Password Limits?

firewalluser · Jan 18, 2015, 6:33 AM

Is there a limit to how many chars can be used in a password via the gui?

Changed Admin's password after upgrading yesterday, gone to log in today and it doesnt work.

The GUI didnt throw any messages/warnings or errors when accepting yesterdays password.

This was yesterdays passwords: oiuEDE9J&£"%*&dfcoiu987cd32j7XDJH (32chars)

21char passwords work fine which is the length I had previously been using.

doktornotor · Jan 18, 2015, 8:18 AM

@firewalluser:

This was yesterdays passwords: oiuEDE9J&£"%*&dfcoiu987cd32j7XDJH (32chars)

kejianshi · Jan 18, 2015, 8:23 AM

There is no correct horse battery staple…

firewalluser · Jan 18, 2015, 5:05 PM

@doktornotor

I dont believe the NSA or GCHQ have found a way to get a watch off my arm or a digital organiser out of my pocket without my knowing. ;D

https://www.casio.com/products/Watches/Databank/
http://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=m570.l1313&_nkw=electronic+organiser&_sacat=0

phil.davis · Jan 18, 2015, 5:27 PM

That password works fine on my 2.2 system. And trying to login using all but the last char of the password fails, so it is respecting all the chars.
1234567890123456789012345678901234567890
also works - 40 chars.
I suspect there is no practical limit (which is the case with FreeBSD), just some maximum input buffer size somewhere that will be many KB.

firewalluser · Jan 18, 2015, 6:15 PM

I've yet to try the pwd again, still piecing together whats been going on as I had another instance of the sip server playing up this morning as reported previously here https://forum.pfsense.org/index.php?topic=86087.0 but the change of pwd makes it hard to piece together what went on, and an alternative way to stopping the logs as reported here https://forum.pfsense.org/index.php?topic=86397.0.

I'm aware of how to slip into someone else's state if they fail to log out from a website, which is why getting pfsense to manage states properly is important and quite surprised at the soon to be Release status of 2.2 as the above happened running yesterdays image.
pfSense-memstick-2.2-RC-amd64-20150116-1153.img

doktornotor · Jan 18, 2015, 6:32 PM

@firewalluser:

I dont believe the NSA or GCHQ have found a way to get a watch off my arm or a digital organiser out of my pocket without my knowing. ;D

That's a different one:

:D :D :D

kejianshi · Jan 18, 2015, 7:45 PM

The wrenches are usually more expensive than $5 (Its government after all).

firewalluser · Jan 18, 2015, 9:54 PM

Got the handbook http://pastebin.com/irj4Fyd5.

firewalluser · Jan 19, 2015, 10:39 PM

Possibly found the problem but its intermittent or maybe related to the very first user added to a new system installation as I cant reproduce it again with subsequent users, but just a moment ago when adding a new user for the first time on a new system, the username accepted illegal chars ie those that are not a-z A-Z & 0-9 and it didnt throw an error msg or warning when I saved it, unlike the 2nd attempt and subsequent attempts to add a new user with illegal chars when I repeated the test.

Feature Request. Add some notes with the prompts or after the entry fields, detailing what chars we can and cant use with min and max lengths for the username & pwds. Different systems have different rules, so it would be useful to new users.

Anyway, just a moment ago I originally set up a new user 879342fsd9898fds£*#@ and used for the pwd oiuEDE9J&£"%*&dfcoiu987cd32j7XDJH to test the pwd again. The pwd works fine on all users btw.

Although the system log does not log and thus show news users or changes to users made from the User Manager webpages which would be useful for auditing purposes (another feature request), you can see in the systems log I tried logging in with 879342fsd9898fds£*#@ and was rejected having just set it up.

21:51:22 was the first attempt to log on, 22:17:11 was the second attempt.

Second problem I have found with users, is there is still an entry showing with no username after you delete a user which will explain the system log entry at 22:16:52. It seems you need to delete the user twice to clear the blank entry, havent tried to log in with blank user details yet or try some other tricks to log in with.

