In a last few years, MIkrotik's devices and ROS became more and more resistant to fools, from irritating mandatory password entry, to unnecessary default configurations and so on.
Before my question / plea, I will remind you only of the words of the man on whose back lies all this beauty around us, Linus Torvalds... he said: "If you think your users are idiots, only idiots will use it."
With that in mind, how about enabling us to boot the router as it used to be without a password, without configuration, WITHOUT ANYTHING.
Hide tzhis feture behind the two minute reset hold or something similar, just allow us that option
...or maybe it exists and I don't know???

greeting

Netinstall with option to use empty config.

As easier alternative to Netinstall, Flashfig can also be used (on first power up)

Hi guys,

I have to admit that I don't see how flashfig or netinstall can replace the "feature" I was talking about... but...O.K.

thanks

You're looking for a button press. I get it.

Ain't gonna happen.
ANYONE having physical access to the device can then simply press that button and goodbye network.
You want that ?
Didn't think so ...

So yes, if you think users are idiots, treat them like idiots. And make sure they can't simply break a network when doing idiot stuff. Done.

In a last few years, MIkrotik's devices and ROS became more and more resistant to fools, from irritating mandatory password entry, to unnecessary default configurations and so on.
"If you think your users are idiots, only idiots will use it."

I disagree with your premise as Mikrotik is making things more secure so that even the idiots are forced to practice some good network/router security. Perhaps you have forgotten about the 300,000 router botnets of recent past? Not even crappy Netgear/D-link etc routers have no passwords or no firewall config.

No one is assuming anyone is an idiot. Various government are making judgement about what's best for "users".

Get the default passwords threw a wrench in your current workflow. But I'd bet – even with sticker/password – someone can login and reset-configuration quicker than waiting 2 minutes. If your willing to wait that long, why use that time to re-format the disk at the same time for add'l safety/space/etc with net install.

I think @Guntis is just pointing out that by adjusting your workflow you might end up with a better approach. And flashfig as new units arrive is one idea – avoid needing some "long press to blank" later. Maybe that does not work in this case, but flashfig is not mentioned often as a potential solution.

If dealing with a sufficient number of them, netinstall is the way to go. Automation is good. Mikrotik offers a lot of tools to help. You can even create a branding kit to replace the default config, so future reset to default go to "blank" (or better include config and users YOU want) as third alternative here.

You're looking for a button press. I get it.

Ain't gonna happen.
ANYONE having physical access to the device can then simply press that button and goodbye network.
You want that ?
Didn't think so ...

So yes, if you think users are idiots, treat them like idiots. And make sure they can't simply break a network when doing idiot stuff. Done.

Excause me but you already have it! Anyone having physical access can simply press the buttonush and router is in default config.
What I want is ... no def config but clear router, so you missed the point...

True, lots of way to have a broken router with unauthorized physical access (e.g. a hammer also disable it).... But the requirement is it has a unique password, and after a reset, it still does.

It's also inconvenient that Wi-Fi antennas use RP-SMA, but that's also the law. e.g. US FCC did not want end-user replacing antennas that exceed power specs, so the "fix" was just to make it more difficult (at the time 10+ years ago before RP-SMA become the "standard" for Wi-Fi antennas).

Don't misquote Linus Torvalds for your winy "I want my reset button" agenda.

See full quote: https://mail.gnome.org/archives/usabili ... 00021.html

As easier alternative to Netinstall, Flashfig can also be used (on first power up)

System-Reset-No Default Config

Still requires an admin password, but many systems do now, law passed somewhere requires them to be set/changed.

What I want is ... no def config but clear router, so you missed the point...

The CCR products have this.

Don't misquote Linus Torvalds for your winy "I want my reset button" agenda.

See full quote: https://mail.gnome.org/archives/usabili ... 00021.html

Please tell me what exacly I misquoted???
the text from link is
This "users are idiots, and are confused by functionality" mentality of
Gnome is a disease. If you think your users are idiots, only idiots will
use it. I don't use Gnome, because in striving to be simple, it has long
since reached the point where it simply doesn't do what I need it to do.

and my qoute is:

If you think your users are idiots, only idiots will use it."

