTS: the "default password" is the MAC address.

KahJunC commented 1 year ago

Originally we designed it to reject the password if it does not fully follow the rule.


chanjuping commented 1 year ago

> JuPing, you mean on QuRouter from router side or QTS from NAS side?

QTS user side is where I saw this problem.

The default password on the sticker is standardised, I understand. It's the setting up of a new passphrase that's an issue. I use a passphrase generator to randomly set my passphrases, so oftentimes I have to generate several new passphrases before I hit on one QTS will accept by default, which shows in practice how introducing criteria that are not well thought out will degrade security rather than enhance it.

Implementing a database of commonly used passwords to reject by default should be a better option in terms of eliminating bad passwords.
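The two policies contrasted in this thread, as an added example that is not code from the digital-library project or from QTS: a composition rule (digit + capital + symbol required) rejects the randomly generated passwords quoted above, while a length-plus-blocklist check accepts them and still rejects a common password. The blocklist is a constructed five-entry stand-in for a real list such as the NBP one linked in the issue.

```python
"""Composition-rule policy vs. length-plus-blocklist policy for new passwords."""
import math
import string
import unicodedata

# Constructed stand-in for a common-password blocklist; a real deployment would
# load the full NBP list (https://cry.github.io/nbp/) instead of these five.
COMMON_PASSWORDS = {"password", "password1", "password1!", "qwerty123", "letmein"}


def composition_policy(pw: str) -> bool:
    """The behaviour the issue reports: accept only if the password contains a
    digit, an uppercase letter and a symbol, regardless of its length."""
    return (any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(not c.isalnum() for c in pw))


def blocklist_policy(pw: str, min_len: int = 8) -> bool:
    """The alternative proposed in the thread: accept any password of at least
    min_len characters that is not on the common-password list. The lookup is
    Unicode-normalised and case-folded so trivial variants are also caught."""
    if len(pw) < min_len:
        return False
    normalised = unicodedata.normalize("NFKC", pw).casefold()
    return normalised not in COMMON_PASSWORDS


def guess_space_bits(pw: str) -> float:
    """Rough brute-force upper bound: log2(alphabet ** length), where alphabet
    is the union of the standard character classes the password draws from.
    Non-ASCII letters are counted as one extra 128-symbol class (assumption)."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    if any(ord(c) > 127 for c in pw):
        size += 128
    return len(pw) * math.log2(size)


def compare(pw: str) -> dict:
    """Report how both policies treat one candidate password."""
    return {"composition": composition_policy(pw),
            "blocklist": blocklist_policy(pw),
            "bits": round(guess_space_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ['Sq$Y/DsZ="!-#tLvm:}x', "ñhooãgâÖsxOôÆÙR", "Password1!"]:
        print(candidate, compare(candidate))
```

Running the block shows both generated passwords from the issue failing the composition rule while passing the blocklist check, and "Password1!" doing the opposite despite its much smaller guess space.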