Jan 19 22:17:20 php-fpm[51681]: /index.php: Successful login for user 'admin' from: 192.168.100.2
Jan 19 22:17:20 php-fpm[51681]: /index.php: Successful login for user 'admin' from: 192.168.100.2
Jan 19 22:17:11 php-fpm[51681]: /index.php: webConfigurator authentication error for '879342fsd9898fds£*#@' from 192.168.100.2
Jan 19 22:17:11 php-fpm[51681]: /index.php: webConfigurator authentication error for '879342fsd9898fds£*#@' from 192.168.100.2
Jan 19 22:16:58 php-fpm[51681]: /index.php: User logged out for user 'admin' from: 192.168.100.2
Jan 19 22:16:52 check_reload_status: Syncing firewall
Jan 19 22:16:52 php-fpm[51681]: /system_usermanager.php: The command '/usr/sbin/pw groupmod admins -g 1999 -M '0,2002' 2>&1' returned exit code '67', the output was 'pw: user `2002' does not exist'
Jan 19 22:16:52 php-fpm[51681]: /system_usermanager.php: Tried to remove user but got user pw instead. Bailing.
Jan 19 22:15:41 check_reload_status: Syncing firewall
Jan 19 22:15:41 php-fpm[51681]: /system_usermanager.php: Tried to remove user but got user pw instead. Bailing.
Jan 19 22:15:24 php-fpm[51681]: /index.php: Successful login for user 'admin' from: 192.168.100.2
Jan 19 22:15:24 php-fpm[51681]: /index.php: Successful login for user 'admin' from: 192.168.100.2
Jan 19 22:15:18 php-fpm[51681]: /index.php: User logged out for user '879342fsd9898fds' from: 192.168.100.2
Jan 19 22:13:55 check_reload_status: Syncing firewall
Jan 19 21:54:53 php-fpm[62095]: /index.php: Successful login for user '879342fsd9898fds' from: 192.168.100.2
Jan 19 21:54:53 php-fpm[62095]: /index.php: Successful login for user '879342fsd9898fds' from: 192.168.100.2
Jan 19 21:54:37 php-fpm[62095]: /index.php: User logged out for user '879342fsd9898fds' from: 192.168.100.2
Jan 19 21:52:32 php-fpm[62095]: /index.php: Successful login for user '879342fsd9898fds' from: 192.168.100.2
Jan 19 21:52:32 php-fpm[62095]: /index.php: Successful login for user '879342fsd9898fds' from: 192.168.100.2
Jan 19 21:52:17 php-fpm[62095]: /index.php: User logged out for user 'admin' from: 192.168.100.2
Jan 19 21:51:37 php-fpm[30074]: /index.php: Successful login for user 'admin' from: 192.168.100.2
Jan 19 21:51:37 php-fpm[30074]: /index.php: Successful login for user 'admin' from: 192.168.100.2
Jan 19 21:51:22 php-fpm[30074]: /index.php: webConfigurator authentication error for '879342fsd9898fds£*#@' from 192.168.100.2
Jan 19 21:51:22 php-fpm[30074]: /index.php: webConfigurator authentication error for '879342fsd9898fds£*#@' from 192.168.100.2
Jan 19 21:51:08 php-fpm[30074]: /index.php: User logged out for user 'admin' from: 192.168.100.2

This is on the latest build
2.2-RC (amd64)
built on Fri Jan 16 11:53:08 CST 2015

EDit. pfsense lets you delete the user you have logged in with without throwing any errors which explains the blank user entry I saw earlier and the system log entry @ 22:16:52.

firewalluser · Jan 19, 2015, 10:56 PM

I now see this when I add a new user but can log in ok as the newly created user.

Jan 19 22:54:19 php-fpm[6634]: /system_usermanager.php: The command '/usr/sbin/pw groupmod admins -g 1999 -M '0,2003' 2>&1' returned exit code '67', the output was 'pw: user `2003' does not exist'
Jan 19 22:54:19 php-fpm[6634]: /system_usermanager.php: Tried to remove user but got user pw instead. Bailing.