How do i modify password policy on RouterOS?

uberwebguru · Fri Apr 01, 2022 4:30 am

I have noticed whenever i have a complex password up to like 28 characters or so, RouterOS does not accept the password
I need to modify to allow even up to 256 characters or more!!!
How do i do this?

Fri Apr 01, 2022 8:39 am

As far as I know and could find there is no limit.
1 character to avoid as first is $, it might be interpreted then as "value of variable which follows"

I just created a new user (in group read) on my Hex with this password (note I also used $):
Th1s!s@VeryL0ngP@$$W0rdTh1s!s@VeryL0ngP@$$W0rdTh1s!s@VeryL0ngP@$$W0rd

Then logged in using Winbox.
Works as expexted.

You could also move to Radius for accounts/passwords but that would complicate things further.

Buckeye · Fri Apr 01, 2022 9:03 am

At first I though you were serious, then due to your uber name, I believe when you posted it was 1-APR-2022 where you are, so I assume this is an "april fools joke".

Fri Apr 01, 2022 9:04 am

That would be a nice one

uberwebguru · Fri Apr 01, 2022 1:47 pm

At first I though you were serious, then due to your uber name, I believe when you posted it was 1-APR-2022 where you are, so I assume this is an "april fools joke".

Nopes not april fools
I have tried many times and it keep not accepting but when i reduce characters it allows

So there are 2 places to set password
There is

System => Password

AND

System => Users => Password

The places where i have been having issues is

System => Users => Password

So which ones are you guys using and what does each represent?

Fri Apr 01, 2022 2:41 pm

In CLI there is no System / users.
What is your version of ROS you are using and on what device ?
I am referring to /user (no system).

If however you are referring to Winbox access: I went to System -> Users and then Password.
Example provided above worked there without any problem.

I think (but could be wrong) Winbox / System / Passwd is for setting the default admin password (an account which I by default ALWAYS DELETE when I configure a new device).

rextended · Fri Apr 01, 2022 2:45 pm

@uberwebguru
Without wasting time, publish the command line with the password that gives you the error instead of writing novels.
Don't use as an excuse that you don't want to show (rightly) the password, create another one that gives you an error and show that.

Fri Apr 01, 2022 2:50 pm

I already provided a working example.
Use that as well for testing.

rextended · Fri Apr 01, 2022 2:54 pm

This is a 1000 characters password and it works:

[rex@net] /user> set test password="1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
[rex@net] /user>

rextended · Fri Apr 01, 2022 2:57 pm

I already provided a working example.
Use that as well for testing.

@holvoetn, you have two accounts?
I ask to do that to @uberwebguru, you have used wrong browser to reply...
Or I have misunderstand your reply......

Fri Apr 01, 2022 3:00 pm

I already provided a working example.
Use that as well for testing.
@holvoetn, you have two accounts?
I ask to do that to @uberwebguru, you have used wrong browser to reply...
Or I have misunderstand your reply......

Nope.
Just wanted to indicate that adding to his wrong example which you asked him to show, I already provided a (for me) working example (with other characters then only letters and digits) which he can also test to see if it does work or not.
I got a test engineer background (long time ago). I usually test negative ánd positive.

rextended · Fri Apr 01, 2022 3:04 pm

Ok, but on your example are missing all characters usable on routeros....

Fri Apr 01, 2022 3:08 pm

Ok, but on your example are missing all characters usable on routeros....

???

Th1s!s@VeryL0ngP@$$W0rdTh1s!s@VeryL0ngP@$$W0rdTh1s!s@VeryL0ngP@$$W0rd

You only got digits (ok, a LOT of digits). I got lower case, upper case, digits, diacritics, ...
I don't need to use the complete ASCII set to
1- prove I can go larger then 28 characters (which was initiallly listed as problem) and
2- prove it's possible to use "special" characters.

rextended · Fri Apr 01, 2022 3:09 pm

You not understand?

Useless for Passwords: <TAB><CR><LF>

Usable on Passwords: <SPACE>!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

A passwrod than use all usable characters with escapes for routeros 6.x:

:put "!\"#\$%&'()*+,-./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
/user
set test password="!\"#\$%&'()*+,-./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

If you notice ? " \ and $ must be escaped

Edit: on v7 probably ? must not be escped....

