Bug 5594 - SSH login password font is ambiguous due to its use of mixed case among other things
Status: RESOLVED FIXED
Product: SB Controller
Classification: Unclassified
Component: UI
Version: unspecified
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: MP
Assigned To: Richard Titmuss
Reported: 2007-09-28 09:23 UTC by Caleb Crome
Modified: 2007-11-09 09:24 UTC

Description Caleb Crome 2007-09-28 09:23:05 UTC
The ssh login password is difficult to read because it is ambiguous. 

The login password should be in a very readable font (maybe fixed width like courier?), and should exclude ambiguous characters, such as 1, I, l, 0, O, o.

It's probably better to use a longer password with a reduced character set.  

It could use just numbers perhaps, or just numbers & lower case letters (except 1 and l).
Comment 1 Richard Titmuss 2007-10-05 14:42:52 UTC
Or just change this back to passwd again. I think the random password is too difficult to use, and does not really add much value/security.
Comment 2 KDF 2007-10-05 17:52:56 UTC
It is rather annoying to have to keep making note of the varying random password with regular need to do factory reset. It's not uncommon for devices to ship with a very simple default password, and it's not like ssh is enabled by default. However, we do need an easy way to set up a custom password for general use.
Comment 3 Caleb Crome 2007-10-05 18:15:49 UTC
For security reasons, we should probably have some way to secure, say, the WPA passwords.  Are they stored in clear text on the Jive?  If so, you could grab it via anonymous SSH.  Of course, you'd have to already be on the network to do that, but perhaps it could be done when Jive is in promiscuous mode.  Dunno.

A 4 digit numeric string would provide enough security -- only give 10 attempts or something before requiring a factory reset to gain ssh access.
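
Added example, not part of the original thread or the SB Controller code: a sketch of the reduced-character-set password from the description, plus the online guessing odds for the attempt-limited numeric code from comment 3. The 8-character mixed-case baseline is an assumption (the thread does not state the original password length), and all function names are hypothetical.

```python
import math
import secrets
import string

# Characters the report calls out as easy to confuse on a small display.
AMBIGUOUS = set("1Il0Oo")

# Reduced set suggested in the report: digits and lower-case letters,
# minus anything ambiguous. This leaves 32 symbols (5 bits each).
UNAMBIGUOUS = "".join(
    c for c in string.digits + string.ascii_lowercase if c not in AMBIGUOUS
)

# Mixed-case baseline alphabet (62 symbols); assumed, not taken from the thread.
FULL = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def length_for(target_bits: float, alphabet_size: int) -> int:
    """Shortest length whose entropy is at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(target_bits: float, alphabet: str = UNAMBIGUOUS) -> str:
    """Random password over `alphabet` with at least target_bits of entropy."""
    n = length_for(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def online_guess_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random password."""
    return min(1.0, attempts / alphabet_size ** length)


if __name__ == "__main__":
    baseline = entropy_bits(len(FULL), 8)  # assumed 8-char mixed-case password
    print(f"baseline: {baseline:.1f} bits")
    print(f"reduced set needs {length_for(baseline, len(UNAMBIGUOUS))} chars")
    print("sample:", generate(baseline))
    # Comment 3's proposal: 4 digits, 10 attempts before a factory reset.
    print("4-digit, 10 tries:", online_guess_probability(10, 4, 10))
```

The attempt limit is what carries the 4-digit case: without a lockout, the whole 10,000-value space can be tried.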

Comment 4 KDF 2007-10-05 22:05:31 UTC
The password is stored in wpa_supplicant.conf, plain text, but I think users should generally be keeping ssh off unless they are doing dev work.  Being able to turn on and off easily with a persistent password would be a big step in that simplicity.

However, it would seem that there should be some sort of standard security solution for wpa_supplicant.conf files as I'm sure many systems with ssh don't really have random passwords.
Comment 5 Chris Owens 2007-10-30 10:22:52 UTC
Richard suggests we select a default password that is simple and clear as a workaround.  Dean suggests 'squeezebox'
Comment 6 Chris Owens 2007-10-30 10:23:49 UTC
The end of the conversation settled on a password of '1234'
Comment 7 Richard Titmuss 2007-11-09 09:24:27 UTC
Changed to a fixed password of 1234 and added a motd file instructing the user how to modify the password when they log in via ssh. All done in r853 + r854.