Use API over Internet. Is it secure?

Good afternoon everyone,

Currently running RouterOS 5.19, we are planning to do some API operations over the Internet, and our boss is worried about the passwords: whether they are sent in plaintext and whether it is secure enough to do this.
We don’t want people sniffing our passwords and doing unwanted operations on our devices :stuck_out_tongue:

Thank you everyone for your help and time.

Use ssh port forwarding in order to access local (or even remote) API interface. It should help with your security concerns.

Thanks for your reply :slight_smile:

Do you mean to use API over a SSH tunnel?
Well, I forgot to say that API commands are going to run on a PHP Server.

Regards

Exactly. SSH allows forwarding connections both ways. You can always use the following scenario:

  1. MikroTik API
    a. ip service enable api
    b. ip service set api address=127.0.0.1/32

  2. PHP Server
    a. ssh -L 28728:127.0.0.1:8728 <router-address>
      • run in background or on screen
    b. connect to api on: 127.0.0.1:28728
      • 127.0.0.1:28728 is the local ssh forward port; it will redirect all traffic to the remote location and connect to the remote’s 127.0.0.1:8728 (api service)

That way you are fully secure. No additional configuration required :wink:


There’s always option to make secure VPN network (you have sstp, l2tp, pptp, ovpn) and connect to central VPN server…

Hi sir
that configuration was really helpful! thanks a lot for sharing it with us

have a nice day

Note that even without an SSH tunnel, the RouterOS password is never sent in plain text. The whole procedure is a CHAP challenge, similarly to the one in hotspot. Without a tunnel, all other data is sent and received without any form of encryption though.

The whole process uses MD5 and someone may try to brute-force the password.

True, but at least it’s not clear text, and it still requires brute force, without rainbow tables and the like.

(Using an SSH tunnel is still better than no tunnel. I’m just saying that without a tunnel, the situation is one notch less dangerous than “everything is clear text”.)
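To make the point about the login concrete, here is an added example (not code from the thread or from MikroTik) that simulates the challenge-response described above: the MD5-based API login used by RouterOS of that era, where the client sends /login, receives =ret=<challenge>, and answers with "00" + MD5(0x00 || password || challenge). The word encoding, the username admin and the constructed challenge are assumptions for the demonstration; the same `server_verify` computation run over a captured challenge/response pair is exactly what makes offline guessing possible, which is why a tunnel still matters.

```python
import hashlib
import os


def encode_word(word: str) -> bytes:
    """Length-prefix one API word (only lengths below 0x4000 shown)."""
    data = word.encode()
    n = len(data)
    if n < 0x80:
        return bytes([n]) + data
    if n < 0x4000:
        return bytes([(n >> 8) | 0x80, n & 0xFF]) + data
    raise ValueError("word too long for this example")


def encode_sentence(words) -> bytes:
    """A sentence is a run of words terminated by a zero-length word."""
    return b"".join(encode_word(w) for w in words) + b"\x00"


def login_response(password: str, challenge_hex: str) -> str:
    """Client side: '00' + hex(MD5(0x00 || password || challenge bytes))."""
    digest = hashlib.md5(
        b"\x00" + password.encode() + bytes.fromhex(challenge_hex)
    ).hexdigest()
    return "00" + digest


def server_verify(stored_password: str, challenge_hex: str, response: str) -> bool:
    """Router side: recompute the response from the stored password and compare."""
    return response == login_response(stored_password, challenge_hex)


def simulate_login(password: str, attempt: str):
    """Run one login exchange and return what actually crossed the wire."""
    # Step 1: client sends a bare /login; router answers !done =ret=<challenge>
    challenge = os.urandom(16).hex()  # constructed challenge, not from a real router
    first = encode_sentence(["/login"])
    reply = encode_sentence(["!done", "=ret=" + challenge])
    # Step 2: client answers with name and the MD5-derived response
    second = encode_sentence(
        ["/login", "=name=admin", "=response=" + login_response(attempt, challenge)]
    )
    wire = first + reply + second
    ok = server_verify(password, challenge, attempt_response(attempt, challenge))
    return {"ok": ok, "wire": wire, "challenge": challenge}


def attempt_response(attempt: str, challenge_hex: str) -> str:
    return login_response(attempt, challenge_hex)
```

Note that `wire` never contains the password bytes, but it does contain both the challenge and the response, the two inputs `server_verify` needs.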

Excuse me to take this long to reply.
Actually we are doing tests and considering the best option to secure our Mikrotik devices. I would gladly thank everyone for their replies and time. :smiley:

Also, one of our options is to use an Ubuntu Server as PPTP Server, and all Mikrotik connect to it using PPTP Client, forcing all devices to use MS-CHAPv2 as encryption protocol, to ensure secure communications.

Thank you everyone again. :smiley:

MS-CHAP is not encryption, it’s authentication. Encryption in PPTP is MPPE, which is less secure than an SSH tunnel.

In light of recent work against MS-CHAPv2, and the fact that even Microsoft has deprecated PPTP (in favor of SSTP which is a little more sane from a protocol design standpoint), I’d be very wary of using PPTP in production for anything actually sensitive.

MS-CHAP was weak the day it was announced, which is why MS-CHAPv2 happened in the first place. PPTP is, well, PPTP. It’s byzantine from the perspective of protocol design, and when one works through the actual entropy involved in the keyspace, it’s ridiculously small.

If you want to read more about the current success against these, I’d suggest looking here.
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

For the horse’s mouth, you might look here:
http://blogs.technet.com/b/srd/archive/2012/08/20/weaknesses-in-ms-chapv2-authentication.aspx

Sorry for late reply; you’re right, I confused terms here. Thanks for correcting me :slight_smile:

Interesting, thank you very much; I’m going to look at this to improve the security of our communications. :slight_smile: