@yuxin.zou and @alzhao, can you please add something like this to prevent brute force attacks on the main admin panel and LuCI?
Can you consider doing this?
The topic was discussed already multiple times:
Since LuCI is a 3rd party plugin, the LuCI devs must come up with a protection. And they don't want to.
So my advice: disable LuCI if you feel like it might get exploited.
It's not about LuCI…
It is about web server basic auth. Even before the web page is loaded.
Read the link carefully please.
It should set up something like this ABOVE LuCI AND the GL panel:
This feature is ALREADY built into NGINX, so the devs just have to add a GUI to activate it.
After this is successfully authenticated, the LuCI or GL login page will appear.
Here is more information
But why should you need it? I mean, I can understand why you want to have it, but don't you think that most people don't care about it? And it will break the GL App, of course.
So all in all, you can add it yourself if you need it.
An open system comes with endless possibilities.
How? And why? Isn't it API based?
Added. But it seems to be a little buggy. It should be configured more carefully. Better to have a toggle.
And how do you think the API talks to the web interface?
Of course we can now think about some advanced nginx configuration where the API isn't protected by basic auth, etc. etc., but yeah... I doubt it's useful for most people.
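For readers who want to try what the two previous posts describe (basic auth in front of both login pages, with the API the GL app talks to left out of it), here is an added nginx example. It is not GL.iNet's shipped configuration: the listen ports, certificate and htpasswd paths, the API path `/rpc` and the upstream address are assumptions and have to be adapted to the firmware's real nginx layout. It also forces HTTPS first, because a Basic Auth header is only base64-encoded in transit and TLS is what actually protects the password.

```nginx
# Added example, not GL.iNet's own config. All paths/ports below are assumed.

# 1. Plain HTTP does nothing but redirect. Basic Auth credentials travel
#    base64-encoded, not encrypted, so never accept them over port 80.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate     /etc/nginx/nginx.cer;   # assumed path
    ssl_certificate_key /etc/nginx/nginx.key;   # assumed path

    # 2. Basic Auth for the whole virtual host: the browser prompt appears
    #    before either the GL panel or the LuCI login page is served.
    #    The user file holds one "user:hash" line per account. Create it with
    #    a strong hash (e.g. `htpasswd -B` or `openssl passwd -6`), keep it
    #    root-owned and unreadable by others, and do not reuse the router's
    #    own admin password in it.
    auth_basic           "Router admin";
    auth_basic_user_file /etc/nginx/htpasswd;   # assumed path, mode 0640

    # 3. The GL.iNet app and the panel's JSON-RPC client cannot answer a
    #    Basic Auth challenge, so the API path (assumed here to be /rpc) is
    #    exempted. It is still covered by the panel's own login; everything
    #    else, including LuCI below, inherits the server-level auth_basic.
    location /rpc {
        auth_basic off;
        # the firmware's existing handler directives for the API go here
        proxy_pass http://127.0.0.1:8080;        # assumed upstream
    }

    # 4. LuCI's default entry point. No auth_basic directive here, so the
    #    server-level challenge applies before the LuCI login form is shown.
    location /cgi-bin/luci {
        # the firmware's existing LuCI handler directives (uwsgi/fastcgi) stay here
    }
}
```

Run `nginx -t` before reloading: a mistake in this file locks you out of the web UI, which on a router usually means SSH (or a factory reset) to recover.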
Yes, very easy to do! The GLINET uses the Linux passwd/shadow to log in, and LuCI uses the same files in addition to one additional file. Once you add a new Linux account you can log in using another account🤓
Hmm, I've some doubts on the security aspects of this.
I know this type of auth dialog is a very old way of authenticating, back in the days of Apache; of course this is about NGINX.
But when I read a little bit further, I think it does not encrypt it. The Apache docs state it as an HTTP window; on Stack Overflow I read people can use HTTPS, but nothing points to that there. I use Apache as an example because I think they had it first; on nginx I only read that it rewrites the URL to HTTPS, but for sending this is out of the window, the dialogue does this differently.
Then I look into the encryption: MD5, SHA-256 and SHA-512. The first one is for sure a no-go, the other two make me meh, and I think it does that only on the htpasswd file, not inside the packets in transit... The last two aren't super bad encryptions, but certificates as seen in HTTPS are a much better way; key cryptography is a lot better in general.
It would be better to have 2FA, though on the OpenWrt side of things there is an attempt to add 2FA to OpenWrt, here.
Though, my final thought is to avoid having the web interface visible at all if it was for a setting like access from WAN, simply because LuCI can still have API calls or exploits; I've used a few so I could flash OpenWrt on my AX6S (ancient firmware).
I think I misunderstood you from the topic's title! If you mean by "second password" a 2FA, then ignore my answer totally!