He was talking about Gnome, I am talking about clean boot and what are you talking about is unclear....

What is the point of your comment ???

The point still remains that this new feature has not been implement because the programmers think the users are idiots, but because practice has shown that they are.
There have been too many MikroTik routers on the internet without a password, and never being updated either.
After several incidents (not only for MikroTik but also for other brands), finally the EU introduced the requirement to have these unique passwords, or else you cannot sell the device on the EU market.
And it is sensible, so probably other areas will follow and it was easier to change this for everyone than to have a EU-specific version.
(note that wireless devices DO have a US-specific version that is locked down so wireless parameters cannot be changed beyond US law limits)

Other than this unique password, there is really nothing in the way to accomplish what you want. It has already been explained to you that you can clear the config without defaults and that there are ways to do that in a "batch" mode if you need to.

satman1w, you can't just simply extract a single sentence from a whole mailing list reply. You reframe the statement/message in a totally different context.

Besides that, fully agree pe1chl.

how about enabling us to boot the router as it used to be without a password

see viewtopic.php?t=206196

After several incidents (not only for MikroTik but also for other brands), finally the EU introduced the requirement to have these unique passwords, or else you cannot sell the device on the EU market.
And it is sensible, so probably other areas will follow and it was easier to change this for everyone than to have a EU-specific version.


(note that wireless devices DO have a US-specific version that is locked down so wireless parameters cannot be changed beyond US law limits)

Other places have passed similar laws too. I was unaware that the EU had such guidelines.

Will this apply to Cisco, Juniper, Arista, etc. as well?

Are we talking about this? https://digital-strategy.ec.europa.eu/e ... lience-act

Excause me but you already have it! Anyone having physical access can simply press the buttonush and router is in default config.
What I want is ... no def config but clear router, so you missed the point...

You can use NetInstall one time to install the default-config script you want - which is blank (or whatever YOU want). And then anytime you hit the reset button it goes back to /that/ default, not the one it shipped with.

Will this apply to Cisco, Juniper, Arista, etc. as well?

Certainly for their products intended for, or likely to end up on, the consumer market.

All other brands I've used so far (from cheap Chinese ones to 50k Cisco ones - with the exception of Fritz), simply force you to set a password on first login.
And I mean really force you, not the silly implementation of MikroTik's before the random password stickers, where you can hit cancel (or ctrl+c on CLI) and start using the router with an empty admin password.

If others can do it and be compliant with the EU law, so can MikroTik.

But it won't happen. MikroTik are just stubborn in their ways. It might take years of complains in this forum before they even consider changing anything.

How many years before even v7 came out there were complaints about using 16MB flash on new models? Did they ever listen to anyone? No, they keep releasing Chateaus that cost 400-500€ with 16ΜΒ flash...

And I mean really force you, not the silly implementation of MikroTik's before the random password stickers, where you can hit cancel (or ctrl+c on CLI) and start using the router with an empty admin password.

Agree, this is really one of the silliest things I have ever seen. And it is still the case on devices without default password-sticker. Horrible.

But it won't happen. MikroTik are just stubborn in their ways.

It is very common on other consumer e.g. wifi access points to print the passphrase of the default pre-configured SSID on a label on the backside of the device. MT did it the other way: print admin password on the sticker -> but create a SSID without passphrase in default configuration script. ROFLMAO

And I mean really force you, not the silly implementation of MikroTik's before the random password stickers, where you can hit cancel (or ctrl+c on CLI) and start using the router with an empty admin password.

The password is set to 'Expired' which causes the prompt. I didn't know you could cancel it.. Neat.. First thing I do is remove the admin account anyways.

That is an oversight that will be corrected eventually, but very minor compared to other bugs that exist.. You are an idiot if you leave the admin password blank to begin with.

But if you know enough that you can 'cancel' the password change, you are not likely to be the user that this 'feature' is aimed at.

Well said @Cha0s.

