Some time ago, I went through, as I do on a semi-regular basis, and updated passwords on everything I could remember. I have tools for this. The tools are very good at making things random and hard to guess or hack. They let me specify the types of characters that should appear in them, and how long they should be, and all kinds of funny rules to consider.

This time, I decided to also update the passwords on my DSL modem at home. The maker is Actiontec, although ultimately that isn’t relevant. On the password screen, they accept any character, and entries of any length. Given that, I chose my 16-character mixed profile, which is pretty much the strongest one I generally use. A very few sites/apps accept longer ones, but not usually. The dialog accepted my new password, and saved it, and since I was also experiencing some port connection issues at the time, I decided to reset the modem. No problem, everything came right back up minutes later, and I was good to go.

I popped back onto the admin page for the modem, and was going to log in to verify that the memory usage was back down to nominal levels. What’s this? An error??? Let’s see here… “Your password cannot exceed 15 characters in length”. WHAT??? It let me enter 16 characters when it asked. How can the login screen only take 15? So then I think, ok… maybe it automatically chopped the final character off? Nope. Maybe it chopped the first character off? (Ok, I admit that’s kind of out of the realm of reality, but I’m getting desperate here)… Nope. After trying many different further combinations, including my old password, ALL CAPS, no caps, etc., I decided to do a little more poking around. Fire up the Firefox debugger, and look at the code evaluating on this page. Sure enough, there is a routine in the JavaScript there that is validating my input on that page, and checking to see that the input is <= 15 characters. Ugh.

So, I realize at this point that I could reset the modem back to factory defaults, and go ahead and reconfigure my custom settings. I have some specific port maps set up and this is generally a big pain in the butt, so I decide to try contacting their support first. Hit the webpage, leave a message with my email address, and await my reply. A few days later, they do so, indicating that the login page should be able to accept any password length that the password reset script would have allowed, and that I should check to make sure I’m typing correctly.

o.O
O.o

Really? Um, ok. That is like asking me if the power cord is plugged in. They indicate there is no “backdoor” and that I need to reset the modem to defaults in order to resolve, thank you for playing, we’re considering this issue resolved, and please don’t ask us any more of your stupid questions. kthxbye.

Alright, so now I get back in and try all the things I did before, thinking… ok, maybe they’re right, I just typed it wrong, and went through all the usual logical steps that I could have accidentally done things incorrectly, and I get the same result. As a last-ditch effort, I go in and check the code again, except this time, I’m going to try and play with the values. Once again in the debugger I enable a breakpoint in the JavaScript, and start stepping through the code, watching the values of several different variables I see defined to see how it manipulates things before it finally submits the form. This time, I leave off the final character (going back to a 15-character, allowed value), and step it past the check that was previously failing. It does some more manipulation of the username, password, the current IP address, etc., and then sets that big long string into a new variable just before submitting. So just before the exit, I go back into that variable, and add my character back, by hand, in the debugger console. Click “Run” and close my eyes a bit. Wait 5 seconds… open my eyes… I’m logged in!

Every once in a while, all the crap I went to school for actually comes in handy. No, not the most elegant hack, but it got the job done.
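
The mismatch described in the post, sketched as an added example (not part of the original post and not the modem's actual code): a change-password form and a login form with different length rules, next to a version where both call one shared policy. All names, the sample passwords, and the minimum length are assumptions made for illustration; only the 15-character limit comes from the post.

```javascript
// Constructed example: none of these names come from the modem's firmware.

// Mismatched rules, as the post describes them: the change-password form
// accepts any length, while the login form refuses more than 15 characters.
const mismatched = {
  canSet: (pw) => pw.length > 0,
  canLogin: (pw) => pw.length > 0 && pw.length <= 15,
};

// Hardened form: one frozen policy object is the single source of truth.
// maxLength is the limit from the post; minLength is an assumed value.
const POLICY = Object.freeze({ minLength: 8, maxLength: 15 });

function checkPassword(pw, policy = POLICY) {
  const n = Array.from(pw).length; // count code points, not UTF-16 units
  if (n < policy.minLength) return { ok: false, reason: `shorter than ${policy.minLength}` };
  if (n > policy.maxLength) return { ok: false, reason: `longer than ${policy.maxLength}` };
  return { ok: true, reason: null };
}

// Both forms call the same function. The device-side handlers should call it
// too, since a check that exists only in page script is a usability hint,
// not an enforced rule.
const consistent = {
  canSet: (pw) => checkPassword(pw).ok,
  canLogin: (pw) => checkPassword(pw).ok,
};

// Regression check: list sample passwords that can be saved but can never be
// used to log in again (the lockout the post ran into).
function findLockouts(forms, samples) {
  return samples.filter((pw) => forms.canSet(pw) && !forms.canLogin(pw));
}

// Constructed sample passwords of 5, 15, 16 and 64 characters.
const SAMPLES = ["short", "a".repeat(15), "b".repeat(16), "c".repeat(64)];

console.log("mismatched lockouts:", findLockouts(mismatched, SAMPLES).map((p) => p.length));
console.log("consistent lockouts:", findLockouts(consistent, SAMPLES).map((p) => p.length));
console.log("16 chars at set time:", checkPassword("b".repeat(16)).reason);
```

With the shared policy, the 16-character password is refused when it is being set, with a reason the user can act on, instead of being saved and then rejected at the next login.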
