I use passutils.exe to generate random 8-character passwords to secure my Routerboards.
Initially I used the utility to generate a list of passwords which I kept, copying and pasting them to RouterOS as required, but recently pasted a password direct from the utility’s output via clipboard to RouterOS, also pasting it to my list. However RouterOS won’t accept it. As an experiment I repeated the exercise on another RB with the same effect - whatever gets pasted to the RB direct from the utility seems NOT to be the same as gets pasted to notepad or into Winbox.
Is there any way of repeating the exercise, but before logging out getting RouterOS to reveal the password that’s been set - which might reveal any additional characters being adding to the password in the pasting process? ie perhaps get RouterOS to reveal the Old Password as part of the password setting process?
Normally via Winbox to configure the RB, using the default ether IP.
Having configured the RB to work as a station I bring up the ‘password’ window, leave the ‘Old Password’ blank and past the new one in the appropriate spaces. This worked well when I copy/pasted the password from a Notepad list but Passutils.exe offers the option of copying the newly-generated password direct to Windows clipboard. I pasted this into the Winbox Window AND into the .txt list before closing Winbox, but neither pasting the password back into the Winbox loader window nor typing it in provides a recognised password so I’m guessing that pasting the Passutils.exe ‘copied to clipboard’ entry directly into Winbox changes it in a way that pasting it into a word-processsing application doesn’t.
For reasons known only to Mikrotik this function doesn’t work with the RB’s own user passwords.
Once I’m in RouterOS either via Winbox or Telnet I don’t see why I shouldn’t be able to see what the current password is, as I couldn’t get in without having known it, or just having set it. But it seems you can’t.
Heh. Yes, you’re right. Never noticed that. Same applies to the password when accessed from the user list.
Hmmm. That’s not good. I am reasonably sure that ‘/user export’ or ‘/user print detail’ should show the passwords (if they’re not meant to, then what is the point of ‘/user export hide-sensitive’?). Damn.
In the meantime, if you use ‘/user set admin password=“xxxxxxx”’ (where ‘xxxxxxx’ is the password you want to use) from the command line (instead of the GUI), you will be able to see the password when you set it. Not ideal though.
I can’t help but think that there are two bugs here:
1 - ‘Hide passwords’ not being implemented properly
2 - ‘/user export’ not showing all the information it should
sentitive in this case is ppp passwords and such. user password is encrypted and can’t be shown, it’s for security purposes. same reason why it’s not in export.
I think including it was also reported as a bug a while back, that’s why it is like that
The password doesn’t seem to be reported in supout.rif, which is fair enough, or in the export configuration file which is rather more annoying as I’d expect importing the configuration to reset the same passwords instead of leaving the system unprotected.
I can understand password protection being a sensitive matter, but it does appear Mikrotik are being a bit anal in this case when any password you have stored in Winbox loader is easily accessible in plain text in the addresses.wbx file!
In these two cases I’m only going to have to re-set the configuration to default and re-do them which is no more than a minor irritation - but I don’t like understanding the reasons when something doesn’t work the way it should. Had I wanted to reset the passwords of CPEs in the field remotely using this method I would now be faced with inaccessible Mikrotik devices for no good reason.
Hi Normis - but it seems that at least in this particular situation, where one uses the ‘save to clipboard’ utility of the Passutils.exe application (www.pctools.com/guides/password) and then pastes it directly into the Winbox password setup utility, the encryption gets it wrong.
Good theory. If I can assign the ASCII code for ‘new line’ (decimal 10) to a special character and then include it in the Winbox .wbx file as text it should get passed to the Router simply as a character with value 10 and encrypted as that for password matching.
Now, how do I create a special character and allocate decimal 10 to it?
