Where are usernames and passwords saved in the MikroTik cache? I’m not talking about usernames/passwords that have already been created by the admin, like hotspot users or PPPoE users; I’m asking: if somebody uses a wrong username/password, how do I know what credentials he is trying to use to log in?
Why is it that an administrator of MikroTik cannot see the user password?
For example, I have MT user logins admin1, with full rights, and admin2, with limited privileges. admin2 forgot or changed his password and I need to know it; how do I find out, apart from changing it after I log in as admin1?
Why is it not possible? I think it can be, because there’s a login page with a username form and a password form; when you write the user/pass into the form and submit, these credentials are sent to the server for checking. But I think they’re encrypted, they’re not in clear text, although the encrypted text must be revealed to the admin.
It’s generally not a common practice, and actually a rather stupid one, to store a user password in plain text. The most common method is that the user password is hashed with a salted MD5 and compared to the stored hash in the system.
It seems most systems are going to SHA-256 now instead of MD5 because it increases the difficulty of brute-forcing hashes if someone happens to get the database. It still doesn’t solve the problem of weak passwords, but the increased computation time slows down the process.
An administrator should never be able to see a user password. They should be able to reset it or change it, but never see the value. The human creature is a lazy animal; they’ll reuse passwords rather than create new ones for each site. The hashing system protects the users from dishonest administrators.
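Added example, not part of the original thread and not RouterOS code: a sketch of the "reset but never see" model described above. The `UserStore` class, its method names and the iteration count are assumptions, and it uses PBKDF2-HMAC-SHA256 (a deliberately slow construction built on SHA-256) in place of a single salted hash.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash: PBKDF2-HMAC-SHA256 over the UTF-8 password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """Hypothetical user table that keeps only (salt, hash) per account."""

    def __init__(self):
        self._records = {}

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh random salt on every change
        self._records[user] = (salt, hash_password(password, salt))

    def verify(self, user: str, attempt: str) -> bool:
        record = self._records.get(user)
        if record is None:
            # Hash anyway so unknown users take as long as known ones.
            hash_password(attempt, b"\x00" * 16)
            return False
        salt, stored = record
        # Constant-time comparison of the recomputed and stored hashes.
        return hmac.compare_digest(stored, hash_password(attempt, salt))

    def admin_reset(self, user: str) -> str:
        """An admin can replace a password but has nothing to read back."""
        if user not in self._records:
            raise KeyError(user)
        temporary = secrets.token_urlsafe(12)
        self.set_password(user, temporary)
        return temporary  # handed to the user once, never stored in clear

    def admin_view(self, user: str) -> tuple:
        """Everything an administrator (or a database thief) can see."""
        return self._records[user]
```

Two accounts with the same password get different stored hashes because each has its own salt, so the table does not reveal password reuse either.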
Anyway, usernames and passwords can be sniffed during user login. I got many user/pass by this method remotely; I’m using hacking techniques to get user/pass in clear text. Even if you are not an admin, just a normal user, you can figure out the users’ credentials. That’s why I always say MikroTik is hackable!
I doubt you can get SSH and encrypted Winbox passwords easily.
Anyway, for paranoid security, it is always possible to set up IPsec/other tunnel access to the router and block everything possible in the firewall to protect from guys like ahang.