Don't reject "weak" passwords during setup

mikesmith · April 19, 2025 at 2:10 AM

From here: https://github.com/LibreELEC/LibreELEC.tv/issues/8727

Describe the bug

During setup of a new libreelec installation, I enabled remote ssh access. I was informed of the default password, and the setup recommended that I change it from the default. Fine, that's a great idea! Unfortunately the password that I wanted to use was too "weak", and was rejected. The other two passwords that I tried were also considered too weak, and were rejected. So I left the password as the default ("libreelec").

Context

What's weaker than a weak password? A default password. In trying to encourage a more secure libreelec installation, this actually makes security worse, as it incentivizes users to just use the default password.

In setting a root password for libreelec, I don't have the convenience of a browser password manager, so I'm not going to use an autogenerated password. My plan was to set a commonly used home appliance password (since I'm behind a NAT, it's not a big deal), and then later on disable ssh password logins and install an ssh key.

I think this person describes the issue fairly succinctly. You can keep the current behaviour but it would be nice if there was a workaround for those who require it.

**chewitt** · April 19, 2025 at 7:58 AM

Over time we received more abuse from people demanding we require stronger passwords than people demaning the ability to set weaker passwords. So the current status quo is intentional and we have no plan to change that. Just skip ahead to the point where you've installed an SSH key and disabled passwords and the entire issue is moot.

mikesmith · April 20, 2025 at 1:19 AM

Understood, well I found a workaround.

Log into the LibreELEC machine and type:

cryptpw

Then enter the password. It will output a crypt script.

Then edit the Shadow password file and substitute what was generated.

Code

LibreELEC:/etc # vi /etc/shadow
systemd-timesync:*:::::::
systemd-network:*:::::::
dbus:*:::::::
root:[the password generated]::::::
nobody:*:::::::
system:*:::::::
avahi:*:::::::
LibreELEC:~ #

Save it and then before you logout, try logging in again with SSH and the new password and it should work.

Sorry you received any abuse, appreciate the work you do.