MikroTik need to keep it for EU compliance, frustrating as hell and should not apply to products sent outside the EU but whatever… the main issue is make the password readable!
Stop using characters like O/0/I/l/1/8/B as trying to decipher what they are gets really old really fast after repeated failed attempts on every device. I don’t want to play a game of chance on every MikroTik device I have to set up.
And for god’s sake make the font readable, change both the font and the size. It’s utterly horrible on a hAP AX2
And add a barcode so it can just be scanned, doing this process manually over and over and over again in bulk is a nightmare
Good ideas.
If you find it hard to distinguish between B and 8, what about Z and 2, or S and 5 ?
I particularly like the suggestion about the bar code.
Did you have a specific recommendation for the barcode type?
Oh yes, those are known letters to make almost anyone trip.
1, i, l, L, I ?
o and O or 0 ?
Presents nicely here but use another font and you’re started for a guessing game …
AX2 is bad (I’ve got that one too) but have a look at AX Lite. A lot worse (and what makes it even worse, there is almost 30% blank space on that label so they could EASILY have made the font larger)
I come from a time where I, O and X were forbidden characters for product codes or passwords (X was a wildcard character).
I like the suggestion about barcode. But what are you going to use to read it ? Not everyone has a barcode scanner (ok, most smartphones can handle it too but that may be the wrong medium when you’re in front of your computer, so extra steps to be taken).
Solution could be to combine part of a serial number or MAC address which are unique and e.g. 4 random letters printed in CAPITAL on a sticker.
These 4 letters could be quite BIG on a sticker and MAC could be read from the rest of a sticker or from WinBox
Just found this with Google
Characters to avoid in automatically generated passwords
A good font makes a big difference. OCR B used to be my favorite, but Consolas (the default in Windows Notepad) is much better (as the zero has a slash).

But it is still best to avoid things that can be easily confused (especially when having to read them in poor orientation and lighting conditions).
There should be something obvious in the packing/box that tells users they should copy it into their password manager before deploying to an inconvenient location.
That’s not a very large set to brute force. Especially for a local user that can see the MAC address and knows the “algorithm”. 4 random capital letters is 26^4 possibilities, or just under 1/2 million (456,976). That’s much better than no password, but a pretty low bar from a security standpoint.
But remember:
It’s JUST a DEFAULT password needed to obey EU rules.
Add the 5th letter to the “suffix” to make it stronger.
Convenience is the worst enemy of security.
Do it properly or not at all.
This goes way beyond ‘convenience’, these sorts of random passwords absolutely will result in a lot of pointless e-waste, financial waste and needless man-hours solely because the device got factory reset and can no longer be accessed due to credentials being inaccessible (company out of business, stickers faded/lost/removed etc)
There are a lot of better ways to handle this. But regardless this is beyond the scope of MikroTik as it’s an actual regulation requirement
What is in MikroTiks control is what I’m referring to in my initial post. The way they’ve done it is horrible and needs to be rectified
‘Bring a magnifying glass and keep trying combinations of 1/I/l/8/B/0/O until it works’ is not a better security mechanism
I hear you (loud and clear) and something definitely needs to be done.
But lowering the standards towards something which can partly be extracted from existing info is not the correct reaction.
That was the main intent of my response.
And remember that we’re at this stage because of the various clueless “installers” that contributed with customer devices to botnets over the years, leaving them with no passwords and management exposed to the wild internet.
I’m sure that if you convince “The one and only Kevin Myers” (as MikroTik likes to call him, some celebrity for some reason) that there’s something wrong with the quality of the printed passwords and that he has to tell MikroTik about it, MikroTik will do something about it.
BTW … what if I reset configuration to factory settings. Is that password set to the printed one?
If yes then it has to be stored somewhere in ROM or it is generated by an algorithm and based on … who knows what … but the algorithm could be reversed so the level of security falls down like a crashing plane
If we netinstall what happens then? Same question arises.
Yes it does (so I understood) but that would already require physical access to the device.
As it was in the past (no password) anyone could potentially gain remote access if device was accessible from outside.
And then the botnets had their fun …
Same with a key of your house.
You can copy it but you first need to have physical access which is already more difficult.
(don’t get me started on those electronic key fobs for key-less cars…)
Someone REALLY putting in the effort, will ALWAYS be able to gain access to your house, your car, your router, … whatever. Some way or the other.
The point is to make it difficult enough so they lose interest.
So what is the problem with random 4 letters as a suffix to the part of serial number .. which is different as well each time … as a default password?
Is it random? Yes, it is.
Does it obey rules? Yes, it does.
Is it easy to print four big letters on a sticker ? Yes, it is.
Could you set better password? Yes, you can.
If someone has physical access to the router, does it make a difference how complex the password printed on the sticker is? No, it makes no difference.
If we limit letters to distinguishable enough we lose a lot of randomness and security.
https://www.lexology.com/library/detail.aspx?g=87b061bb-d01e-4a49-8554-5809983ab184
netinstall what happens then? Same question arises.
Well my intended workaround was …
Netinstall with custom script, that sets ‘my’ password, or adds an ‘admin enabled’ extra user ?

Extending the serial number might be okay, depending on how difficult it is to make the router give it up over a LAN link. The only measure I’m aware of is “/export”, at which point you’re logged in already, but I worry that I’m missing a side channel.
(Don’t tell me to restrict WinBox access to a super-special administration VLAN. This default password measure is clearly not for people who were already doing that.)
Appending it to the MAC, as I believe I have seen proposed, is a terrible idea, since the router announces that to anyone who asks. Even if you turn off MikroTik’s discovery protocol (CDP) it’s easy to nmap the subnet and check your ARP table for any of the 16 MAC prefixes currently assigned to “Routerboard.com.” At that point, your password-guessing attack devolves to the half-million case calculated above, at which point all that saves you is the router’s rate limiting features.
I’ve just had a hAP ax² through here for testing, and I’ve still got an “ax lite.” While I do support the inclusion of default passwords, I can tell you from direct experience that they are indeed currently printed too small, and in fuzzy text besides. This exacerbates the problem of ambiguous characters.
Someone brought up use of better fonts, but at these sizes and at these low printing resolutions, arguing over fonts is like holding a debate over whether the red or the blue crayon will produce more legible refrigerator art.
You have to purchase the add-on. The Llama MT Password Reading Magnifying Glass!!
All proceeds go to lobbying MT to add Zerotrust Cloudflare tunnel as an options package.
You joke, but while I do have solutions to that problem, they all suck:
- The benchtop illuminated magnifier with auxiliary lens I bought for micro-soldering works great for reading the new password labels, but only when I’m in my lab, it being clamped to a workbench several feet from the nearest computer that’ll run WinBox. It’s back-and-forth until I can transcribe the immemorable string of noise a few characters at a time.
- The Sherlock Holmes style magnifying glass I inherited from my grandmother solves the mobility problem, but only when I’m at home, and I look like a twit using it besides!
- My smartphone’s camera/magnifier app lets me take the pic at the router, then transport it to where I actually need to be to use it, but my hand shakes, blurring the already blurry text.
The final option is the one I’ll actually use, since it also gives me a backed-up record of what the default was should the device ever be factory-reset. I just want a better chance of a readable shot given my shaky hands and the low lighting where these routers get placed.
I reverted to x3 zoom using my smartphone and then take a picture at the moment of unpacking. Not even applied power to the device.
(and yes, might require some object to rest your arm/hand on to have an as stable as possible picture and adjusted lighting).
That picture then immediately goes into my password vault so I got the MAC address of the device and accompanying passwords with it.
AX Lite is the worst I have seen so far. That’s simply stupid how that is done (no disrespect meant to anyone but it is what it is).
I also don’t understand why it has to be a different format/printing/layout for each and every device type.
Barcodes would go a very long way to helping this situation. Not everyone has a barcode scanner, but it’s a pretty easy sell if you have to configure lots of them
For individual units and field techs at least they can use a phone to snap a pic and have it convert that to text. At least it would be correct and not mix up ambiguous characters
If MikroTik wants to go this route (I am highly in favor) then the barcode should be printed both on the device AND the box
The device only needs a single barcode for the password
The box should have 2 or 3
- password
- MAC address
- optionally the serial number
This way inventory can be easily and rapidly scanned as it comes in using a barcode scanner and saved into records. Box does not need to be opened it can go immediately into storage/shelf/van/whatever and will be ready for use
It’s very simple to open up records and do a search for MAC/Serial and find the corresponding password for the device. Importantly it will be accurate. The way it is now is highly error prone. Photos of text alone can be (and often are) blurry and unreadable, it needs to be a regular old barcode
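The keyspace trade-off argued over earlier in the thread (26^4 for four capital letters, and the worry that dropping look-alike characters costs randomness), worked through as an added example that is not part of any post and not MikroTik's scheme. The 10-character reference length and the 1 guess per second rate are assumptions chosen for illustration; the look-alike set is the one the posters list.

```python
import math
import secrets
import string

UPPER = string.ascii_uppercase                 # the "4 random capital letters" alphabet
FULL = string.ascii_uppercase + string.digits  # 36 symbols
# Look-alikes named in the thread: O/0, I/L/1, 8/B, Z/2, S/5.
AMBIGUOUS = set("O0IL18BZ2S5")
SAFE = "".join(c for c in FULL if c not in AMBIGUOUS)  # 25 symbols remain


def keyspace(alphabet, length):
    """Number of equally likely passwords of this length."""
    return len(alphabet) ** length


def entropy_bits(alphabet, length):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(len(alphabet))


def length_for_bits(alphabet, target_bits):
    """Shortest length over `alphabet` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate(alphabet, length):
    """Draw a password with the OS CSPRNG, not a seeded or derived value."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def days_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case days for a rate limit to hold against exhaustive guessing."""
    return keyspace(alphabet, length) / guesses_per_second / 86400


if __name__ == "__main__":
    ref_len = 10  # assumed reference length, not MikroTik's actual format
    target = entropy_bits(FULL, ref_len)
    safe_len = length_for_bits(SAFE, target)
    print(f"4 capitals: {keyspace(UPPER, 4):,} ({entropy_bits(UPPER, 4):.1f} bits)")
    print(f"at 1 guess/s (assumed): {days_to_exhaust(UPPER, 4, 1):.1f} days")
    print(f"{ref_len} chars over 36 symbols: {target:.1f} bits")
    print(f"same strength over {len(SAFE)} safe symbols: {safe_len} chars")
    print("sample:", generate(SAFE, safe_len))
```

Removing the eleven look-alikes costs about half a bit per character, which two extra characters recover at this reference length.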