Console Screen and Password change
-
When you are on the actual console of pfSense (not the web configurator), there's an option to reset the password without authentication. Did I miss an area where it requires the previous password? If there isn't, then this seems to be a very open security hole - being able to change the password just because you have access to the console directly.
-
If you have your console open to access, you have the risk of people booting from other media and getting rid of any protection anyway, but there is an option under System > Advanced to disable that console access.
P.S. Even on Cisco hardware, you can always get into a router with a password on it by telling it to ignore the config on boot up. They added a "no service password-recovery" option to still require the password, but you can still interrupt the boot earlier to get past that.