Complexity rules for BIOS password? Why? (Moved)

Matt_Hartley · November 20, 2023, 8:33pm

Moving a non-support topic to general.

ksimuk · November 10, 2023, 4:55pm

First time I see someone introduced complexity rules for BIOS password. Why framework thinks that I need “a symbol” or “a number” in the BIOS password? Framework could you please read decade old research and US/UK/EU governments recommendations on password complexity rules, and get rid of this in the next BIOS update.

flovo · November 10, 2023, 5:01pm

abittner · November 12, 2023, 11:10am

(screenshot, from the frame work 13 laptop AMD edition)

unfortunately this requirement also kind of broke my neck a little while ago when trying to reconstruct my forgotton bios password (other thread) too bad. i couldnt find any documentation about what these exact requirements were and I was completely oblivious and couldnt come up with any combination of my usual base password i tend to use for such situation and no variation i tried worked. meanwhile, i have reset the bios password with special help from f.w. support help that was not documented (yet?) and now I have set a bios password again and i am kind of sure by now that i actually have now the very same password variation that i couldnt come up with to begin with when trying to access the bios back then when following those rules of complexity given.

kirelagin · November 19, 2023, 1:04pm

The bios complexity rules are super annoying, but what completely got me is that TEN character limit. This is a super weird limitation and I don’t really use any passwords that short…

This really needs to be the other way around: make the length limit sensible – like, 256, I don’t know, or, at least, something like 60 (the longest password I currently use is close to 50, but there needs to be some buffer for the future!) – and remove these complexity rules.

Framework is a U.S. company, so I’ll quote from NIST Digital Identity Guidelines (Section 5.1.1.2):

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.

Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret.

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

Ceremony · November 19, 2023, 1:52pm

This is the weirdest part: Why would anyone on any system impose a password limit? This makes no sense to me. Every time I encounter such a limitation, it makes me think the system is actually saving the pw as a plain string in a database or so. at least that would explain the stupid limit…

instead, a password should be hashed countless times (e.g. pbkdf2, argon2), making it really expensive to reconstruct a single password from the resulting hash (+salt). Plus it makes the character limitation a thing of the past, as the hashed and salted pw should always result in a string of identical length.

ksimuk · November 23, 2023, 6:59am

Yes, the 10 symbols limit is super bizarre, I think this is the limit of drawing stars in the control, they have space for 10 symbols, I’ve automatically typed my 20+ long password, not even realizing it was truncated. Framework, please fix both issues, no need for complexity rules or length limit (OK you can have the limit if you want but around 1024 symbols )

Matthew_Quarisa · November 23, 2023, 9:29am

What annoys me even more is the other day I got a message saying my BIOS password has expired and needs to be changed.

Is there a setting I have missed to disable this?

bits · November 27, 2023, 11:31pm

Just hit this issue myself and am frustrated to say the least. It’s like the BIOS enforces poor security. Frequent password changes make passwords easy to forget and there’s no passoword manager autofill in the BIOS, so I guess I’ll just write the password on a piece of paper. Not to mention the flawed complexity rules and length limit already mentioned above. And to top it all off, the BIOS remembers historical passwords for who knows how far back, so not only can you not reuse a password you’ve ever used before, you also have a nice password list saved in the flash for anyone skilled enough to extract and (hopefully) crack (hopefully because, with the length limit, it could also just be plaintext).

All this nonsense is making me reluctant to even set a BIOS password because of all the hoops I have to jump through. Is that the goal here?

Ansley_Barnes · November 28, 2023, 1:33am

The password history is the worst. I set up the machine, had a couple of issues, within an hour I’d reset BIOS to defaults. Tried to set the same password again, no dice. Super mad about that. If you’re going to enforce a 10 character limit you don’t get to enforce password history.

0xc0ffee · November 28, 2023, 11:16am

My understanding is that Framework has not developed the BIOS from scratch. Instead, it has been licenced (?) and adapted - feel free to correct me if wrong. Perhaps this came with the base version and they haven’t made changes to the password policy as not a major priority.

Regardless, the whole password situation is utter nonsense and should ultimately be addressed, hopefully soon.

Adrian_Joachim · November 28, 2023, 12:42pm

This does seem like a low effort/high impact kind of issue so i hope they get that into the next bios release.

kirelagin · November 30, 2023, 2:01pm

Oh my god. Hasn’t happened to me yet, but this is absolutely insane.

I’ll quote from the NIST Guidelines again:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

I think you are right, and my understanding is that they actually licensed the source code, so they are able to make any changes they want.

Fingers crossed. I hope they understand that it is actually a high impact issue. Once the passwords start expiring for everyone, people start adding some random bs and then forgetting them…

MJ1 · November 30, 2023, 2:51pm

Does it say InsydeH2O or Insyde at the top of your BIOS screen?
Last I read, the BIOS firmware is licensed from Insyde Software - Wikipedia. I don’t know if it’s different on newer boards.

~edit~
Looks like the 13th gen intel and AMD boards are still using Insyde.
https://nitter.net/insydesw/status/1639393614148296705

Insyde Software @insydesw Mar 24

Congratulations to @FrameworkPuter for their exciting launch event yesterday, including the unveiling of the latest InsydeH2O-powered Framework 13 laptops featuring the AMD Ryzen 7000 series and 13th Gen Intel Core CPUs!

Matthew_Quarisa · December 1, 2023, 3:21am

YES

2023-12-01 14_20_43-bE3T9C.gif (480×270)

But seriously, never have more truer words been spoken/typed/copied&pasted.

jhoff80 · December 3, 2023, 2:13am

Agreed, this is absolutely ridiculous and bad practice. Combined with the 10 character max length this stuff is ass-backwards.