Device Account password requirments
Hello,
Setting up a new Omada software controller on Linux, version 5.15.24.17. This is our 6th or 7th controller we've set up over the last 2 years.
As part of the initial setup there is a section to enter the Device Account username and password. It appears that the password requirements have changed and are a bit ridiculous. Plus the error message is incorrect.
We have been using a very strong 20+ character password that meets all of the above requirements except that it has 2 consectutive characters. Failing a 20+ character password for this reason is silly.
And the error message is wrong. It reads "The password should not contain consectutive identical characters." The use of the word "should" implies that this is a recommendation and not a requirement. (The use of the word "must" implies requirement.) Unfortunately the set up page will not accept a password with two consectutive identical characters which means that this is a hard requirement.
The last time we set up a new controller a which was version 5.15.8.2 the no "consectutive identical characters" requirement was not present.
I totally understand the challenge of ensuring users create good passwords. Doing so is a good thing! However, arbitrary requirements is a bad thing.
A better approach would be to require a minimum amount bit entropy in the password and ensure that the entered password meets a minimum secure threshold.
Just my $0.02. But more than annoyed enough to write this up.
Hi @Vincent-TP,
With all due respect, the IMDA document you linked to (https://www.imda.gov.sg/-/media/imda/files/regulation-licensing-and-consultations/ict-standards/telecommunication-standards/radio-comms/imda-ts-rg-sec.pdf) is not really applicable.
First the document is titled:
Technical Specification Security Requirements for Residential Gateways
So this applies to residential WiFi routers, like the very good TP-Link AX55, and not a WiFi AP like the (also very good) Omada EAP655-Wall.
Second, ihe the report is from the IMDA which is a Singapore Organization and not a international standards organization. From the IMDA (https://www.imda.gov.sg/) web site:
This document was written by and for Singapore. It is not relevant to any other market. So it feels like your referencing the requirement in the IMDA document is a bit disingenuous.
Finally, you also failed to address the incorrect language in the error message I highlighted. Specifically the error message states the passwords "should not" not include 2 consecutive identical characters, when the implementation treats the requirement as a "must not".
I should also add the the "no consecutive character" requiment is only for device account access. it does not apply to controller accounts. The inconsistency is annoying.
Respectfully.