This immediately set off alarm bells in my mind. Changing my password shouldn’t break the UI. I found out that the length limit is 16 chars, which my password manager happily ignored. Turns out that the only way they’re enforcing the limit is the HTML
maxlength attribute, which is super easy to change from the Chrome dev tools.
I couldn’t get to the password change page, so I had to use SSH that I had enabled. I tried to change my password using the popular *nix utility,
passwd. This isn’t a thing in the stripped down version of Linux on the router, so I took to Google.
In my searches, I found a video from last year, showing that you get the password in plaintext simply by entering a short command. I figured that they must’ve nerfed that to encrypt the password, but again, NOPE! The router happily spit out my password in plaintext right into the console.
Seeing as this was some NVRAM variable thing, I was able to change it super easily too. This let me back into the (now fixed) admin page and I was able to continue editing settings.
While this may not be that big of an issue (you need to have SSH access which requires knowing the password in the first place), it pisses me off because it’s so easy to hash the password and get a decently secure system going. ASUS is a multi-billion dollar company, they can totally afford to do that.
I also would’ve emailed this issue to ASUS privately, however they apparently have a team of “independent security testers” that conduct “full audits of [the] router’s firmware,” so they should be just fine.