Fri Apr 01, 2022 3:12 pm

Eh, nope, not when using Winbox.
I could enter that pasword using Winbox just like I showed it.
And I even was able to login using Winbox with that test user using that exact same passwd.
There was no escaping needed.

rextended · Fri Apr 01, 2022 3:15 pm

I know that, but for be clear for the others than read this topic, on console the ? \ " and $ must be escaped...
On v7 probably the ? can not be escaped.
And probably the OP only talk about winbox, but as you notice, no problem (I use both 32 and 64 3.35)

Fri Apr 01, 2022 3:18 pm

I know that, but for be clear for the others than read this topic, on console the ? \ " and $ must be escaped...
And probably the OP only talk about winbox, but as you notice, no problem (I use both 32 and 64 3.35)

You do know we are both talking about the same thing, right ?

OP did indeed use Winbox (but he needs to confirm that).
And from CLI some characters need to be escaped, I am aware, but that was not his question.

rextended · Fri Apr 01, 2022 3:19 pm

I think (but could be wrong) Winbox / System / Passwd is for setting the default admin password (an account which I by default ALWAYS DELETE when I configure a new device).

No, "System / Password" is for the current used user for open winbox

rextended · Fri Apr 01, 2022 3:20 pm

OP did indeed use Winbox (but he needs to confirm that).

Or webfig.... has same menu structure, I do a test...

rextended · Fri Apr 01, 2022 3:23 pm

Work also on webfig 6.46.8, no problem

uberwebguru · Fri Apr 01, 2022 9:58 pm

@uberwebguru
Without wasting time, publish the command line with the password that gives you the error instead of writing novels.
Don't use as an excuse that you don't want to show (rightly) the password, create another one that gives you an error and show that.

I use winbox not CLI
I am using RouterOS 7.1.5

Like i said there are 2 places
And i provided how to navigate to them, when using winbox

System => Users => under admin users => Password...

Ok i just tried again now with 117 characters and it worked
Maybe the passwords didn't match or something before

Anyways i think am good now, thanks all

uberwebguru · Fri Apr 01, 2022 9:59 pm

You do know we are both talking about the same thing, right ?

OP did indeed use Winbox (but he needs to confirm that).
And from CLI some characters need to be escaped, I am aware, but that was not his question.

Yes i use winbox, and ROS v7.1.5

Buckeye · Fri Apr 01, 2022 11:02 pm

I know that, but for be clear for the others than read this topic, on console the ? \ " and $ must be escaped...
On v7 probably the ? can not be escaped.
And probably the OP only talk about winbox, but as you notice, no problem (I use both 32 and 64 3.35)

So, if you want to set good password, that can be used from ssh, console, winbox etc. with a password manager, set the password manager's "password policy" for RouterOS not to use ? \ " $ and most password managers probably won't use <tab> <space> or <nul> or other non-printing characters.

I prefer not to have passwords that require special use cases (like quoting), because it can be very confusing when a password works with winbox, but does not from the console.

For example the following Password Safe should work?

MikroTik_RouterOS_pwsafe_policy.png

rextended · Fri Apr 01, 2022 11:50 pm

I do not see any problem, just some hint to all:
do not use more than one <SPACE> following another,
do not use space at start or at end,
do not use ' or ` because are sometime undistinguished...

But the better password is a non standard username, deleting admin, and not using other standard names like root, user, guest, etc.

For example if username is rex576518719 and the password 713sdfas672 the user is safe and sufficently complex...
First you must find the username but... how?
You need to try all possible passwords and ALSO all possible usernames.......................................

Buckeye · Sat Apr 02, 2022 12:33 am

But the better password is a non standard username, deleting admin, and not using other standard names like root, user, guest, etc.

Totally agree. If you look at logs on any internet facing device, you will see many attempts for user "root" and "admin" using dictionary attacks.

Buckeye · Sat Apr 02, 2022 9:18 am

another "hint" when replacing admin account.

First backup and save the .backup to another computer.

Add new fully prived account from admin with good password and uncommon name.

Suggestion: save credentials in password manager.

Then log out of admin, log into new account from ssh and winbox, web access and any other method you would normally use. Verify that you can log in to the new account using any method you plan to in the future. If you saved with password manager, verify you can use it to retrieve username/password and that it works.

After you have verified that you can log into the new account multiple ways, then from the new account, delete the admin account.

If you follow these steps, you won't lock yourself out. And as long as you don't forget the new username/password you should be able to log into your router in the future.

How do i modify password policy on RouterOS? [SOLVED]

How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS? [SOLVED]

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Re: How do i modify password policy on RouterOS?

Who is online