iiab / iiab-admin-console

GUI (Admin Console) to configure IIAB and install content
GNU General Public License v2.0

Admin Console should require WiFi password length >= 8 characters #577

Closed holta closed 3 months ago

holta commented 3 months ago

@avni (who also witnessed this UX problem and its serious consequences) can confirm:

image

tim-moody commented 3 months ago

At the moment Admin Console enforces the same rules as iiab (none).

Are there other rules that should be added? For example, on admin password change there are complexity rules in addition to a length rule.

tim-moody commented 3 months ago

From the reference above I see that they must be printable characters ('must have an encoding in the range of 32 to 126 (decimal), inclusive')

holta commented 3 months ago

> From the reference above I see that they must be printable characters ('must have an encoding in the range of 32 to 126 (decimal), inclusive')

If it's easy to enforce that as well, why not?

(Certainly enforcing the 8-character minimum would be a great addition, having seen several people now fall into that trap :-)

holta commented 3 months ago

> At the moment Admin Console enforces the same rules as iiab (none).

Indeed.

We should probably do better.

Whether patched at a high-level (rapid UX explanation if implementer enters an illegal Wi-Fi password) &/or at a low-level here:

tim-moody commented 3 months ago

578

tim-moody commented 3 months ago

can anyone test?

tim-moody commented 3 months ago

There are two cases

  1. The user edits as in the image above and saves to local vars. This is equivalent to manually editing local vars, where validation is up to ansible. Validating in Admin Console raises the question of how many ansible edits should be put into Admin Console.
  2. The user changes the wifi password and Admin Console applies this change directly. Admin Console should validate the password.

tim-moody commented 3 months ago

requires further study

holta commented 3 months ago

Largely solved by:

tim-moody commented 3 months ago

does not handle reported case

avni commented 3 months ago

I can help test when there's a PR ready - thank you!

avni commented 3 months ago

> 1. The user edits as in the image above and saves to local vars. This is equivalent to manually editing local vars, where validation is up to ansible. Validating in Admin Console raises the question of how many ansible edits should be put into Admin Console.

Confirmed this works. TY!

> 1. The user changes the wifi password and Admin Console applies this change directly. Admin Console should validate the password.

For this, do I test by changing local_vars directly?

avni commented 3 months ago

Results of changing local_vars.yml directly shared here: https://github.com/iiab/iiab-admin-console/pull/580#issuecomment-2306284322

holta commented 3 months ago

> 1. The user changes the wifi password and Admin Console applies this change directly. Admin Console should validate the password.

> For this, do I test by changing local_vars directly?

If you change these 2 lines in /etc/iiab/local_vars.yml — for example if installing a SMALL-sized IIAB...

hostapd_secure: False    # 2021-03-02 WiFi EAPOL fails if hotspot passwords,
hostapd_password: changeme    # espec if WiFi firmware patched below?  #2696

...it's true that IIAB's network role (i.e. Ansible playbook) will not currently validate / enforce that hostapd_password really should be 8-to-63 "printable characters"

As mentioned above :-)
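
The rule discussed in this thread (8 to 63 characters, each with an encoding from 32 to 126) can be checked before a value reaches hostapd. The following is an added example, not code from IIAB or Admin Console; the function names and the simplified `local_vars.yml` line reader are assumptions made for illustration.

```python
import re

MIN_LEN, MAX_LEN = 8, 63      # length limits quoted in the thread
LOW, HIGH = 32, 126           # allowed character encodings, inclusive

def check_wifi_password(password):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"too short: {len(password)} characters, minimum is {MIN_LEN}")
    elif len(password) > MAX_LEN:
        problems.append(f"too long: {len(password)} characters, maximum is {MAX_LEN}")
    for pos, ch in enumerate(password, start=1):
        if not LOW <= ord(ch) <= HIGH:
            problems.append(f"character {pos} (U+{ord(ch):04X}) is outside {LOW}..{HIGH}")
    return problems

def read_hostapd_password(local_vars_text):
    """Extract hostapd_password from local_vars.yml text, or None if absent.

    Simplified single-line reader (an assumption of this example), not a full
    YAML parser: handles bare or quoted values and trailing '# comment' text.
    """
    for line in local_vars_text.splitlines():
        m = re.match(r"\s*hostapd_password\s*:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1)
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)
            return value[1:end] if end != -1 else value[1:]
        return re.split(r"(?:^|\s+)#", value, maxsplit=1)[0].strip()
    return None

def check_local_vars(local_vars_text):
    """Validate the hostapd_password found in local_vars.yml text."""
    password = read_hostapd_password(local_vars_text)
    if password is None:
        return ["hostapd_password is not set"]
    return check_wifi_password(password)

# Constructed sample: the two variables from the thread, with a 7-character password.
SAMPLE = (
    "hostapd_secure: True\n"
    "hostapd_password: iiab123    # constructed value\n"
)

if __name__ == "__main__":
    for problem in check_local_vars(SAMPLE):
        print("hostapd_password:", problem)
```

The same check applies to both cases listed earlier in the thread: a value saved to local vars and a password change applied directly.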