Hello All.

Since Mikrotik removed Winbox from Dude packages , and add the command in tools menu and copy file into dude folder. by mistake the Winbox.exe name was Winbox64.exe and I found big surprise.

YOU CAN SHOW ADMIN OR ANY USER PASSWORD STORED IN DUDE.

just add any wrong command using tools with ip + user + password.

then see below attached.


please Mikrotik there is some request.
use encryption for tools or any other password API request.
add winbox on dude setup folder and update it automatically from host machine.

Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrators tool, so do not give access to this tool to anyone who is not administrator. Windows has appropriate security features for that.

Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrators tool, so do not give access to this tool to anyone who is not administrator. Windows has appropriate security features for that.

Hello Normis.
Thanks for replay.

I have multiple admins and each on different password but same access level , this show password of Device in Dude not the user pass.

for example I use dudeuser/XXXX password for all routers and we put it one time when device added.
other users (admins) they are only for Dude server but they need access tools to ping Winbox ssh etc.




what I request to improve Dude
1-Encrypt any stored password.
2-Make user list (when we add new device or auto discovery) use specific user or from list just for devices. like SNMP profile.
3-add Winbox to dude tools.

Thanks

Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrators tool, so do not give access to this tool to anyone who is not administrator. Windows has appropriate security features for that.

Famous last words.

Even if the password would be encrypted, looks like we may have an issue if one of the administrators, which added one of the devices, will change their password.

In that case, we may consider to use a generic user for devices credentials.

If passwords would be encrypted, you still would have to give all your admins the decryption password. For all devices.
So you should maybe use a password manager app with different access levels for different people.