RouterOS Devs:
The default user creation doesn't require a password, and defaults to blank, which means if someone simply does a:
/user add name=fred group=full
Then you can immediately log in as fred with no password. This creates a significant security issue that isn't immediately obvious. Furthermore, there is no way to tell if a password is set without SSH'ing to the host to see if it lets you on. So auditing this is difficult to do.
I propose the following to fix this:
1. Make password a required attribute to the /user add command. Then if you forgot a password, it will prompt you, and then if you leave it blank, at least it kind of warned you.
or
2. Like above, but force the user to choose a password, so that you can't have blank passwords other than the default admin password before it's changed.
or
3. /user aaa set use-blank-passwords=no and if that's set, then just don't allow blank passwords in the web interface or ssh.
Thanks,
schu
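
Until the device itself rejects blank passwords, one place to catch the problem described in the post above is in provisioning scripts before they are applied. The following is an added example, not part of the original post and not MikroTik code: it flags every `/user add` that lacks a non-empty `password=`, and goes slightly beyond the one-line form in the post by also handling the `/user` menu-context form and backslash line continuations. The function name and the sample script are constructed for illustration.

```python
import shlex

# Constructed sample of a RouterOS provisioning script (not from the original post).
SAMPLE_SCRIPT = '''\
# constructed provisioning script
/user add name=fred group=full
/user add name=alice group=read password="S0me-Long-Passphrase"
/user
add name=bob group=write password=""
add name=carol group=full \\
    password=another-passphrase
/ip address add address=192.0.2.1/24 interface=ether1
'''

def find_blank_password_users(script):
    """Return [(line_no, name)] for each '/user add' without a non-empty password=."""
    findings, context, pending, start = [], "", "", 0
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = no                       # first line of a (possibly continued) command
        if line.endswith("\\"):              # line continuation: join with the next line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)           # password="" becomes the token "password="
        words = [t for t in tokens if "=" not in t]
        args = dict(t.split("=", 1) for t in tokens if "=" in t)
        if tokens[0].startswith("/"):
            if not args and words[-1] != "add":
                context = " ".join(words)    # bare menu line such as "/user"
                continue
        else:
            words = context.split() + words  # "add ..." inherits the current menu
        if words == ["/user", "add"] and not args.get("password"):
            findings.append((start, args.get("name", "?")))
    return findings

if __name__ == "__main__":
    for line_no, name in find_blank_password_users(SAMPLE_SCRIPT):
        print(f"line {line_no}: user '{name}' would be created with a blank password")
```

This only checks script text before deployment; it says nothing about users already present on a router.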