sri786
November 24, 2017, 9:23pm
1
In raising this issue, I confirm the following (please check boxes, eg [X]) Failure to fill the template will close your issue:
How familiar are you with the codebase?:
5
[BUG REPORT | OTHER]:
Please submit your feature request here, so it is votable by the community. It's also easier for us to track.
[BUG | ISSUE] Expected Behaviour:
Password for Pi-Hole admin should follow standard password guidelines and it should not accept weak passwords.
[BUG | ISSUE] Actual Behaviour:
Pi-Hole accepts (through the Pi-Hole command line interface) any kind of password having at least a single character
[BUG | ISSUE] Steps to reproduce:
go to terminal and enter the command pihole -a
once you enter the pi-hole admin utility, view the options using pihole -a --help
now choose -p to set the password, enter the command pihole -a -p
now try to enter any kind of password having at least 1 character in it (even a blank password as a special case)
it accepts the password and gives the acknowledgement message
[BUG | ISSUE] Idea for implementation to achieve Expected Behavior:
Go to the program https://github.com/pi-hole/pi-hole/blob/master/advanced/Scripts/webpage.sh
go to line 94
add else condition to validate the entered password with a regular expression
use a regular expression like [[ ${#s} -ge 6 && "$s" == *[A-Z]* && "$s" == *[a-z]* && "$s" == *[0-9]* ]]
this regex makes sure that the input string meets the following conditions:
1. at least 6 characters long
2. has at least one digit
3. has at least one Upper case Alphabet
4. has at least one Lower case Alphabet
Following is the code snippet of this issue :
The main reason I have created this issue is that the password option in any interface is provided to ensure minimum security for the application user. Since Pi-hole accepts any kind of password (like a 1-character password), I feel it is not advisable, and in no way does it become a secure and user-friendly application.
I can create a pull request if my suggestion or idea is approved by you!
Thanks
(Optional) Debug token generated by pihole -d:
<token>
This template was created based on the work of udemy-dl.
sri786
November 24, 2017, 9:24pm
2
opened 07:07PM - 23 Nov 17 UTC
closed 05:29AM - 10 Jul 18 UTC
**In raising this issue, I confirm the following (please check boxes, eg [X]) Failure to fill the template will close your issue:**
- [yes] I have read and understood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md).
- [yes] The issue I am reporting can be *replicated*
- [yes] The issue I am reporting isn't a duplicate (see [FAQs](https://github.com/pi-hole/pi-hole/wiki/FAQs), [closed issues](https://github.com/pi-hole/pi-hole/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), and [open issues](https://github.com/pi-hole/pi-hole/issues)).
**How familiar are you with the codebase?:**
_5_
---
**[BUG REPORT | OTHER]:**
Please [submit your feature request here](https://discourse.pi-hole.net/c/feature-requests), so it is votable by the community. It's also easier for us to track.
**[BUG | ISSUE] Expected Behaviour:**
Password for Pi-Hole admin should follow standard password guidelines and it should not accept weak passwords.
**[BUG | ISSUE] Actual Behaviour:**
Pi-Hole accepts (through the Pi-Hole command line interface) any kind of password having at least a single character
**[BUG | ISSUE] Steps to reproduce:**
- go to terminal and enter the command pihole -a
- once you enter the pi-hole admin utility, view the options using pihole -a --help
- now choose -p to set the password, enter the command pihole -a -p
- now try to enter any kind of password having at least 1 character in it (even a blank password as a special case)
- it accepts the password and gives the acknowledgement message
**[BUG | ISSUE] Idea for implementation to achieve Expected Behavior:**
- Go to the program https://github.com/pi-hole/pi-hole/blob/master/advanced/Scripts/webpage.sh
- go to line 94
- add else condition to validate the entered password with a regular expression
- use regular expression like [[ ${#s} -ge 6 && "$s" == *[A-Z]* && "$s" == *[a-z]* && "$s" == *[0-9]* ]]
this regex makes sure that the input string meets the following conditions:
1. at least 6 characters long
2. has at least one digit
3. has at least one Upper case Alphabet
4. has at least one Lower case Alphabet
Following is the code snippet of this issue :

The main reason I have created this issue is that the password option in any interface is provided to ensure minimum security for the application user. Since Pi-hole accepts any kind of password (like a 1-character password), I feel it is not advisable, and in no way does it become a secure and user-friendly application.
I can create a pull request if my suggestion or idea is approved by you!
Kindly go through the details and advise/approve accordingly.
Thanks
**(Optional) Debug token generated by `pihole -d`:**
`<token>`
_This template was created based on the work of [`udemy-dl`](https://github.com/nishad/udemy-dl/blob/master/LICENSE)._
This is a link for the already created topic for feature request!
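
The check proposed in the issue above, written as a standalone shell function. This is an added example, not part of the original posts and not Pi-hole's code; `check_password` and `explain_result` are hypothetical names. It uses POSIX character classes in place of the `[A-Z]`/`[a-z]` ranges, because range matching depends on the locale's collation order.

```shell
# Added example, not Pi-hole code. check_password and explain_result are
# hypothetical names; 6 is the minimum length proposed in the issue.
# Return codes: 0 ok, 1 too short, 2 no digit, 3 no upper, 4 no lower.
check_password() {
    pw=$1
    min_len=${2:-6}

    [ "${#pw}" -ge "$min_len" ] || return 1
    # Character classes instead of [A-Z]/[a-z]: range matching follows the
    # locale's collation, so [a-z] can match upper-case letters in some
    # locales and a password like "ABCDEF1" could slip through.
    case $pw in *[[:digit:]]*) ;; *) return 2 ;; esac
    case $pw in *[[:upper:]]*) ;; *) return 3 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 4 ;; esac
    return 0
}

explain_result() {
    case $1 in
        0) echo "accepted" ;;
        1) echo "rejected: too short" ;;
        2) echo "rejected: no digit" ;;
        3) echo "rejected: no upper-case letter" ;;
        4) echo "rejected: no lower-case letter" ;;
        *) echo "unknown result" ;;
    esac
}

# Constructed sample inputs, including the blank and 1-character cases
# from the report.
for candidate in "" "a" "abcdef" "abcdef1" "ABCDEF1" "Abcde1"; do
    rc=0
    check_password "$candidate" || rc=$?
    printf '%-10s %s\n' "\"$candidate\"" "$(explain_result "$rc")"
done
```

The distinct return codes let the caller tell the user which rule failed instead of printing a single generic rejection.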