Tend to agree the lack of a real force password change (e.g. you can Ctrl-C or "Cancel", when prompted) was likely the actual compliance issue. The "sticker" scheme is a pretty tedious affair, see @kevinds post above. But if it's your only router and a newbie, likely not the hardest hurtle to getting something working given RouterOS's general complexity.

They do have config variables for scripted deployment... so there are workflows for mass deployment with netinstall, flashfig, or branding kit to deal with the password however some likes. But certainly there were a lot more deployment options with admin/no password, but those workflows still be broken if a "real" password change was enforced before config too – which they are required to do beyond just EU.

I'm just against further changes. To keep changing the scheme is also problematic. Or adding "no password" boot, as requested here... changing stuff introduces potential bugs or changes to workflow/upgrades/etc.

It is very common on other consumer e.g. wifi access points to print the passphrase of the default pre-configured SSID on a label on the backside of the device. MT did it the other way: print admin password on the sticker -> but create a SSID without passphrase in default configuration script. ROFLMAO

I suspect in a future update, for units with the pre-set admin password, that they will use that admin password as the default WiFi password too.

But this minor though. There is very little harm that can be done by having open WiFi.. Having routers without secure passwords creates bot-nets and those are bad.

Edit: From the quick guide of one model

The user name: admin, by default there is no password (or, for some models, check user and wireless
passwords on the sticker);

So sounds like it might already be in place for new units.

All other brands I've used so far (from cheap Chinese ones to 50k Cisco ones - with the exception of Fritz), simply force you to set a password on first login.

This is not sufficient for devices that work by default without you ever having to log in.
50k Cisco devices do absolutely nothing when you power them up first time, you need to do a lot of configuration.
But a MikroTik router connected to a line with DHCP will often work with the default config, and the user never has to log in.

Imagine you have to try to find the shipping box a year later for your $25k Cisco-switch to able to set ut up....

This should really only be target to consumer/home-usage equipment.

Imagine you have to try to find the shipping box a year later for your $25k Cisco-switch to able to set ut up....

Or like all companies do, it is printed on the product, usually near the serial number.

All other brands I've used so far (from cheap Chinese ones to 50k Cisco ones - with the exception of Fritz), simply force you to set a password on first login.

This is not sufficient for devices that work by default without you ever having to log in.
50k Cisco devices do absolutely nothing when you power them up first time, you need to do a lot of configuration.
But a MikroTik router connected to a line with DHCP will often work with the default config, and the user never has to log in.

Easy, just apply the default "WAN" config only after you set your initial password. Problem solved.
If someone goes out of their way to buy a MikroTik router just to plug it in without ever logging in, then they probably don't even need a MikroTik router and can just use whatever CPE the ISP gave them. There's no benefit to use a MikroTik router without actually doing any configuration on it.

Obviously MikroTik is for power users. They don't have to dumb everything down to appeal to those who don't care to learn how to use it.

Easy, just apply the default "WAN" config only after you set your initial password. Problem solved.

And how would you code such a task to fit with the existing processes?

The default admin password and WiFi password printed on the device is sufficient.

This is not sufficient for devices that work by default without you ever having to log in.
50k Cisco devices do absolutely nothing when you power them up first time, you need to do a lot of configuration.
But a MikroTik router connected to a line with DHCP will often work with the default config, and the user never has to log in.

Easy, just apply the default "WAN" config only after you set your initial password. Problem solved.
If someone goes out of their way to buy a MikroTik router just to plug it in without ever logging in, then they probably don't even need a MikroTik router and can just use whatever CPE the ISP gave them.

Apparently there are ISPs that give a MikroTik as a CPE to their customers.
That appears to be a big market that MikroTik has prioritized in the additions they make to RouterOS these days.
I don't know how many of these customers know anything about the router, and how the ISP distributes them.
(with default config, with a custom default config, with or without unique password)

Of course when a MikroTik router is delivered with a more or less recent RouterOS and default config is applied, it there may be no password but it will also not be accessible from the internet side (default firewall prohibits this).
However, that does not make it completely safe, because the user may have malware or even may visit websites that use javascript or similar to access the router from the LAN side, and reconfigure it to remove the firewall and install some botnet facility.