Writing secure software is hard. At the same time, some things are so fundamental that failing to implement them is just inexcusable. One of these is that you must not limit the password length. (At least below some crazy limit like a thousand characters. Long before that your password is no longer the weakest link in even the most secure systems in the world.) Enter my new router, ironically named the Orcon Genius. It's a bog standard consumer router, and like most routers it came with an insecure admin password. I promptly replaced it with a long, generated password, but afterwards I could no longer log in. I suspected a shoddy implementation, so I cobbled together a script to try logging in using every substring of the password. After about half a second it spat out the correct password, verifying that this router only saves the first 15 characters of the password. The script is very simple:


 password='your_secure_password' # the line starts with a space

password_length=${#password}
for start in $(seq 0 $password_length)
do
    for length in $(seq 1 $(($password_length - start)))
    do
        substring="${password:$start:$length}"
        if curl --basic --fail --silent --user "admin:${substring}" http://192.168.1.1 > /dev/null
        then
            echo "$substring"
            break 2
        fi
    done
done

The space before the variable assignment is to avoid storing the password in the shell history. Your shell may not support this feature, in which case you need to figure out how to securely erase the password from your history. Consider yourself warned.

I've reported this issue to Orcon. Hopefully they will fix the firmware.