It seems the newer routers (such as the Hap AC3 and AX3) are coming with random passwords out of the box. I would like to start a request that this be removed as it is not a feature and that the default admin password be set to either admin or blank as it used to be.
As it stands right now, it is impossible to mass configure end-user customer router devices and join them to our management system with any amount of speed, as someone needs to manually open up the little tab, get the password which is a scramble of letters and numbers, and then manually log into the router.
Further, if the end user manages to scratch or destroy that tab somehow we have no record of the original password for the device.
I agree. This is a product SKU for professionals. This is going to be a huge pain. We don’t need a nanny. Let us manage our own passwords. Blank passwords don’t hurt the internet, people do.
It’s an EU requirement AFAIK. Not sure it’s required in the US, but perhaps it is in export regs, dunno. So in fairness, their hand may have been forced here. I’m still trying to unwind how this works myself on a couple of test hAP ax3s we got.
But there is NOT a word of documentation about any of this.
We normally apply a default configuration using the Branding Kit package, so it is very unclear how that is going to work here. The /system/default-configuration shown does NOT seem to set the Wi-Fi password in code, but clearly it gets set someplace. And doing a /system/reset-configuration also seems to restore the admin and Wi-Fi password from the sticker, so they are somewhat sticky. For me, if the branding kit at least works with this scheme, it might be workable.
Haven’t tried a netinstall, but I guess that should clear these passwords. Forever? I dunno. There are no docs. So right now it is unclear what process folks should use to deal with this change.
Anyway, some documentation on how this works would be VERY helpful, since I’d imagine it will be a recurring thing that new devices will come with random passwords.
So you are saying that someone has to look the password up so they can log into the router to set it up, but they aren’t recording it in a database (or ansible vault) that is part of your management system? That is what I would do.
The problem with that argument is that there are a lot of bad people on the internet. I agree that it will be a pain to automate, but an infected/compromised router does not only affect the home user; it makes a very powerful bot and it can be a powerful member of a DDoS. And even if only the LAN side has access to the management interface, an infected PC can easily carry out a brute force attack on a router.
These are being sold into the home/prosumer market.
What do you propose as an alternative that will encourage the use of a non-trivial password? What percentage of home routers that force the user to set a password in the initial setup have a password in the “top 100 worst passwords” list? (And that doesn’t even include the nil password.)
Even “professionals” are quite lax when it comes to passwords. How do you propose that the problems described in https://routersecurity.org/RouterNews.php be avoided?
I remember as a kid (around 1966) that our car had seatbelts but I think they were only in the front seat, but there was no law requiring the use of seatbelts or any fines for not using them. There was no law enforcement requiring the use of seat belts until ~1985 (New Hampshire in the USA is the only state that still does not require adults to wear seat belts while operating a vehicle on a public highway), and after there were fines for non-compliance, then there was higher seat belt usage.
If these still had a piezo buzzer, one thing that could be done to make it more obvious that something was trying to brute force the router from the inside (rogue IoT device?) would be to have the router play a distinct sound on login failure, and another on successful login (and these should be configurable on/off by the user). @rextended could probably write a script to do it.
But this is a serious question, how do you propose to harden the router by default? I see that others have noted that it may be a requirement in the EU, I won’t be surprised if it becomes a requirement in the USA as well for routers that are targeted towards consumers.
I don’t see all these problems…
For the mass configuration the password is completely ignored, since I have to pick up the device anyway to connect it to the ethernet cable,
and when I’m there, holding down reset takes a moment, and with the branding package I can set the default password that I like…
(I wrote default, not the one used when the device is “left to itself” in operation).
And if you lose the default password (of the device), who cares, the device is already yours and if it has the branding, in case of reset it puts back the one already known.
As far as private individuals are concerned, it’s not a tragedy, it doesn’t change anything…
It doesn’t take much for a private individual to manage and save a few passwords…
I see a huge increase in security, indeed if it were up to me I would prevent using empty passwords, at least with “standard” users such as admin, root, superuser & co.
Not saying the “admin” / no password thing shouldn’t have been improved. This change is going to affect a LOT of people’s workflow/processes/training/etc. While perhaps solvable with netinstall, even that will only be clear with testing, since there are no other docs on what should/shouldn’t happen with this built-in password in which cases.
While the ship has already sailed, these “stickers” seem like a backwards-looking way to solve the “no password” problem. If you look at Starlink, you plug in the cables, it has an open Wi-Fi, and it asks for a password to be set. There is no “sticker”, but there is certainly “no password”. And I don’t think they’re stopping Starlink sales in the EU because of that.
I guess I would have preferred an actual forced password change before allowing any configuration. Instead, this “sticker” approach is going to be annoying for all concerned, e.g. an end user who cannot find it, or then may not be able to read it, and an ISP/OEM who now has to track this & develop new processes around it.
You don’t harden the router by default. You let the person installing it harden it. If they fail, it’s their problem. For example, access from the WAN can be disabled by default and only accessible via LAN, that’s a good start. From there, if your router gets hacked because you used password ‘admin’, that’s your problem.
Correct, this is what should have happened… you log in and it asks you to set a password the first time… that can be automated to set our default user-router password then, or whatever the end user wanted to use. As it stands right now, this has suddenly become a show stopper for us to continue to deploy these products.
Indeed. But not on the consumer market. If devices are sold on the consumer market, they should come hardened from the factory. Recently we’ve had a user who never changed any configuration because his RB worked as he wanted simply by plugging it in.
And yes, low prices of MT devices are attracting non-knowledgeable consumers. The prosumer or professional gear comes with higher prices and thus people without any knowledge (a.k.a. dummies) tend to stay away from those devices.
Again, if a device is sold on the consumer market, it should be assumed that LAN devices are (mis)managed to the same level. Much malware running on a client PC will try to infect routers it can find. And mismanaged routers are then easy targets, especially so if the admin password is weak.
Why?
As I have already written, I must unpack the device and plug it into the ethernet cable; what does it take to hold down reset?
I don’t care what password it has.
At this point I’m wondering how you do mass configure… Do you enter them one by one, without password, etc., or do you just netinstall them all with the default script…
Push and hold reset also uses the “sticker” password. But correct, a longer press gets you waiting for netinstall. @rextended deduced in another thread that netinstall may be built into RouterOS at some point, so the process for that may become easier. And the Linux versions of netinstall are a much improved way of doing netinstall even today.
This may be a different method than you’re using, but I’m pretty sure the combo of netinstall and a branding kit applying a new default config file would likely work around this. I need to test this myself as a result of this change, so not 100% sure. But if you look at /system/default-configuration/script, they do seem to have variables for both the Wi-Fi password ($defconfWifiPassword) and the “admin” password ($defconfPassword) as inputs to the /system/default-configuration script, e.g.:
/interface wifiwave2 {
    # $defconfWifiPassword carries the per-device (sticker) Wi-Fi passphrase into the default configuration
    set $ifcId security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=$defconfWifiPassword
}
Maybe they're available to netinstall configure script, without the branding package, dunno. Or does netinstall just wipe the sticker password with the disk, also dunno.
But it’s not that hard to cut-and-paste a modified default config into a branding package, and deploy both the branding NPK with a RouterOS NPK. In some ways netinstall offers some security benefits, since it does wipe (most of) the disk.
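To make the branding-kit approach described above concrete, here is an added example of a replacement default-configuration fragment (not from the thread or from MikroTik): it assumes the same $defconfPassword and $defconfWifiPassword variable names the stock script uses, and the two placeholder values are constructed for illustration.

```routeros
# Added example: default-configuration fragment for a branding package.
# It replaces the per-device sticker credentials with deployment-controlled
# bootstrap values so provisioning can proceed without reading the label.
# Both values below are placeholders; populate them from your own
# credential store before building the branding NPK.
:local defconfPassword "CHANGEME-bootstrap-admin"
:local defconfWifiPassword "CHANGEME-bootstrap-wifi"

# Set the admin password that the management system will use to join the
# device, then rotate it to a per-device secret during onboarding.
/user set admin password=$defconfPassword

# Apply the same WPA2/WPA3 settings the stock script uses, but with the
# branding-supplied passphrase instead of the sticker value.
/interface wifiwave2 set [find] security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=$defconfWifiPassword

# Keep management reachable only from the LAN side, as several posters note
# this is the minimum hardening a default config should carry.
/ip service set www,winbox,ssh address=192.168.88.0/24

/log info "defconf: bootstrap admin and Wi-Fi credentials applied from branding package"
```

A bootstrap value embedded in a branding NPK is readable by anyone who can open the package, so treat it as a first-contact credential only and record the per-device replacement in your management system during onboarding.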
These questions surprise me, it seemed to me that you were an expert in mass configuration…
I had misunderstood…
If you netinstall a device without the “Apply default config” flag (with -r on Linux), or using a “Configure script”, it never runs defconf,
so the password (on the sticker) and other things are never set…
How to retrieve the default password if the label is damaged?
Use netinstall with this custom script… try to guess where you can read the password…
# copies the default password into the system identity (abbreviated /system identity set)
/sys id set name=$defconfPassword