DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Remove silly admin password limits

20 Jun 2017 15:44 #1 by colin_e
The Vigor 130, and I assume other current DrayTek products, arbitrarily limits admin passwords in both length and complexity. Max password length is 23 characters, which is tiny by current standards. In addition, a large number of fairly innocuous special characters including underscore, hyphen (-), dollar ($), forward slash (/) etc. are not allowed.

This makes no sense.

In implementation terms any password entered should be stored in a fixed-length hashed+salted form only, so the length and makeup of the plaintext password have no reason to be limited.

In security terms, given the risks on the 'net these days, the last thing we need is to restrict networking equipment to low complexity (and therefore easier to attack) passwords.

This limitation needs to be sent back to the '80s where it belongs. Unlimited length (or at least 128 character) passwords please, and they should allow any character that's safe to type into a web password field.

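The point made in post #1 about fixed-length salted hashes, shown as an added example that is not part of the original post and not DrayTek's code. The PBKDF2 parameters, the function names and the sample passwords are assumptions; the 128-character cap is the figure asked for in the post.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for this sketch; not taken from any DrayTek firmware.
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16          # bytes of random salt per password
HASH_LEN = 32          # bytes of derived key, whatever the input length
MAX_LEN = 128          # generous cap, the figure asked for in the post


def _derive(password: str, salt: bytes) -> bytes:
    # Normalise so the same typed characters always give the same bytes.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS, dklen=HASH_LEN)


def make_record(password: str) -> bytes:
    """Return salt || derived key: always SALT_LEN + HASH_LEN bytes."""
    if not 1 <= len(password) <= MAX_LEN:
        raise ValueError("password length out of range")
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if len(password) > MAX_LEN:
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), stored)


# Constructed sample passwords, including characters the post says are rejected.
SAMPLES = ["short1", "under_score-and$/slash", "x" * 128, "pässwörd ✓ 日本語"]

if __name__ == "__main__":
    for pw in SAMPLES:
        rec = make_record(pw)
        print(len(pw), "chars ->", len(rec), "byte record, verifies:", verify(pw, rec))
```

Every record is 48 bytes regardless of the password's length or character set, so the stored form gives no reason to restrict either.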

27 Jun 2017 13:30 #2 by adrianh54
I can't see a need for more than 23 characters but agree all keyboard characters should be possible.

The other thing that is truly stupid... you can't change the username from "admin". The ability to have a random, user choice name increases security dramatically.
