I have two Wi-Fi enabled printers in my network and both have a web server for configuration. So far, I didn't set a password on neither of them but I thought it might be a good idea to do so lately, with interesting results:
As I like long passwords for security reasons I chose a 20 digit password, which at first seemed to work. No error messages when setting the password. But when accessing the printers again, neither would allow me to log on with my 20 digit password!? After some trial and error I established that I could access my HP Photosmart C7280 when only using 16 digits of the initial 20. The same with my brand new Samsung ML-2525W which only let me back into the menu when I only used 18 digits of the original password. Now there are four things that are very wrong with this:
- The password length is too short.
- It seems the passwords themselves are stored and not a hash value, thus creating the problem. Very unsave to store the password and not a hash value by the way...
- Why was there no error message that the password was too long?
- There is no delay between two login events, so a brute force attack is possible.
If I were daring, I'd try special characters in the passwords now... But I spare myself the trouble.
Have you ever try Elsteronline with your long password? :-)
Posted by: Markus Michelt | September 01, 2011 at 07:27 PM