Hacker News

Easy passwords are better than default passwords.



True, but not when the easy password is 12345abc. :(


If there is an efficient brute force protection, 12345abc isn't that bad.

The problem is if you let people try as many passwords as they want.


They do have a 5 tries limit before a 10 minute lockout.


Isn't that asking for DOS?


sure, but then you know something's up, and you can go unplug it / investigate. better than allowing infinite attempts.


I think the modern consensus is that reasonable rate-limiting is a superior option. It doesn't allow for DOS, but still prevents brute-forcing attacks. You can even set things up such that too many attempts triggers a notification that something is probably wrong, but users can't be locked out of their own accounts.


"Allow 5 tries, then lock everyone out for 10 minutes" is a rate limiter. If you're talking about an arbitrarily complex one: either you're able to be locked out too, or a botnet allows near-arbitrary retries. A botnet of insecure cameras, perhaps.

It's all a tradeoff. But a smart rate limiter is complex, and rarely necessary when you can be expected to have physical access to the device. Plus, these things haven't even managed basic security, why should we expect them to implement a good rate limiter?
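The lockout-versus-rate-limiting tradeoff argued in the thread above, as an added example that is not part of the thread: a device-wide lockout ("5 tries, then everyone waits 10 minutes") beside a per-source exponential backoff, both run through one constructed scenario in which an attacker guesses once per second and the owner logs in a minute later (source names, timings and the alert threshold are assumptions).

```python
# Added example (not from the thread): two login-throttling policies side by side.
# A: device-wide lockout ("5 failures, then everyone waits 10 minutes").
# B: per-source exponential backoff; one source's failures never block another.
MAX_FAILS = 5
LOCKOUT_SECS = 600

class GlobalLockout:
    """A: one shared failure counter; five failures lock the login for everyone."""
    def __init__(self):
        self.fails, self.locked_until = 0, 0.0

    def attempt(self, source, ok, now):      # source is ignored by design here
        if now < self.locked_until:
            return "locked"                  # nobody, owner included, can log in
        if ok:
            self.fails = 0
            return "success"
        self.fails += 1
        if self.fails >= MAX_FAILS:
            self.fails, self.locked_until = 0, now + LOCKOUT_SECS
        return "denied"

class PerSourceBackoff:
    """B: failures tracked per source; the wait doubles after each failure."""
    def __init__(self, alert_after=4):
        self.state = {}                      # source -> (failures, earliest next try)
        self.alert_after = alert_after
        self.alerts = []                     # sources that crossed the alert threshold

    def attempt(self, source, ok, now):
        fails, next_allowed = self.state.get(source, (0, 0.0))
        if now < next_allowed:
            return "throttled"               # only this source waits
        if ok:
            self.state.pop(source, None)
            return "success"
        fails += 1
        self.state[source] = (fails, now + min(2 ** fails, LOCKOUT_SECS))
        if fails == self.alert_after:
            self.alerts.append(source)       # hook for the "something is wrong" notice
        return "denied"

def simulate(policy, horizon=60):
    """Constructed scenario: an attacker guesses once per second from t=0 and the
    owner logs in correctly at t=horizon. Returns (owner's result, guesses checked)."""
    checked = 0
    for t in range(horizon):
        if policy.attempt("attacker", False, t) == "denied":
            checked += 1
    return policy.attempt("owner", True, horizon), checked
```

Both policies let the attacker have only five real guesses in the first minute, but under policy A the owner is locked out along with the attacker, while under policy B the owner logs in normally and the attacker's source is flagged.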



