singh
Frequent Visitor
Topic Author
Posts: 72
Joined: Sat Apr 04, 2009 11:57 am

Forgot my password

Mon May 30, 2011 11:01 am

I am stuck with a very silly mistake.
I had a problem with my MikroTik RouterOS, so I simply restored a backup I had made two months ago.
Now I am stuck, as my password has also been restored and I cannot remember what my password was at that time.
Any help, apart from re-installing RouterOS again?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Mon May 30, 2011 1:18 pm

 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Mon May 30, 2011 1:20 pm

I wouldn't give my passwords to some random webpage with a very suspicious design :)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Mon May 30, 2011 1:23 pm

fully agree
But that password is the old password from the old backup; it will be changed to a new one as soon as he is able to log in, I believe =)
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Mon May 30, 2011 1:27 pm

just make sure your old password isn't something you use elsewhere, for example on paypal :)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Mon May 30, 2011 1:30 pm

there's always another, harder and safer, way: open-source software, http://manio.skyboo.net/mikrotik/
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Mon May 30, 2011 2:11 pm

Still using pretty weak encryption anno 2011? :( ?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Mon May 30, 2011 2:12 pm

why make it stronger? don't give access to your router to other people, and keep your backup file safe.
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Mon May 30, 2011 2:46 pm

It is not always easy to prevent (physical) access.
I'm just saying that, in general, it is good practice to use strong encryption.

The question can easily be stated the other way around: why not use strong encryption?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Mon May 30, 2011 2:56 pm

any kind of encryption can be broken quite easily
 
singh
Frequent Visitor
Topic Author
Posts: 72
Joined: Sat Apr 04, 2009 11:57 am

Re: Forgot my password

Mon May 30, 2011 4:47 pm

Another silly one.
The backup is still on the router PC; how can I get it out of there? Can I remove the hard disk, connect it externally to my laptop and get it onto a Windows machine?
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Mon May 30, 2011 4:50 pm

How so? I'm pretty confident you'll not break the current AES encryption any time soon. Current Linux password storing methods are considered quite safe. So I'm a bit surprised about your comment (and that any kind of encryption can be broken easily is just plain untrue, so you must mean something else I'm missing).
 
singh
Frequent Visitor
Topic Author
Posts: 72
Joined: Sat Apr 04, 2009 11:57 am

Re: Forgot my password

Mon May 30, 2011 5:58 pm

OK, what I mean is that I need to feed the backup into the link provided.
But the problem is that the backup is on the RouterOS box and not on my computer.
So is there a way I can get the backup off RouterOS, copy it onto my laptop and extract the password?
The router PC is here with me and is working properly after the restore, but I cannot log into Winbox because of the password change.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Mon May 30, 2011 6:00 pm

any kind of encryption can be broken quite easily
and the winner of RC5-32/12/9 is!..

[ ... drumming ... ]

Normis!!!

he receives $10'000!

p.s. http://www.rsa.com/rsalabs/node.asp?id=2103
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Mon May 30, 2011 6:02 pm

is there a way I can get the backup from the router OS then copy it into my laptop and extract the password.
you may boot from any Linux LiveCD and mount ROS partition to copy files from it
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 8:58 am

to encrypt something, we need a key. you would have to provide a password that you would have to remember.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Tue May 31, 2011 10:45 am

to encrypt something, we need a key. you would have to provide a password that you would have to remember.
http://en.wikipedia.org/wiki/Cryptograp ... h_function
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 10:53 am

So? This doesn't help: either the backup file wouldn't be transferable to another PC, or the potential cracker would just have to find out where the key was taken from.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Tue May 31, 2011 11:04 am

Normis, don't feign foolishness. If you save only a (machine-independent) hash of the password, then you cannot just enter it into the 'password' box (even if you got access to the router files and read the hash value); you need the initial non-hashed password to pass authentication. And if your password is not short, then you need a brute-force attack to recover the password from the hash. That's it, a hash function is one-way.

I'd like the cracker to recover my passwords in weeks, not in seconds
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 11:15 am

what is your request exactly? to encrypt passwords inside RouterOS, or to make better backup file encryption?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 11:17 am

About the backup file:

The only thing that you can use for your hash generation is the software-id.
Everything else can change. If we silently encrypt it with the software-id, you
won't be able to recover from the backup on another router.

If you have to remember some password, it's probably better if it is meaningful
to you and not some random digit sequence.

But for passwords in the router, we need to have access to the plain-text password; otherwise secure authentication
over the network is not possible, i.e. bandwidth-test, Winbox, WebFig, etc.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Tue May 31, 2011 11:24 am

we're talking about passwords
but passwords in the router - we need to have access to plain text password, otherwise secure authentication
over network is not possible, i.e. bandwidth-test, winbox, webfig, etc.
Not possible? Normis, if you don't know, let the developers do their work. M$ Windows never stores plaintext passwords, but user authentication over the network IS secure; plaintext passwords are NEVER sent over the network, even encrypted. Look at MSCHAPv2: it 1) does not store the plaintext password anywhere, and 2) if the server doesn't know the user's password, it cannot even authenticate the user (by just saying "Okay, I'll pass you with that password"), because in that protocol the user must ensure that the server knows his password too

p.s. my 6000th post
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Forgot my password

Tue May 31, 2011 11:34 am

we're talking about passwords

not possible? Normis, if you don't know - let the developers do their work. M$ Windows never stores plaintext passwords, but user authentication over network IS secure, plaintext passwords are NEVER sent over the network, even encrypted. look at MSCHAPv2 - it 1) does not store plaintext password anywhere, and 2) if server doesn't know user's password, it cannot even authenticate the user (by just saying "Okay, I'll pass you with that password") - because in that protocol user must ensure that server knows his password too
The thing with Microsoft is that it is enough to know your "encrypted password" to successfully authenticate over MSCHAPv2 (there is no need to know the plain-text password at all), i.e. your encrypted password becomes the real password. So it looks like a kinda silly example to me.
p.s. my 6000th post
Now you can move from quantity to quality :) (joke)!
 
kazanova
Member
Posts: 406
Joined: Tue Sep 06, 2005 11:52 am

Re: Forgot my password

Tue May 31, 2011 1:21 pm

Chupaka always talks with quality
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Tue May 31, 2011 2:02 pm

A lot of confusion about this, so I'll bottom-line it. It is possible. It is NOT overly hard to do. It is considered safe.

One thing is, we want the password stored securely (i.e. hashed) and to authenticate against this hash. Authentication works by hashing the password that the user inputs; if the hash of that inputted password matches the stored hash, you have access. Otherwise you are denied access.

Storing the hash won't reveal the password to the hacker (you can relatively easily obtain the hashed passwords Windows stores. Unfortunately, they are vulnerable to rainbow attacks, but that's another story).
Last edited by Jeroen1000 on Tue May 31, 2011 2:06 pm, edited 1 time in total.
 
doush
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: Forgot my password

Tue May 31, 2011 2:05 pm

Now you can move from quantity to quality :) (joke)!
Unlike many others, I think he has it both
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 2:11 pm

A lot of confusion about this, so I'll bottom-line it. It is possible. It is NOT overly hard to do. It is considered safe.

One thing is, we want the password stored securely (i.e. hashed) and to authenticate against this hash. Authentication works by hashing the password that the user inputs; if the hash of that inputted password matches the stored hash, you have access. Otherwise you are denied access.

Storing the hash won't reveal the password to the hacker (you can relatively easily obtain the hashed passwords Windows stores. Unfortunately, they are vulnerable to rainbow attacks, but that's another story).
I don't understand your point. You are asking us to make this, but then you are saying that people can log in with the hash. OK, hacker can't "read" the password, but the security is compromised anyway.

if you have some idea how to overcome this limitation, we will be happy to make it.
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Tue May 31, 2011 2:27 pm

Chupaka can explain it better, I think. You can't log in with the hash. It is used for a different purpose.

Basically, say my password is 1234 and the hash is 0FBECDE5.
You store the hash.

Next time someone inputs, let's say, 4567. If you hash 4567 you will never ever ever get 0FBECDE5, but for instance 0FABACDE.
So, in order to grant access you compare 0FBECDE5 with the HASHED version of 4567. They will not match.

I.e. 0FBECDE5 does not match 0FABACDE

The only way you will ever get 0FBECDE5 as a hash again is when you input 1234 as the password. Of course there is no way of converting 0FBECDE5 to 1234. It is only possible to create 0FBECDE5 by hashing 1234: you cannot find out what the password is by looking at the hash.
I'm no expert either, just to make that clear :). But a security engineer should have little trouble cooking something like this up. It's very widely used.

I'm just very much in favour of strong security and privacy-minded. You definitely require someone with more knowledge than myself to implement this securely, but it should not be very hard to do so.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 2:39 pm

you still can retrieve 0FBECDE5 from the router just like the second post of this page describes, and log in by using 0FBECDE5 directly. you don't need to know what password made this hash
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Tue May 31, 2011 2:50 pm

Thing with Microsoft is - it is enough to know your "encrypted password" to successfully authenticate over MSCHAPv2 (there is no need to know plain text password at all), i.e., your encrypted password becomes real password. So looks kinda silly example to me.
agree, I need a coffee... =)
You are asking us to make this, but then you are saying that people can log in with the hash. OK, hacker can't "read" the password, but the security is compromised anyway.
Yes, in the case of network login. But it's completely impossible when using local login.
When someone is knocking via the network, the firewall is on stage; but you cannot know who's on the COM port. So protect your management IP network and don't give them the possibility of getting to know your plaintext password
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Tue May 31, 2011 2:52 pm

No, if you input 0FBECDE5 directly (if you use it as password instead of 1234), the hash algorithm will hash 0FBECDE5 and not 1234. This would yield, for instance, FBC3B9A2 and FBC3B9A2 does not equal 0FBECDE5.

You have the secure storing of a password on one side (by hashing it as I described), and secure authentication on the other side. Both are needed.

So you cannot log in by inputting the hash as a password because the hash you input will be hashed and transformed as I just said.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 2:54 pm

No, if you input 0FBECDE5 directly (if you use it as password instead of 1234), the hash algorithm will hash 0FBECDE5 and not 1234. This would yield, for instance, FBC3B9A2 and FBC3B9A2 does not equal 0FBECDE5.

You have the secure storing of a password on one side (by hashing it as I described), and secure authentication on the other side. Both are needed.

So you cannot log in by inputting the hash as a password because the hash you input will be hashed and transformed as I just said.
you can, see chupaka post above
 
yogii
Member Candidate
Posts: 148
Joined: Wed Jun 16, 2010 5:38 am
Location: Batam, Indonesia

Re: Forgot my password

Tue May 31, 2011 3:31 pm

Hi Mr. Normis,

What about files in the .backup format, is it possible to unpack them?

I think customers will feel safer about their routers if MikroTik makes the encryption strong. Right now it is very easy to find out the password with just the .backup file. :(
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Tue May 31, 2011 3:33 pm

don't give that file to people you don't trust. just like any other file.
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Tue May 31, 2011 3:43 pm

Could you please just check with your engineers.
This kind of protection is as common as HTTPS websites. I can give you my TrueCrypt-encrypted hard drive and you'll never get access to my data when the drive is at rest (powered off). It also uses local login.

Chupaka is not saying at all that this is not possible (but only he can set the misinterpretation straight). I think the best course of action is to just ask the engineers what they can implement. Or you could check out how it is done on any Linux distro?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Forgot my password

Thu Jun 02, 2011 10:40 am

We all know that it is completely unacceptable to send a password over the network in plain text, so we want to send some kind of hash. But to verify that hash we need the plain-text password on the router. It is possible to store the password as a hash and send over the network a hash of that hash. But in this case the hash of your password becomes the real password. Of course, you would have to crack Winbox to feed in this hash instead of the plain-text password, but in the case of the API only the hash would be sent, so it would be trivial to write a simple script that knows only your hash from the backup, connects to your router via the API and changes the password.

Windows stores passwords as MD4 hashes. Because of that MS could not support CHAP authentication. They invented MS-CHAP, which uses this hash as the real password. MS even extended the PPP protocol so you can change the password remotely. The end result? Look it up on the internet... It was enough to know this MD4 hash to dial in to a Windows computer and change its password.

Bottom line is: from a security point of view the gain of this feature request is close to none, as we all know that using the same username/password on all the routers is plain stupid anyway.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Thu Jun 02, 2011 10:50 am

as we all know that using the same username/password on all the routers is plain stupid anyway.
I agree, everybody must have unique long-and-hard-to-remember passwords for each of hundreds of devices; then MikroTik won't even worry about your plaintext password compromise
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Thu Jun 02, 2011 3:33 pm

I have been directed to this thread when I raised the issue of insecure passwords to support.

Here is my view: You cannot use "keep your backup file safe" as an excuse to a very poor security design. And using 400 different passwords is also not an option (we manage 400 nodes). We have users that manage their own nodes, so they have an admin user on their node, while we also have an admin user on their node.

The solution is quite simple:
Firstly, Winbox should connect to the router via SSL, not via an insecure link. Then sending plain-text passwords is not a problem.

Secondly, the router has absolutely no business storing a local copy of the password. It should only ever store a hash. Yes, there are debates on how secure a hash really is, if I use the password "123" and it is hashed using md5 then sure, it is useless. But if I use "myUberseCretp@ssword!@##$%#$%^#$%^@#$^WHATEVA" and it uses SHA384 to hash, I am sure that it will be safe for a while.

So, Mikrotik, apart from not wanting to change things, why don't you implement this?

I would be happy if you started adding it to Ros 5.5 as an optional feature, and guess what? If I decide to rather hash my passwords then I cannot use The Dude, or Bandwidth test, or some such. Fine by me.

If you can make it a per user option it would be even better, as then I can create a readonly user for bw tests, dude etc, and keep my management user password safe.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Thu Jun 02, 2011 3:35 pm

didn't you read what macgaiver posted above?
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Thu Jun 02, 2011 3:43 pm

I did read.
But to verify that hash we need plain text password on the router.
Bullshit.

You do not need to have the plaintext password so that you can hash it and compare the hash. What the hell?

Procedure:
I type password "secret" into winbox and click login.
winbox creates a secure connection to my rb.
rb receives password "secret".
rb hashes the password using whatever cool function you guys decided to use, and the result is "alskdfjlkasdjflkjfjwelksadjfklavnqewruoihtjnbpagdfhajoksehfaoierufhhasjdfnanseruthsdgufhnsadfgu"
rb loads the local copy of the password hash (also "alskdfjlkasdjflkjfjwelksadjfklavnqewruoihtjnbpagdfhajoksehfaoierufhhasjdfnanseruthsdgufhnsadfgu")
they match, user can continue.

Another user types "blabla" into their winbox.
winbox creates a secure connection to my rb.
rb receives password "blabla".
rb hashes the password using whatever cool function you guys decided to use, and the result is "pwermasdofqwoiefjvnmanwerpoitjokiamscvknawoeirjoiwefaklosnfoaiwefjasoifj"
rb loads the local copy of the password hash: "alskdfjlkasdjflkjfjwelksadjfklavnqewruoihtjnbpagdfhajoksehfaoierufhhasjdfnanseruthsdgufhnsadfgu"
hey, what do you know, they don't match!
user may NOT continue.

Tell me again why the rb needs to store the plain text password?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Thu Jun 02, 2011 3:46 pm

as we all know that using the same username/password on all the routers is plain stupid anyway.
I agree, everybody must have unique long-and-hard-to-remember passwords for each of hundreds of devices; then MikroTik won't even worry about your plaintext password compromise
By the way, if we elaborate that thought, everybody should use other vendors' equipment, so as not to bother MikroTik =)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Thu Jun 02, 2011 3:50 pm

Tell me again why the rb needs to store the plain text password?
because API protocol does not support encryption %(
p.s. that's not true, they can store pre-calculated not finished MD5("\x00" + PWD) value for API logins
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Thu Jun 02, 2011 3:51 pm

Normis,

I think you guys completely misunderstand how password hashing works.

Simple hashing would be:
password_hash = algorithm(password)

This has a problem in itself: one could use a lookup hash table to easily get the password.

However, this can be overcome by using a salt:
X must be constant
salt = X number of random characters (printable + non-printable)
password_hash = salt + algorithm(salt+password)

To check a password that the user enters, you take the first X characters from the stored hash and just use the same function again. If the hashes match, voila, your password is correct.

If you feel this is still insecure, one could look at public/private key auth the way SSH does :)
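An added, runnable example of the scheme TFyre describes above (and of the hash-and-compare procedure PietRetief spelled out a few posts earlier); it is editor-added code, not code from this thread, from RouterOS or from MikroTik. It assumes a 16-byte salt for TFyre's constant X and swaps in PBKDF2-HMAC-SHA256 with an iteration count for his unnamed `algorithm`, since a deliberately slow function is what makes Chupaka's "weeks, not seconds" hold. The stored record is salt + KDF(salt, password); verification slices the first 16 bytes back off and recomputes. It also demonstrates two points argued in the thread: feeding the stored record back in as the password does not log you in (Jeroen1000's reply to normis), and a short password in a salted record still falls to an offline dictionary guess. All inputs are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

SALT_LEN = 16          # TFyre's constant X: fixed so the salt can be sliced back off the record
ITERATIONS = 100_000   # assumption: PBKDF2-HMAC-SHA256 work factor; the thread names no algorithm
DIGEST_LEN = 32


def _kdf(salt: bytes, password: bytes) -> bytes:
    """The 'algorithm(salt+password)' step, done with a slow, salted KDF."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, DIGEST_LEN)


def make_record(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """What the router would store: salt || KDF(salt, password). A fresh random
    salt per user means two users with the same password get different records,
    so a precomputed lookup table is useless. A caller may pass a salt for tests."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    return salt + _kdf(salt, password)


def verify(record: bytes, candidate: bytes) -> bool:
    """Login check: first SALT_LEN bytes are the salt; recompute and compare.
    Constant-time compare so a timing side channel leaks nothing about the stored hash."""
    if len(record) != SALT_LEN + DIGEST_LEN:
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_kdf(salt, candidate), stored)


def crack(record: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing, which is all an attacker holding the record can do: every
    guess costs one full KDF run, and the salt must be re-read from the record."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def records_differ_for_same_password(password: bytes, n: int = 3) -> bool:
    """Salting in action: n records for one password are pairwise distinct."""
    return len({make_record(password) for _ in range(n)}) == n


if __name__ == "__main__":
    rec = make_record(b"1234")                       # constructed sample password
    print("record:", rec.hex())
    print("login with 1234:", verify(rec, b"1234"))
    print("login with 4567:", verify(rec, b"4567"))
    print("login with the stored record itself:", verify(rec, rec))
    print("dictionary guess:", crack(rec, [b"password", b"admin", b"1234"]))
```

This protects the secret at rest, not on the wire: the router still receives the candidate password in the clear, so it has to sit behind a secure transport (PietRetief's SSL point), and a protocol that needs the password itself on the server side, as the API challenge scheme discussed later in the thread does, cannot be served from this record.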
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Thu Jun 02, 2011 3:52 pm

Tell me again why the rb needs to store the plain text password?
because API protocol does not support encryption %(
p.s. that's not true, they can store pre-calculated not finished MD5("\x00" + PWD) value for API logins
So should the API not be updated to take the text given, hash it, then compare that with what is stored on file?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Thu Jun 02, 2011 4:04 pm

API does not send plaintext password, it sends MD5("\x00" + password + challenge) - so the result is different every time

in spite of that, it's possible to save MD5 registers after hashing ("\x00" + password) - and then server will be able to construct MD5("\x00" + password + challenge) without plaintext password
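An added example, not from this thread or from MikroTik, of the API login exchange as Chupaka describes it and of his midstate idea: the router stores the MD5 registers after absorbing "\x00" + password and finishes the hash with the challenge at login time. To show the state being saved and resumed, the example carries its own small MD5 (the standard library's hashlib does not export its internal state); `enroll`, `client_response`, `server_verify` and `forge_response` are names chosen here, and only the hash computation is modelled, not the API's sentence framing or hex encoding. Run, it shows three things: the legitimate login succeeds without a plaintext password on the router; whoever copies the stored record can answer any challenge, which is macgaiver's "the hash becomes the real password" objection; and a limit the proposal does not mention: MD5 compresses only whole 64-byte blocks, so for any password shorter than 63 bytes the saved "midstate" is the fixed IV plus the password bytes buffered in the clear.

```python
import hashlib
import hmac
import math
import struct

# MD5 constants: K[i] = floor(|sin(i+1)| * 2^32), per-round rotations, initial registers.
_K = [int(abs(math.sin(i + 1)) * (1 << 32)) & 0xFFFFFFFF for i in range(64)]
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(regs, block: bytes):
    """One MD5 compression of a 64-byte block into the four registers."""
    a, b, c, d = regs
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(regs, (a, b, c, d)))


class MD5State:
    """Streaming MD5 whose registers, byte count and buffered tail can be exported and resumed."""

    def __init__(self, regs=_IV, buf: bytes = b"", length: int = 0):
        self.regs, self.buf, self.length = tuple(regs), bytes(buf), length

    def update(self, data: bytes) -> "MD5State":
        self.length += len(data)
        self.buf += data
        while len(self.buf) >= 64:      # only whole blocks are compressed; the rest waits in buf
            self.regs = _compress(self.regs, self.buf[:64])
            self.buf = self.buf[64:]
        return self

    def digest(self) -> bytes:
        pad = b"\x80" + b"\x00" * ((55 - self.length) % 64) + struct.pack("<Q", self.length * 8)
        regs, data = self.regs, self.buf + pad
        for off in range(0, len(data), 64):
            regs = _compress(regs, data[off:off + 64])
        return struct.pack("<4I", *regs)

    def export(self) -> bytes:
        """What the router would persist instead of the password: registers, byte count, tail."""
        return struct.pack("<4IQ", *self.regs, self.length) + self.buf

    @classmethod
    def load(cls, blob: bytes) -> "MD5State":
        regs = struct.unpack("<4I", blob[:16])
        (length,) = struct.unpack("<Q", blob[16:24])
        return cls(regs, blob[24:], length)


def enroll(password: bytes) -> bytes:
    """Router side when the password is set: absorb "\\x00" + password, keep only the midstate."""
    return MD5State().update(b"\x00" + password).export()


def client_response(password: bytes, challenge: bytes) -> bytes:
    """Client side: the API response is MD5("\\x00" + password + challenge)."""
    return MD5State().update(b"\x00" + password + challenge).digest()


def server_verify(record: bytes, challenge: bytes, response: bytes) -> bool:
    """Router side at login: resume the saved state, append the challenge, compare."""
    expected = MD5State.load(record).update(challenge).digest()
    return hmac.compare_digest(expected, response)


def forge_response(record: bytes, challenge: bytes) -> bytes:
    """An attacker holding the record needs no password: same computation as the router."""
    return MD5State.load(record).update(challenge).digest()


def plaintext_in_record(password: bytes) -> bool:
    """True when the exported midstate still carries the password bytes verbatim."""
    return password in enroll(password)


def self_check() -> bool:
    """Cross-check this MD5 against hashlib across block boundaries."""
    return all(MD5State().update(b"q" * n).digest() == hashlib.md5(b"q" * n).digest()
               for n in range(140))


if __name__ == "__main__":
    record, challenge = enroll(b"admin123"), bytes(range(16))   # constructed, not a real login
    print("login ok:", server_verify(record, challenge, client_response(b"admin123", challenge)))
    print("forged from stolen record:", server_verify(record, challenge, forge_response(record, challenge)))
    print("password visible in record:", plaintext_in_record(b"admin123"))
    print("for a 70-byte password:", plaintext_in_record(b"x" * 70))
```

So the midstate trick keeps the API's existing client side unchanged, as Chupaka says, but what it stores is still a credential equivalent to the password for API logins, and for ordinary-length passwords it is the password, merely re-packaged; only a salted, slow hash as in the earlier example takes the plaintext off the router, and that requires the protocol to deliver the password itself over a protected transport.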
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Thu Jun 02, 2011 4:33 pm

API does not send plaintext password, it sends MD5("\x00" + password + challenge) - so the result is different every time

in spite of that, it's possible to save MD5 registers after hashing ("\x00" + password) - and then server will be able to construct MD5("\x00" + password + challenge) without plaintext password

They could send MD5("\x00" + saved_hash + challenge), the client can hash the password and compare. The router still does not need to store the original password.

And if you use a very good hash algorithm (not MD5) and your user uses a proper password, then it will be secure.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Thu Jun 02, 2011 11:28 pm

They could send
it's too late - API is on stage, nobody will rewrite all software that uses another authentication. I just say that it will be still possible to support API authentication w/o plaintext passwords on the router
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Fri Jun 03, 2011 10:14 am

Normis,

I think you guys completely misunderstand how password hashing works.

Simple hashing would be:
password_hash = algorithm(password)

This has a problem in itself: one could use a lookup hash table to easily get the password.

However, this can be overcome by using a salt:
X must be constant
salt = X number of random characters (printable + non-printable)
password_hash = salt + algorithm(salt+password)

To check a password that the user enters, you take the first X characters from the stored hash and just use the same function again. If the hashes match, voila, your password is correct.

If you feel this is still insecure, one could look at public/private key auth the way SSH does :)
I see what you mean. But it looks like MikroTik have too much baggage code/programs, and changing their authentication scheme now will be very hard.

The sad thing is that this completely breaks our admin model on our network. We cannot prevent nodes from creating backups that contain the core admin team password, nor can we run with 400+ different passwords.

MikroTik, any chance that you can start implementing the hashed passwords as an option on each username? That way we can secure the users that we want to secure, and if it means that user cannot be used by the API or by The Dude, then so be it. That would give you a great way to start moving over to the hashed auth model over the next few releases until it is fully supported.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Fri Jun 03, 2011 11:52 am

start implementing the hashed passwords as an option
by the way, don't know about other vendors, but on D-Link switches you can store either plaintext or encrypted passwords. config files will be like this:
create account admin admin
mymegapassword
mymegapassword
disable password encryption
or
create account admin admin
*@&5d86xdg6wvYoMp596eYmPiUkVXcQoIND
*@&5d86xdg6wvYoMp596eYmPiUkVXcQoIND
enable password encryption
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Sat Jun 04, 2011 1:15 am

No comment from mikrotik?? :-/
 
Jeroen1000
Member Candidate
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

Re: Forgot my password

Sat Jun 04, 2011 1:40 am

This feature does seem to generate a lot of interest! Since ROS is basically Linux, can the security mechanisms in Linux be used? Am I seeing this wrong? Linux passwords are stored pretty securely since they contain a salt. Don't know the details, like usual :)
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Mon Jun 06, 2011 1:50 pm

Any word from Mikrotik?

Or is it safe to assume that nothing is going to happen surrounding this issue?
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Mon Jun 20, 2011 8:10 pm

hmmm still no reply... that's sad :?

Can someone at MikroTik please look into this and give a proper explanation as to why this cannot be done?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Tue Jun 21, 2011 12:41 pm

Can someone at mikrotik please look into this and give a proper explanation as to why this cannot be done?
because it's not important =) you should just lock your router in a steel safe, and all those problems go away
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Tue Jun 21, 2011 12:51 pm

because it's not important =) you should just lock your router in the steel safe - and all those problems are gone away
LOL, sure if it was 1 rb... but on 600 nodes?!
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Forgot my password

Tue Jun 21, 2011 12:58 pm

use unique password for each RB, as it was said =)
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Tue Jun 21, 2011 1:07 pm

use unique password for each RB, as it was said =)
Perhaps I'll just have to write my own Winbox... download all the DLLs off the RBs, try to load them and see how it goes... If I have my own Winbox password management system with filters & everything so I can display certain groups of nodes, I don't have a problem with 600 entries in my Winbox DB :) Right now, anyone can open up your Winbox config file and see, yet again, your plain-text passwords...
 
PietRetief
newbie
Posts: 34
Joined: Thu Mar 19, 2009 10:58 am

Re: Forgot my password

Tue Jun 21, 2011 1:56 pm

Wow. I must say, the complete lack of response from Mikrotik on this issue is getting to me.

@Mikrotik: How hard would it be to start supporting hashed passwords, as an optional setting by the user? I am happy if this breaks The Dude, BW monitor, API, etc., because what I want is to create a "root" user on the router that I can use in the event that RADIUS is down.

I will create a Radius user to use with The Dude, API, BW test, etc. At least that way nobody can steal my root password, and I can still use all the features (when using the Radius user).

And no, the sick and stupid responses of "use 400 different passwords" and "keep your backup safe" are not helping.
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Thu Jul 14, 2011 10:42 am

*Bump* Any updates?
 
TFyre
just joined
Posts: 16
Joined: Wed Jan 13, 2010 3:37 pm

Re: Forgot my password

Mon Aug 01, 2011 1:46 pm

Can MikroTik please sort this problem? I'm even willing to put in development time just to get this security hole fixed!! Please let me know how I can help with this problem!!
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Forgot my password

Mon Aug 01, 2011 2:18 pm

This is not a security hole. It's your own choice to use a more secure method to connect to your router.

Use SSH with Key authentication instead of Winbox or use IPsec (or SSTP) tunnel before connecting with Winbox if you don't want command line.
