Ask Slashdot: Advice On Building a Firewall With VPN Capabilities?
An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PCs, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head: 1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution? 2. Software- versus hardware-based encryption: pros and cons? 3. What are minimum requirements to run a VPN? 4. Which OS to go for? 5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."
geek or not (Score:5, Informative)
This will let you connect to vpns and such http://www.buffalotech.com/products/wireless
or for a more geek solution https://www.pfsense.org/
Re:geek or not ~ pfSense (Score:5, Informative)
I love me some pfSense. We use it at the office and it handles everything we can throw at it (including VPN/IPSec between offices to backfeed high bandwidth security video). It is also light weight enough to work in a home environment on minimal hardware.
Their hardware is both overpriced and well-made. For our small branch offices their embedded devices (such as https://store.pfsense.org/VK-T... [pfsense.org]) are better than what we could create on our own in low volume and a lot less work. For larger branch offices we will stick pfSense in virtual machine with whatever else they have running. It does well as a VM, too.
Cheers,
Matt
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This indeed. I have pfSense running on one of these [amazon.com] with a 60 Gig SSD drive. If it wasn't for the cat trying to hide behind it I wouldn't even know it was there and running.
The above is a rather nice little box. At half this price I would buy two.
I was going to reply to the original poster that if he had to ask he could not get there from here. The above system has the critical two Gig-E network ports. He would have to install and learn how to administer a Linux system or install a pile of odd things on top of an IMO fragile WindowZ OS. Full blown Win-Server software that can get the job done costs more than the hardware. The best bet is to run the router that the ISP gives yo
Re: (Score:2)
Full blown Win-Server software that can get the job done costs more than the hardware.
No, not really. Windows has the easiest internet-sharing and VPN configuration wizard you'll find. And it's not half bad, but...
The above is a rather nice little box. At half this price I would buy two.
I have an equivalent box. Instead of pfSense (which, besides the GUI and the easy VLAN setup, is a crappy system for everything else), I run FreeBSD 9.2. And I use it every day to tunnel into my Windows machines with RDP via SSH :)
Re: (Score:2)
Full blown Win-Server software that can get the job done costs more than the hardware.
No, not really. Windows has the easiest internet-sharing and VPN configuration wizard you'll find. And it's not half bad, but...
The above is a rather nice little box. At half this price I would buy two.
I have an equivalent box. Instead of pfSense (which, besides the GUI and the easy VLAN setup, is a crappy system for everything else), I run FreeBSD 9.2. And I use it every day to tunnel into my Windows machines with RDP via SSH :)
One caution is that Windows is not as secure an OS perhaps because there is a rich set of stuff that is darn hard to replace or eliminate. A FreeBSD or Linux based firewall+VPN system can be pruned to an astoundingly short list of services and binaries. I say this but most Linux system owners do not do this.... but it is better facilitated if you want to do it.
You open up a good context to make the point that a user should use what they know best. If the poster knows how to manage one system and not the oth
Re: (Score:2)
One caution is that Windows is not as secure an OS perhaps because there is a rich set of stuff that is darn hard to replace or eliminate.
I haven't seen one single landline direct connection to the internet since the dialup/ADSL days. Most consumers will have a router. The only exception is 3G/4G adapters, but the topic is about firewalling. And unless you're running a DPI appliance to check for binary malware, you're getting those in your Windows machines anyway.
A FreeBSD or Linux based firewall+VPN system can be pruned to an astoundingly short list of services and binaries
As can Windows. And you can also take the easy approach of just closing any external port besides the VPN, leaving only potential attacks on the TCP stack and the VPN layer. I actual
Re: (Score:2)
Yup, pfSense is Good Stuff. On the hardware side it'll run on damn near anything. I run mine on an old Celeron machine with traffic shaping, no issues. I don't know that I'd want more than one or two simultaneous VPN users with that compute capacity, though.
Re: (Score:2)
or smoothwall or moonwall.
Re: geek or not ~ pfSense (Score:2)
Actually I would recommend m0n0wall. This is what pfSense is built upon, but without the kitchen sink it's even lighter. And m0n0 does everything he asks excellently.
Re: (Score:2)
pfSense works well but Untangle is also worth mentioning (http://www.untangle.com/). It has all sorts of pluggable modules like VPN client/server, ad blocking, intrusion detection, etc. I've been using it for a few years on modest hardware (Intel Atom with 4G of RAM and a 1TB green disk) and it's always worked flawlessly.
Re:geek or not ~ pfSense (Score:5, Funny)
AskSlashdot is a joke. I mean all you get are jokes, or whatever comes up first in a basic Google search.
We are the Google algorithm...
Re: (Score:2)
well played sir!
Re: (Score:2)
+1 pfsense (Score:2)
pfsense is rock solid.
even on shitty hardware, you can do a LOT with pfsense.
the turnkey boxes from their store are pretty neat too.
Re: (Score:2)
I've had miserable experience with Buffalotech reliability, and would recommend Asus and the RT-AC-66U in a heartbeat. The custom firmware adds a lot of nice functionality including OpenVPN with GUI.
For non-paranoid, non-geeks, avoid OpenVPN in my book.
Re: (Score:2)
Re: (Score:2)
I'm fairly certain my pfSense box has no video card in it at all to generate heat. It also has 6 ethernet interfaces, all in a nice mini-itx package.
pfSense is a winner (Score:2)
I have pfSense running on a Soekris net6501 for my home network firewall. I have set up OpenVPN - configuration took only a few minutes and it has worked perfectly.
The Soekris Net6501 is more than sufficient for my needs but pfSense scales well and will run on many types of hardware. When I was testing it I ran pfSense as a VM without any problems - in retrospect I should have left it that way permanently.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Personally, I went with a full blown CentOS with Shorewall / OpenVPN on top, but it was definitely not the easiest thing to setup. Next time around I'm strongly considering a firewall distro.
Tinkering not required for simples cases (Score:2)
I agree. If you don't mind tinkering, pfSense is the way to go
I agree that pfSense is a great solution but I disagree about the tinkering . pfSense fits well in the mantra of "simple things can be done simply but complex things are possible". It needs little tinkering if you have a reasonably standard setup - say an internet connection plus a local network. It has decent defaults.
If you have a more complex setup (I have a LAN interface, a DMZ, a guest network, and a VPN interface as well as several additional software packages) then some tinkering will be needed.
Re: (Score:2)
An old CPU that has to manage two usb ethernet devices on a single usb port? That'll be great performance. It will totally handle VPN and torrenting.
Linux or not (Re:geek or not) (Score:2)
Dare I raise the suspicion that the underlying Linux is to blame? pfSense [pfsense.org], in contrast, is based on FreeBSD and is, as mentioned by numerous people here, quite usable even on old Celerons...
Re: (Score:2)
It's probably more to do with the CPU in the Raspberry Pi being a very old ARM architecture and only a single USB port that needs to handle multiple ethernet devices, with the underpowered CPU running both ethernet -> USB drivers.
Re: (Score:2)
Re: (Score:2)
Apparently it does work well as a media player running xbmc. It actually has a half decent GPU with hardware 1080p h264 decoding. Doesn't really do much else well though.
Why VPN? (Score:1)
Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.
As for software, one of:
- Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
- pfSense if you’ve got a decent box and want bells and/or
Re: (Score:2)
One big reason is to avoid all the "cloudy" ways to allow remote access to things like cameras, storage, security. Another incentive might be to route all (say) netflix traffic to a VPN so that it doesn't get throttled by your ISP.
Re: (Score:2)
Another incentive might be to route all (say) netflix traffic to a VPN so that it doesn't get throttled by your ISP.
Or routes out through a country that doesn't have shit for selection.
Re: (Score:2)
Do you regularly remote in to your home network? Do you connect out to a server somewhere?
Have you ever met anyone considering a VPN who does neither? But anyway, there are many other good reasons for using a VPN.
Re: (Score:2)
Have you ever met anyone considering a VPN who does neither?
Honestly, some people will hear these kind of terms referenced a lot in relation to security and decide they should have them without any understanding of what they actually provide (beyond security of course, which is what they want!).
Re: (Score:2)
Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.
As for software, one of:
- Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
- pfSense if you’ve got a decent box and want bells and/or whistles
- m0n0wall if you want something light but functional
You might also want to consider routerboard, it’s cool shit and reasonably priced.
I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years. The most important part is hardening the kernel, stripping out unneeded software and having a sane set of IPTables rules. Works like a champ!
Re: (Score:2)
> I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years.
--Dude, how high is your electric bill? o_O
--If you hook up a kill-a-watt to that beast, you might want to consider replacing that ancient machine with something like a Raspberry Pi / Cubietruck / Atom box - it will likely pay for itself within a year due to the power savings...
TS-836A Plug Power Meter = ~$16 on Amazon
Re: (Score:2)
> I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years.
--Dude, how high is your electric bill? o_O
--If you hook up a kill-a-watt to that beast, you might want to consider replacing that ancient machine with something like a Raspberry Pi / Cubietruck / Atom box - it will likely pay for itself within a year due to the power savings...
TS-836A Plug Power Meter = ~$16 on Amazon
Just to clarify, it's actually a Pentium Pro-200, not a PIII-100.
My electric bill is between me and the electric company. Thanks for your concern, though.
That said, I appreciate the suggestion, but my bill is already a bit lower since I got rid of the Dell PowerEdge 6400 [dell.com] I was running for many years. What is more, when it's hot in the summer, my AC unit uses more power than all the other electric devices in my house. If I was really concerned, I'd sweat more. :)
Compared to the AC and the other systems I ru
Re: (Score:2)
Except a PIII-100 did not exist. At 100MHz you would have been talking about a 486DX4 or a Pentium 100MHz machine. PIII ran from 450MHz-1.4GHz IIRC. However, if you are talking about bus speed, then yes, P3 did use a 100MHz-133MHz bus speed. However, when talking about a P3 (or even Pentium 1), a 200MB hard drive would have been tiny. When I bought my Pentium 166MHz machine it came with a (pricey) 4.3GB SCSI drive. I believe I even had a 500MB drive hooked up to my 386. And I sure did not have 96MB of RAM, more like 4MB. Those were the days, just not quite like how you remember them...
You're right. I was incorrect. It's a Pentium Pro-200, not a PIII-100. And it's not about *remembering*. It's right here, under my desk. Purchased new (Dell Dimension XPS) in 1995, IIRC.
$ cat cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 1
model name : Pentium Pro
stepping : 9
cpu MHz : 199.434
$ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 96964608 94928896 2035712 0 3387392 1329152
Re: (Score:2)
That's awesome! I think my 386 came with a really large 40MB drive and I wanted so badly get a CDROM until I found out you still needed drive space to run the games on them. I only remember because that was really when I started to get into computers on my own. I was quite a hardware geek back in those days. I bought that p166 back in 1996 I think, and it was a really expensive rig looking at hardware nowadays.
Yeah. The leaps in performance and capacity have been so huge. I remember back in the late 80s (before IDE/ATA) how awesome it was to get an 80MB (RLL format vs 40MB MFM) disk for my PC XT. Ahh, the joys of INT13 calls under DOS 3.3 :)
Re: (Score:2)
Yes, you've forgotten your fucking manners. No reason to be a doooooooosh.
I assume that's meant to be humor. If not, I'm guessing you didn't take your medication today. Oh, and it's spelled 'douche'. Have a wonderful day, my rude, spelling-challenged friend.
DD-wrt (Score:5, Insightful)
That was easy.
Re:DD-wrt (Score:5, Informative)
You realize that DD-WRT runs on far more hardware than the WRT-54x series of routers, right? In fact, I'm running it on a Netgear WNDR3700 V4 (a *far* more capable router than the WRT-54G). I'm barely using any of its features; however, its interface is far more responsive than the Netgear "genie" interface, and it no longer randomly resets its network connections.
In this case, I'd say a little *research* into a particular topic, before you comment, goes a long way... ;)
Re: (Score:2)
I'm pretty sure that I never mentioned anything about how old / new DD-WRT's software is. That said, the current version I'm running was released in June of this year.
You were saying?
OpenWRT (Score:1)
Get a router compatible with OpenWRT (Netgear WNDR3800 is a good choice) and install OpenVPN.
OpenWRT (Score:2)
Just as a heads up, I measured 18Mbps (that is 1.8MB/s) with my OpenWRT TP-Link WDR4300 (with AR9344 @ 560MHz). I don't think off-the-shelf routers have any OpenVPN support, so no HW encryption engines.
If you need higher speeds, forget off-the-shelf routers (at least for the VPN end-points).
What are you trying to do? (Score:5, Interesting)
A VPN? To connect to where, from where? Are you doing this for something to do, or because you want to implement the best solution? Do you just want better router software?
Install Tomato [tomatousb.org] or DD [dd-wrt.com] or OpenWRT [openwrt.org] or any one of their variants on your existing router.
Building your own in the name of security isn't going to work unless you really know what you're doing, which you said you don't in your summary. That sounds like a dick thing to say, but it's not. Security is difficult for people who know what they're doing; when people who don't try to DIY it, it's almost universally bad.
Re: (Score:2)
I can second going the Tomato route. I've used this for nearly 10 years now and have been very happy with the results. Heard good things about DD and OpenWRT, but haven't tried them myself.
New hardware capable of running Tomato can be had on Amazon for less than $50 and is very low in power consumption. Tomato is a small enough sandbox that you're less likely to screw up security, but has enough options and add-ons to do whatever you are likely to want to do with it. There is also an active community t
Re: (Score:2)
I've got an Asus RT-N16 with Shibby's mod of Tomato Firmware. OpenVPN is available in certain builds thereof and I've used it successfully, though it takes a bit of setting up (and trial & error in my case).
Re: (Score:3)
Exactly. "Firewall" is somewhat of an overused word at this point that can mean so many different things. And the capabilities of said firewall will vary highly from product to product.
A stateful firewall will keep track of all connections going through it. A good one can help detect malformed packets and drop those. It can also detect some fun attacks people use to fake initiating a TCP connection.
Beyond the basics of looking at port/ip/protocol data, you can start getting into more packet analysis to
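Added example, not any poster's code: a minimal stateful iptables ruleset for a Linux box acting as home firewall plus OpenVPN endpoint, following the "close every external port except the VPN" approach and the stateful points above (track connections, drop packets that fit no known connection, reject TCP that does not begin with SYN). Interface names, subnets and the UDP port are assumptions.

```shell
#!/bin/sh
# Assumed layout: eth0 faces the ISP, eth1 faces the LAN, tun0 is OpenVPN.
# Subnets and port are constructed values; override via environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"   # OpenVPN default, assumed UDP

# gen_rules prints an iptables-restore(8) ruleset to stdout.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: replies to our own connections come back in; packets that
# match no tracked connection (malformed, or TCP claiming to be mid-stream)
# are dropped before any port rule is consulted.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# A new TCP connection must start with a bare SYN.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# The only service reachable from the WAN is the VPN itself.
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
# Management and everything else only from the LAN or through the tunnel.
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
# Forwarding: LAN and VPN clients out to the WAN, VPN clients into the LAN.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i tun0 -s $VPN_NET -o $LAN_IF -j ACCEPT
-A FORWARD -i tun0 -s $VPN_NET -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# wan_open_ports lists the destination ports on which the ruleset accepts
# NEW connections arriving on the WAN interface: a quick self-check that
# nothing but the VPN port is exposed.
wan_open_ports() {
  gen_rules | grep -- "-A INPUT -i $WAN_IF" | grep -- "--dport" \
    | sed -n 's/.*--dport \([0-9]*\).*/\1/p'
}

case "${1:-}" in
  apply) gen_rules | iptables-restore ;;   # needs root; persist per your distro
  *)     gen_rules ;;                      # default: just print the ruleset
esac
```

Run it with no argument to review the generated rules, and with `apply` as root once you are satisfied; enable IPv4 forwarding separately (net.ipv4.ip_forward=1).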
Buy a Ubiquiti EdgeRouter Lite. (Score:4, Informative)
Buy a Ubiquiti EdgeRouter Lite.
IPFire (Score:1)
Re: (Score:2)
A straight linux server running openswan can connect to almost anything but it takes a bit of doing. I haven't used it in the last few years but it worked last time I tried. Multiple NICs are helpful and considering negligible cost (if you don't have a pile, I have a drawerful around somewhere) easy to justify.
Re: (Score:2)
IPTables and OpenVPN (Score:3)
I build these critters all the time. Our entire multioffice infrastructure is based on Debian-based routers with OpenVPN. OpenVPN is pretty simple to get running, and I use Webmin to build my iptables rules.
Re: (Score:2)
Do you use OpenVPN from iPhone/iPads in your environment? Can't stand the client I have from OpenVPN.com.
Re: (Score:2)
The client isn't great, but it does work. We have a few Android and iOS devices that use the apps, and it works once you get it configured.
Re: (Score:2)
Ironically, it is the licensing of openvpn (not that open) that makes the problem.
That's old school... (Score:2)
Get a better router? (Score:4, Informative)
Just have an extra page on the GUI to allow you to generate an OpenVPN cert and account privs. Pretty useful, as it means when I'm travelling I can just seamlessly add my phone to the home network.
I'd thought about buying something dedicated (well was more a NAS project, I thought I could add this to) - but unless you've got some complex needs or high volume - I strongly suspect I'd make more of a mess (both function and security) trying to set it up myself.
I don't think so - although never tried (Score:2)
http://event.asus.com/2012/nw/... [asus.com]
Mikrotik (Score:4, Informative)
Re: (Score:3)
I have deployed about 30 mikrotiks and I disagree with "feature rich, supported and easy to use"
feature-rich: so many features are half baked. Like openVPN only supports TCP for transport, so you end up running TCP on TCP, which is bad.
supported: the documentation is poor (although getting better now that they have a wiki), working examples are hard to come by since there are so many versions of RouterOS and each introduces different bugs and breaks different bits of functionality. The mikrotik people on th
Re: (Score:2)
Some of the issue is that there are so many things you can change, unless you're very knowledgeable you're not going to know what to do (or refrain from doing) in a bunch of areas. You can go down the path of "I have a recipe and I will follow it exactly!" and basically copy/paste commands while c
Software answer (Score:4, Insightful)
The hardware is easy:
Either get a router that you can add DD-WRT/tomato to or build your own PC.
Software answer:
OS = OpenBSD
VPN = OpenVPN
BUT you are not asking the right questions.
VPNs only work when 2 ends connect. So what VPN server/client will the other end of your connection use? What are you actually trying to do? Does your work have a fat connection that they will let you use? Are you planning on paying for VPN service from a 3rd party? Do you want to create a VPN between your home and your laptop while you travel?
If you want to build yourself a solid, dependable, 'solution' follow this guide:
http://www.bsdnow.tv/tutorials... [bsdnow.tv]
Consumer routers suck (Score:2)
Buy a good switch and a low power PC with some ram. Virtualize it all.
Smoothwall is a good choice, there are lots out there.
Makes it easy to do other things like IDS as well later.
eBay a Cisco ASA 5505 (Score:2)
Get a small premade solution and skip the DIY thing. It's minimal power and unless you happen to like pain and suffering, a simple SSL VPN with a decent Web UI is much nicer than spending half your life building one.
Re: (Score:2)
I love our work ASA5505, but it is a bear to configure properly unless you know what you are doing. High point with me is the ease of connecting on the client end.
Re: (Score:2)
Got to agree. We use a cyberoam appliance and ssl VPN. Does all firewall and av duties as well as VPN.
pfense (Score:2)
Zyxel Zywall USG line (Score:2)
Since your question was not clear as to whether you wanted to connect to a vpn for outgoing traffic encryption, or to provide secure access to your home network, I will assume that you want both. I've got a zyxel usg50 at home and a usg100 at my office and they have been able to handle everything I have thrown at them. http://www.amazon.com/dp/B0042... [amazon.com]. I was also pleased that when the whole Heartbleed fiasco appeared, the zywall firmware was not vulnerable at all. Dual WAN connections are supported whi
Re: (Score:2)
A few options (Score:2)
There are a few affordable solutions out there. Here are 3 options with support for IPSec, OpenVPN and PPTP.
1. Ubiquiti Edge Router. The Lite model retails around $99. The GUI is intuitive and easy to use. The latest update makes setting up site-to-site IPSec tunnels pretty simple. Don't like the GUI? No problem. It has SSH and serial support and is based on the excellent Vyatta fork VyOS.
2. Mikrotik, I recommend the RB2011 series as they have 10 ports ( 5GigE and 5 FastE ), plus the $129 model has wifi and
Vyatta (Score:3)
Just download and install VyOS (fork of Vyatta) if you're building your own firewall.
http://vyos.net/wiki/Main_Page [vyos.net]
+1 for parent Re:Vyatta (Score:2)
Just download and install VyOS (fork of Vyatta) if you're building your own firewall.
http://vyos.net/wiki/Main_Page [vyos.net]
Re: (Score:2)
Or, buy a box that already runs vyatta. The Ubiquiti EdgeRouter
http://www.ubnt.com/edgemax/ed... [ubnt.com]
At less than $100, with built-in switching, embedded Linux and apt-get support, you can't go wrong.
http://www.newegg.com/Product/... [newegg.com]
Oh, and it's quiet. (No fans)
And wait, there's more! Their $175 version, the Edgemax Pro, has 5 ports and 24/48V PoE. (You'll need to buy a third party power brick for 48V PoE, but it's worth it)
hmmm (Score:2)
somehow i think he is just trying to hide behind a VPN to do some "torrenting"
Re: (Score:2)
somehow i think he is just trying to hide behind a VPN to do some "torrenting"
So... what's he really doing behind the VPN if he's not torrenting?
*cough* [purdue.edu]
Cisco Rv042 (Score:2)
Hands down the most reliable and easy to use dual WAN, VPN enabled router for quick deployments: silent, low power consumption, handles PPTP, IPsec, etc...
I am no fan of their QuickVPN software (a third VPN option included with this router), but it works as well if you don't like PPTP or if you find IPsec too much of a pain to set up.
Plus it has DUAL WAN connections, so you can use a hotspot or DSL, or the neighbor's connection as a failover (or you can load balance them, or bind stuff, etc...).
Im blown away n
Cisco ASA (Score:2)
Smoothwall (Score:2)
Sophos UTM - Turn Key - Free for Home Use (Score:2)
By far the best solution I've come across. It's an enterprise-class product you can use at home for free. All you need is a PC with a couple of NICs. I use a cheap fanless dual core 2GHz Atom machine with a couple gig of RAM. It's a turnkey solution with a lot of options.
It has all the whiz-bang VPN and firewall features you'd want. Plus a bunch of intrusion detection, malware and virus features. Really the feature list is huge. The only limit is the home edition is limited to 50 active devices.
Out of the question (Score:2)
sophos utm (Score:2)
Untangle? (Score:2)
What do you think about Untangle? (untangle.com) You can buy appliance version of it too.
Options (Score:2)
Hardware:
Software:
O'Reilly to the Rescue (Score:2)
Why a full PC? (Score:2)
Why not get just a router (I've been contemplating a Netgear WNDR-4300) and load it with OpenWRT or even DD-WRT?
If OP wanted to do video transcoding/HTPC duties I could see the use for a full PC, but otherwise it is just a nuisance compared to a small, efficient, embedded system.
The main advantage of OpenWRT over $OTHER is its packaging system and ability to install updates without reflashing. It has good documentation and a great community too.
Re: (Score:2)
Re: (Score:2)
I too liked the look of Untangle, but I couldn't bring myself to use it after I discovered a probably-never-happens-in-real-life bug that causes emails to be dropped without a trace. I'd always be wondering...
Re: (Score:2)
Probably not an issue for 99.99% of the population, but last time I checked, Untangle does not support IPv6 and has no plans on doing so. Also, most of the interesting modules require a monthly subscription. I ran Untangle as a VM on a vSphere 5 hypervisor for a couple of years and it did the job OK. However, it is a CPU and memory hog, which is surprising for a firewall/security appliance. And probably the most annoying is the horrible user interface. They tried to make it look like a rack which
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This. I have one at home, and install them for clients who need to replace SonicWalls and the like. Very hackable, very stable, very fast.
Re: (Score:2)
I've been using it since it was a German company called Astaro. Good stuff.
Re: (Score:2)
I'll second this - currently running OpenWRT flashed on to a TP-Link WDR-4300. It replaced a very old beige-box PC running IPCop and has been doing very well for the past year.
Re: (Score:2)
A "Full Computer" isn't what it used to be. We like this kind of thing [logicsupply.com].
Re: (Score:2)
The only reason my 15 year old m0n0wall setup was replaced recently was how hard it became to find modern DSL PPPoE modems in retail outlets, and the hard drive just stopped spinning. Still, 15 years out of one router (it was a VIA integrated CPU + MB with a few gig of RAM) is fairly good.
One downside I noticed recently is the silly change that makes the WAN (in my case DSL) password blank out once entered. I really don't see a point in that.