Password anomaly with the WiFi

[TimO]

I managed to lock myself out of my DigiX on WiFi yesterday, and it's taken me a while to sort out why.

When the password (and presumably other strings, such as username) are passed to the software, it's Percent Encoded, as are all strings passed to web servers.  This results in most non-alphanumeric characters being encoded with a preceding percent symbol.  Generally this would be fine, but it looks like the sequence is not then unencoded, so you end up with a strange sequence in the middle of your password.

I had an "&" symbol in my password, and that was encoded as %26 (ie "abc&def" ends up as "abc%26def").  I ended up having to send an AT command to the module, with the WEBU command, so it returned the username and password, which was then clearly buggered up.

So, if you want to avoid this, stick to number and letters only, in password and username strings passed to the WiFi software via the web interface.  This is a bit contrary to the normal suggestions about passwords, but will make your life a lot easier!

[dougal]

For those who haven't already seen it, this xkcd comic illustrates that when it comes to passwords, length is a better protection factor than the mix of characters:

  http://xkcd.com/936/

Security systems that enforce policies like "You must include at least one capital letter, one numeral, and one special character, and the length must be between 8 and 12 characters" tick me off, because they are actually reducing the security keyspace.

So in this case, where we have a reason to avoid special characters, the best security advice is to just make your password really long, even if it's just several words in all lowercase.