mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Routers Coming with Default Passwords

Wed Mar 15, 2023 4:05 am

It seems the newer routers (such as the Hap AC3 and AX3) are coming with random passwords out of the box. I would like to start a request that this be removed as it is not a feature and that the default admin password be set to either admin or blank as it used to be.

As it stands right now, it is impossible to mass configure end-user customer router devices and join them to our management system with any amount of speed, as someone needs to manually open up the little tab, get the password which is a scramble of letters and numbers, and then manually log into the router.

Further, if the end user manages to scratch or destroy that tab somehow we have no record of the original password for the device.

This is a very bad move for MikroTik.

What are our options here?
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 4:19 am

I agree. This is a product SKU for professionals. This is going to be a huge pain. We don't need a nanny. Let us manage our own passwords. Blank passwords don't hurt the internet, people do.
 
HighTechLab
just joined
Posts: 5
Joined: Wed Mar 15, 2023 4:42 am
Location: Las Vegas

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 4:53 am

My Hap AC3 I received from Amazon 2 days ago had no default password, as is the same with the rest of the MT I've ever used.
 
harley
just joined
Posts: 1
Joined: Wed Mar 15, 2023 5:09 am

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 5:12 am

+1
This function stops us mass configuring devices.
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 5:56 am

It's an EU requirement AFAIK. Not sure it's required in the US, but perhaps it's in export regs, dunno. So in fairness, their hand may have been forced here. I'm still trying to unwind how this works myself on a couple of test hAPax3 we got.

But there is NOT a word of documentation about any of this.

We normally apply a default configuration using the Branding Kit package – so it's very unclear how that is going to work here. The /system/default-configuration shown does NOT seem to set the Wi-Fi password in code, but clearly it gets set someplace. And doing a /system/reset-configuration also seems to restore the admin and Wi-Fi password from the sticker, so they are somewhat sticky. For me, if the branding kit at least works with this scheme, it might be workable.

Haven't tried a netinstall, but guess that should clear these passwords. Forever? I dunno. There are no docs. So right now it's unclear what process folks should use to deal with this change.

Anyway, some documentation on how this works would be VERY helpful, since I'd imagine it will be a recurring thing that new devices will come with random passwords.
 
Larsa
Forum Guru
Posts: 1043
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 6:55 am

> It's an EU requirement AFAIK.

Just for consumer devices I believe (afaik). Docs with a list of devices affected would be very helpful though (MT!)
 
liviu2004
Frequent Visitor
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 7:08 am

Is there any product restricted to be sold to businesses only? No.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 7:20 am

@mhoppes

I agree with you completely, no need for a password at all!
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 7:28 am

> As it stands right now, it is impossible to mass configure end-user customer router devices and join them to our management system with any amount of speed, as someone needs to manually open up the little tab, get the password which is a scramble of letters and numbers, and then manually log into the router.
>
> Further, if the end user manages to scratch or destroy that tab somehow we have no record of the original password for the device.

So you are saying that someone has to look the password up so they can log into the router to set it up, but they aren't recording it in a database (or ansible vault) that is part of your management system? That is what I would do.

> I agree. This is a product SKU for professionals. This is going to be a huge pain. We don't need a nanny. Let us manage our own passwords. Blank passwords don't hurt the internet, people do.

The problem with that argument is that there are a lot of bad people on the internet. I agree that it will be a pain to automate, but an infected/compromised router does not only affect the home user, it makes a very powerful bot and it can be a powerful member of a DDOS. And even if only the LAN side has access to the management interface, an infected PC can easily carry out a brute force attack on a router.

These are being sold into the home/prosumer market.

What do you propose as an alternative that will encourage the use of a non-trivial password? What percentage of home routers that force the user to set a password in the initial setup have a password in the "top 100 worst password" list? (and that doesn't even include the nil password).

Even "professionals" are quite lax when it comes to passwords. How do you propose that the problems described in https://routersecurity.org/RouterNews.php be avoided?

I remember as a kid (around 1966) that our car had seatbelts but I think they were only in the front seat, but there was no law requiring the use of seatbelts or any fines for not using them. There was no law enforcement requiring the use of seat belts until ~1985 (New Hampshire in the USA is the only state that still does not require adults to wear seat belts while operating a vehicle on a public highway), and after there were fines for non-compliance, then there was higher seat belt usage.

If these still had a piezo buzzer, one thing that could be done to make it more obvious there was something trying to brute force the router from the inside (rogue IoT device?) would be to have the router play a distinct sound on login failure, and another on successful login (and these should be configurable on/off by the user). @rextended could probably write a script to do it.

But this is a serious question, how do you propose to harden the router by default? I see that others have noted that it may be a requirement in the EU, I won't be surprised if it becomes a requirement in the USA as well for routers that are targeted towards consumers.
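
The LAN-side brute-force scenario in the post above (an infected PC guessing the router's admin password, with one signal on login failure and another on success) can be checked for in the router's login log. The following is an added example, not part of the thread and not MikroTik code; it assumes log lines shaped like the constructed samples, a LAN of 192.168.88.0/24, and a threshold of 5 failures within 60 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. The message wording ("login failure for user X from
# Y via Z" / "user X logged in from Y via Z") is an assumed format.
SAMPLE_LOG = """\
2023-03-15 07:28:01 system,error,critical login failure for user admin from 192.168.88.23 via ssh
2023-03-15 07:28:02 system,error,critical login failure for user admin from 192.168.88.23 via ssh
2023-03-15 07:28:03 system,error,critical login failure for user admin from 192.168.88.23 via ssh
2023-03-15 07:28:04 system,error,critical login failure for user admin from 192.168.88.23 via ssh
2023-03-15 07:28:05 system,error,critical login failure for user admin from 192.168.88.23 via ssh
2023-03-15 07:28:06 system,error,critical login failure for user admin from 192.168.88.23 via ssh
2023-03-15 07:28:09 system,info,account user admin logged in from 192.168.88.23 via ssh
2023-03-15 07:30:00 system,error,critical login failure for user admin from 192.168.88.10 via winbox
2023-03-15 07:30:20 system,error,critical login failure for user admin from 192.168.88.10 via winbox
2023-03-15 07:30:40 system,info,account user admin logged in from 192.168.88.10 via winbox
2023-03-15 07:31:00 dhcp,info defconf assigned 192.168.88.50 to a constructed client
2023-03-15 08:00:00 system,error,critical login failure for user admin from 192.168.88.50 via web
2023-03-15 08:03:00 system,error,critical login failure for user admin from 192.168.88.50 via web
2023-03-15 08:06:00 system,error,critical login failure for user admin from 192.168.88.50 via web
2023-03-15 08:09:00 system,error,critical login failure for user admin from 192.168.88.50 via web
2023-03-15 08:12:00 system,error,critical login failure for user admin from 192.168.88.50 via web
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?:login failure for user (?P<fuser>\S+)|user (?P<suser>\S+) logged in)"
    r" from (?P<src>\S+) via (?P<svc>\S+)$"
)

LAN = ip_network("192.168.88.0/24")   # assumed LAN subnet
WINDOW = timedelta(seconds=60)        # assumed sliding window
THRESHOLD = 5                         # assumed failures per window


def parse(line):
    """Return a login event dict, or None for lines that are not login events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ok": m["suser"] is not None,
        "user": m["suser"] or m["fuser"],
        "src": m["src"],
        "svc": m["svc"],
    }


def origin_of(src, lan=LAN):
    """Classify the source as 'lan' or 'wan'."""
    try:
        return "lan" if ip_address(src) in lan else "wan"
    except ValueError:
        return "lan"  # not an IP (e.g. a MAC-based login), so layer-2 adjacent


def detect(lines, window=WINDOW, threshold=THRESHOLD, lan=LAN):
    """Flag sources with >= threshold failures inside the window, and any
    successful login that later comes from a flagged source."""
    recent = defaultdict(deque)  # src -> timestamps of failures in the window
    flagged = set()              # sources already reported (kept for the run)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()          # drop failures that fell out of the window
        detail = (origin_of(ev["src"], lan), ev["src"], ev["user"], ev["svc"])
        if ev["ok"]:
            if ev["src"] in flagged:
                alerts.append(("success-after-bruteforce",) + detail)
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append(("bruteforce",) + detail)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two mistyped logins from 192.168.88.10 and the slow failures from 192.168.88.50 stay below the threshold; only the burst from 192.168.88.23 and its subsequent successful login are reported.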
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 10:55 am

I don't see all these problems...
For the mass configuration the password is completely ignored, so I have to pick up the device to connect it to the ethernet cable,
when I'm there holding down reset takes a moment, and with the branding package I can set the default password that I like...
(I wrote default, not the one when the device remains "left to itself" in operation).

And if you lose the default password (of the device), who cares, the device is already yours and if it has the branding, in case of reset it puts back the one already known.

As far as private individuals are concerned, it's not a tragedy, it doesn't change anything...
It doesn't take much for a private individual to manage and save a few passwords...

I see a huge increase in security, indeed if it were up to me I would prevent using empty passwords, at least with "standard" users such as admin, root, superuser & co.
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 3:42 pm

Not saying the "admin" / no password thing shouldn't have been improved. This change is going to affect a LOT of people's workflow/processes/training/etc. While perhaps solvable with netinstall – even that will only be clear with testing since there are no other docs on what should/shouldn't happen with this built-in password under what cases.

While that ship has already sailed, these "stickers" seem like a backwards-looking way to solve the "no password" problem. If you look at Starlink, you plug in cables, and it has an open Wi-Fi, and asks for a password to be set. There is no "sticker" but certainly there is "no password". And I don't think they're stopping Starlink sales in the EU because of that.

I guess I would have preferred an actual forced password change, before allowing any configuration. Instead, this "sticker" approach is going to be annoying for all concerned, e.g. an end-user who may not find it, then may not be able to read it, and an ISP/OEM who now has to track this & develop new processes around it.
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 3:48 pm

> > As it stands right now, it is impossible to mass configure end-user customer router devices and join them to our management system with any amount of speed, as someone needs to manually open up the little tab, get the password which is a scramble of letters and numbers, and then manually log into the router.
> >
> > Further, if the end user manages to scratch or destroy that tab somehow we have no record of the original password for the device.
>
> So you are saying that someone has to look the password up so they can log into the router to set it up, but they aren't recording it in a database (or ansible vault) that is part of your management system? That is what I would do.
>
> > I agree. This is a product SKU for professionals. This is going to be a huge pain. We don't need a nanny. Let us manage our own passwords. Blank passwords don't hurt the internet, people do.
>
> The problem with that argument is that there are a lot of bad people on the internet. I agree that it will be a pain to automate, but an infected/compromised router does not only affect the home user, it makes a very powerful bot and it can be a powerful member of a DDOS. And even if only the LAN side has access to the management interface, an infected PC can easily carry out a brute force attack on a router.
>
> These are being sold into the home/prosumer market.
>
> What do you propose as an alternative that will encourage the use of a non-trivial password? What percentage of home routers that force the user to set a password in the initial setup have a password in the "top 100 worst password" list? (and that doesn't even include the nil password).
>
> Even "professionals" are quite lax when it comes to passwords. How do you propose that the problems described in https://routersecurity.org/RouterNews.php be avoided?
>
> I remember as a kid (around 1966) that our car had seatbelts but I think they were only in the front seat, but there was no law requiring the use of seatbelts or any fines for not using them. There was no law enforcement requiring the use of seat belts until ~1985 (New Hampshire in the USA is the only state that still does not require adults to wear seat belts while operating a vehicle on a public highway), and after there were fines for non-compliance, then there was higher seat belt usage.
>
> If these still had a piezo buzzer, one thing that could be done to make it more obvious there was something trying to brute force the router from the inside (rogue IoT device?) would be to have the router play a distinct sound on login failure, and another on successful login (and these should be configurable on/off by the user). @rextended could probably write a script to do it.
>
> But this is a serious question, how do you propose to harden the router by default? I see that others have noted that it may be a requirement in the EU, I won't be surprised if it becomes a requirement in the USA as well for routers that are targeted towards consumers.

You don't harden the router by default. You let the person installing it harden it. If they fail, it's their problem. For example, access from the WAN can be disabled by default and only accessible via LAN, that's a good start. From there, if your router gets hacked because you used password 'admin', that's your problem.
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 3:49 pm

> I don't see all these problems...
> For the mass configuration the password is completely ignored, so I have to pick up the device to connect it to the ethernet cable,
> when I'm there holding down reset takes a moment, and with the branding package I can set the default password that I like...
> (I wrote default, not the one when the device remains "left to itself" in operation).
>
> And if you lose the default password (of the device), who cares, the device is already yours and if it has the branding, in case of reset it puts back the one already known.
>
> As far as private individuals are concerned, it's not a tragedy, it doesn't change anything...
> It doesn't take much for a private individual to manage and save a few passwords...
>
> I see a huge increase in security, indeed if it were up to me I would prevent using empty passwords, at least with "standard" users such as admin, root, superuser & co.

How do you mass brand though when you have to look up the password for each router individually?
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 3:50 pm

> Not saying the "admin" / no password thing shouldn't have been improved. This change is going to affect a LOT of people's workflow/processes/training/etc. While perhaps solvable with netinstall – even that will only be clear with testing since there are no other docs on what should/shouldn't happen with this built-in password under what cases.
>
> While that ship has already sailed, these "stickers" seem like a backwards-looking way to solve the "no password" problem. If you look at Starlink, you plug in cables, and it has an open Wi-Fi, and asks for a password to be set. There is no "sticker" but certainly there is "no password". And I don't think they're stopping Starlink sales in the EU because of that.
>
> I guess I would have preferred an actual forced password change, before allowing any configuration. Instead, this "sticker" approach is going to be annoying for all concerned, e.g. an end-user who may not find it, then may not be able to read it, and an ISP/OEM who now has to track this & develop new processes around it.

Correct, this is what should have happened... you log in and it asks you to set a password the first time..... that can be automated to set our default user-router password then, or whatever the end user wanted to use. As it stands right now, this has suddenly become a show stopper for us to continue to deploy these products.
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 4:22 pm

> You don't harden the router by default. You let the person installing it harden it.

Indeed. But not on consumer market. If devices are sold on consumer market, they should come hardened from factory. Recently we've had a user who never changed any configuration because his RB worked as he wanted simply by plugging in.

And yes, low prices of MT devices are attracting non-knowledgeable consumers. The prosumer or professional gear comes with higher prices and thus people without any knowledge (a.k.a. dummies) tend to stay away from those devices.

> From there, if your router gets hacked because you used password 'admin', that's your problem.

Again, if device is sold on consumer market, it should be assumed that LAN devices are (mis)managed to the same level. Many malwares running on a client PC will try to infect routers they can find. And mismanaged routers are then easy targets, especially so if admin password is weak.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 4:39 pm

> How do you mass brand though when you have to look up the password for each router individually?

Why?
As I have already written, I must unpack and plug the device to the ethernet cable, what does it take to hold down reset?
I don't care what password it has.

At this point I'm wondering how do you mass configure... You enter them one by one, without password, etc., or if you just netinstall them all with the default script...
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 4:58 pm

> > How do you mass brand though when you have to look up the password for each router individually?
>
> Why?
> As I have already written, I must unpack and plug the device to the ethernet cable, what does it take to hold down reset?
> I don't care what password it has.
>
> At this point I'm wondering how do you mass configure... You enter them one by one, without password, etc., or if you just netinstall them all with the default script...

Will net install remove the default password and set it to something known by us?
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 5:07 pm

> what does it take to hold down reset?

Push and hold reset also uses the "sticker" password. But correct that a longer press gets you waiting for netinstall. @rextended deduced in another thread that netinstall may be built in to RouterOS at some point, so the process for that may become easier. And the Linux versions of netinstall are a much improved way of doing netinstall even today.

> As it stands right now, this has suddenly become a show stopper for us to continue to deploy these products.

This may be a different method than you're using, but I'm pretty sure the combo of netinstall and a branding kit applying a new default config file would likely work around this. I need to test this myself, as a result of this change, so not 100% sure. But if you look at /system/default-configuration/script, they do seem to have variables with both the Wi-Fi password ($defconfWifiPassword) and "admin" password ($defconfPassword) as variables to the /system/default-configuration e.g.
 /interface wifiwave2 {
   set $ifcId security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=$defconfWifiPassword
 }

 :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
   /user set admin password=$defconfPassword
   :delay 0.5
   /user expire-password admin 
 }
Maybe they're available to netinstall configure script, without the branding package, dunno. Or does netinstall just wipe the sticker password with the disk, also dunno.

But it's not that hard to cut-and-paste a modified default config to a branding package, and deploy both the branding NPK with a routeros NPK. In some ways netinstall offers some security benefits since it does wipe the (most of the) disk.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 5:19 pm

> Will net install remove the default password and set it to something known by us?

These questions surprise me, it seemed to me that you were an expert in mass configuration...
I have understood badly...

If you netinstall the device without the flag "Apply default config" (with -r on Linux) or using "Configure script" it never runs defconf
so password (on sticker) and other things are never set...

How to retrieve the default password if the label is damaged?
Use netinstall with this custom script... try to guess where you can read the password...

netinstall custom script code

    /sys id set name=$defconfPassword
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 6:31 pm

Even my cat knows you can preconfigure netinstall............ (with script).

"When using the Configure script option, it is suggested to introduce a delay before configuration execution."
https://help.mikrotik.com/docs/display/ROS/Netinstall
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Wed Mar 15, 2023 6:34 pm

Yes, because if you want to set wifi or another interface that appears later because the driver must be loaded, the script fails.

If it is a simple thing, like setting the system identity, that does not involve waiting for something to load, the delay is not needed.
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: Routers Coming with Default Passwords

Wed Apr 05, 2023 9:56 pm

> > How do you mass brand though when you have to look up the password for each router individually?
>
> Why?
> As I have already written, I must unpack and plug the device to the ethernet cable, what does it take to hold down reset?
> I don't care what password it has.
>
> At this point I'm wondering how do you mass configure... You enter them one by one, without password, etc., or if you just netinstall them all with the default script...

Shell script that SSHes into the device and applies the configuration.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 9:35 am

Your SSH script will simply have to be modified to use the netinstall-cli command line interface that reinstalls the device and applies your custom config. It is a change, but not that drastic.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 10:58 am

@everyone
Please stop being hypocrites.
Better security helps everyone.
Those who complain probably don't know how to organize or do their job.

As long as the RouterBOARDs arrive from the distributors without the protected-routerboot active,
THOSE WHO WORK WITH IT can use NetInstall without problems to first do the software update to a consistent version,
and then set a default password that allows provisioning as before...
But if you're doing NetInstall it can already be fed Branding and/or Configuration Script in one pass.

SPOILER: And then it will soon be possible to use RouterOS 7.10 to use NetInstall directly on RouterOS (and with Container it can already be done)
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 11:13 am

"Convenience is the worst factor for securing systems"
<unknown>

I understand it may create some "friction" with the new way of doing but it is not such a big issue when you adapt the process (as indicated, netinstall or branding package).
And let's face it, most of the devices which are being complained about in this thread, ARE by far home-use devices.
Don't count on a home user to set a decent default password. Just don't.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 11:17 am

Better prepare in advance, than suffer when it's too late.
Imagine even if there is no legislation. How about just for sake of basic security?
A scenario where you purchase a device that has nice default config. You plug in your ISP and your internet works (because DHCP client and default NAT, you don't even need to log in once). So you plug it in and leave it. Then a malware in your Windows PC scans the LAN and supplies some malicious config on your router, as there is no password. And then imagine this on a million devices.

So ... better safe than sorry.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 11:19 am

> So ... better safe than sorry.

Please, Please, Please, NEVER activate protected-routerboot on default batch!!!
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 11:20 am

Btw you can boot into cap mode and work as usual.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 11:39 am

> Btw you can boot into cap mode and work as usual.

It is not as easy as "press the button until netinstall start"... (And not all devices are CAP clients....)
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 12:11 pm

Any router can be booted into cap mode, especially the ones that have defconf with a password.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 12:17 pm

> Any router can be booted into cap mode, especially the ones that have defconf with a password.

I know, but it is better for the installer the concept "press until not appear" than count exactly 10 seconds (or check if LED turns solid on brighter environment)...

And in any case when connected to the capsman, the server does not change (or create) username and the "label" password and other needed parameters...
Am I wrong?

Try to put one RB5009 as CAPsMAN client....
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 12:27 pm

I am quite happy that MikroTik finally does something about the "blank password", but I am a bit worried by the text in the newsletter:

> Contact your MikroTik distributor if you lost access to the stickers and need help finding the default
> password. We've provided tools for distributors to assist you in such a case.

Hopefully the default password is really a unique password stored in the device, and not something derived from e.g. the MAC address via some "super secret function".
Experience with many other manufacturers that implemented this before, the "super secret function" will invariably leak, and tools like what you supplied to the distributor will become available for everyone.

(of course it could be that the tool for distributors does a query at some service at MikroTik, and we can hope that access to that service will be well-secured)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 12:50 pm

3 considerations:

1) If you do protected-routerboot, no matter if you have or not "sticker" or ask distributor for password.

2) For sure end user can consider "sticker" password sure, and do not change it, and if (can happen) the database (or algorithm) of passwords is stolen....

3) Probably the password is based on NAND / Flash serial number (is not the device serial number). Impossible to obtain directly with standard way.
To retrieve the password from the distributor probably you must provide device serial number, and the password is with the serial number...............
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 1:53 pm

The password is unique and random, but we do have it in a database in readable form (I mean, this is still better than blank). You can't guess it, but you will need to change it anyway.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 1:56 pm

> The password is unique and random, but we do have it in a database in readable form (I mean, this is still better than blank). You can't guess it, but you will need to change it anyway.

That's okay, it's the right way to do it.
Surely it's more secure than a blank password...
And then, if the protected-routerboot is not active by default, it is easy for those who have to develop a network to configure the devices...
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 2:02 pm

There is no way it will be default. We might even remove this function, since some people manage to lock their device irreversibly.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 2:08 pm

> some people manage to lock their device irreversibly

(referred to protected-routerboot - N.D.R)

Why not restore that function as in the initial version?:
When you press the button for the exact right number of seconds, wipe the config (except licence) and you can do netinstall to restore a damaged OS,
or keeping it pressed for 10 minutes format all NAND/Flash (wipe the config except licence) and require netinstall....
The difference between the X seconds and the 10 minute timeout is just to prevent the accidental (...???...) reset of the router config by end user...

On this old way it was perfect...

protected-routerboot feature is used for WISP not to protect from physical stealing of the device but:
1) Hide the config (keys, cert, etc.) from the other competitors or to the end user...
2) Prevent the user from resetting the router like the crap competitors.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 4:06 pm

There will be videos coming up on this "feature". As a note, thanks to a post here I would never have gotten into my AX3. I normally throw away any silly paperwork in the box and just access the router and start working on it. Hence I had no clue about a pull-out tab LOL.
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 4:12 pm

The problem is that this protection feature has too many goals:
- to protect against viewing of the configuration that includes secrets
- to protect against reset of the configuration by a customer, losing the connection and requiring technician visit to fix it
- to protect against stealing of the device and re-use for another purpose

The first two are "easy" to achieve using the timed button press tricks, but when the last one is also included it will lead to inadvertent permanent locks...
Maybe that function could be optional and be part of a branding package. Normal users would not be able to lock their device but those WISPs that are in an environment where this is an issue could still enable it via their branding package.
Of course that assumes that normal users are not going to play with branding packages...
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 4:13 pm

There will be videos coming up on this "feature". As a note, thanks to a post here I would never have gotten into my AX3. I normally throw away any silly paperwork in the box and just access the router and start working on it. Hence I had no clue about a pull-out tab LOL.
As a matter of fact, it is also mentioned in the Quick guide on the website.
Even with a picture where the tab is with the sticker.
https://help.mikrotik.com/docs/pages/vi ... =110362626

I guess you don't read those guides either ?
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 4:17 pm

The password is unique and random, but we do have it in a database in readable form (I mean, this is still better than blank).
That is of course the way to do it.
It may be helpful to pack another copy of the sticker, still on its backing, with each device.
That way those that are afraid of losing access to the sticker could put those on a device documentation page in a binder.
Or maybe have some QR code with the relevant information (device type, serial number, MAC address, password) so that one could scan it and put it in the asset tracking system.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 4:28 pm

One copy is on the device, another password is on a sticker on the quick guide paper, third copy is in the distributor database - if you call them, they could get it. And like I said, if all else fails, Netinstall will remove it.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 4:34 pm

What's that second copy ? Never seen it. Not on AC3, not on AX3, not on AX2.
As a matter of fact, just happen to have AX Lite lying here next to me on my desk with the box it came in.
The quick guide paper says there is "no default password" ?!?!
But I know there is. I had to get it from the sticker. That same sticker which has plenty of space to make the font larger.

Oddly enough: the quick guide on the product page DOES mention that on some models there is a password on the label.
Not on the leaflet which was in the box.
BTW 2 steps before the section I highlighted is already a first problem. You can't connect to the wireless network without a password.

So somewhere there is a leak in that documentation quality assurance process ...
2023-04-06_15-16-44.jpg
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 6:38 pm

Yeah, documentation is lacking/not updated in a few places. E.g. it should be clear what models this applies to – or if it's going to be all new routers... that would also be good to know so folks can prepare... E.g. I was caught off guard since I thought it was just the EU models, not the US model, that had default passwords...

But do agree the admin/(no password) needed to be fixed. While UX/docs aren't great, MT does seem to pick the least invasive way to do this. In my case, we use a branding package, so same netinstall, or just a few steps to use a "sticker password" to login to copy package+reset. And since variables in the default/netinstall script, you can still replace the defconf and not break the scheme, which was my initial concern.

It's folks that use SSH/etc. where this is going to be annoying... But @mrz's suggestion to put it into cAP mode might allow that model to still work... dunno
any router can be booted into cap mode, especially the ones that have defconf with a password.
Last edited by Amm0 on Thu Apr 06, 2023 6:45 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 6:44 pm

Why waste paper?
Write a link / qr code directly on the box where the site to visit for the guide is written...
In this way, any errors in the guide can already be resolved even for devices that are already distributed and not sold.
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:15 pm

I think the reason why people worry about the sticker is that it may end up in a physically inaccessible place e.g. on a roof, in some equipment room, etc.
Also those people do not consider themselves able to archive the password in some asset tracking system, a general password store app, etc.
That is why I suggested putting an extra sticker in the package so they will be able to stick it in some notebook.
Apparently there already is a sticker on the "quick start leaflet" but I do not know if it can easily be peeled off and put somewhere else, and also not if these leaflets are still so ridiculously small that you immediately lose them...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:17 pm

Ok, right, but....

1) Create one account on mikrotik.com, register your own device, access the account again if you lost the default password, and read it again.
2) Register TikApp on Google and add the password directly to google keychain
3) etc.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:18 pm

Small pieces of paper are usually nauseating copyright FCC crap that goes direct into garbage. Don't put important sticker on crap paper, put it on the router like a pull tab, router will not work unless you pull this tab from the crack LOL.
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:19 pm

1) Create one account on mikrotik.com, register your own device, access the account again if you lost the default password, and read it again.
2) Register TikApp on Google and add the password directly to google keychain
3) etc.
Well, that be a possible feature at any point...since they have the passwords ;)

With @pe1chl here... it's the small details that got missed in this change...

The 2nd set of stickers is a good idea – the RB9xx etc used to do that actually.
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:27 pm

Better prepare in advance, than suffer when it's too late.
Imagine even if there is no legislation. How about just for sake of basic security?
A scenario where you purchase a device that has nice default config. You plug in your ISP and your internet works (because DHCP client and default NAT, you don't even need to log in once). So you plug it in and leave it. Then a malware in your Windows PC scans the LAN and supplies some malicious config on your router, as there is no password. And then imagine this on a million devices.

So ... better safe than sorry.
That's bad... but that's the user's problem, not mine and not yours.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:51 pm

And in your opinion, after that, where does the user go to break balls?
I don't think you work with the public...
Last edited by rextended on Thu Apr 06, 2023 7:53 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 7:52 pm

That's bad... but that's the user's problem, not mine and not yours.
When MikroTik routers get a bad reputation "because they are so insecure" and then nobody sells them or they become forbidden by law, it becomes our problem as well.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 8:12 pm

Apparently there already is a sticker on the "quick start leaflet" but I do not know if it can easily be peeled off and put somewhere else, and also not if these leaflets are still so ridiculously small that you immediately lose them...
Could be but I have never seen them on those devices I had in my hands yet requiring the sticker password.
AC3, AX Lite, AX2, AX3
Never seen it.
And I unfold all papers in the box.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 8:22 pm

Password Manager. Although the hAP ac3 I recently received still had the old default blank password, if I receive anything new that has the "new" unique password, that will immediately go into my password manager. Yea, I'm an individual, not trying to deploy large numbers of devices.

OK, as soon as I powered the hAP up, I used the NetInstall procedure to put an amateur radio network called AREDN into it...
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 8:26 pm

Oh, but I also use a password manager since that new mechanism came into place.
But I can imagine for someone having to handle multiple devices a day, some typos will happen.
Unless they netinstall as first action...
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Routers Coming with Default Passwords

Thu Apr 06, 2023 9:20 pm

If you are using a password manager, you should create a new user and set the password with the password manager, then log into the new user using the password stored in the password manager, and from the new username, delete the admin username. If you do that you shouldn't get locked out because of a typo.
 
BrianHiggins
Forum Veteran
Posts: 702
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Re: Routers Coming with Default Passwords

Fri Apr 21, 2023 2:38 am

Chiming in here, I added this to the newsletter post but I felt it needed to be included here.
Like several others here, we do automated deployment of devices, the process is we plug in 20 routers at a time into our bench PoE switch on ether1, then we load up our in-house deployment tool, and plug in a 2nd cable into ether 2-4 (this is for hAP routers btw), the deployment tool tries every 15 seconds to connect to 192.168.88.1 with admin and a blank password, once connected it then checks the OS version, upgrading or downgrading as necessary from the factory software to have it running v6.49.7, then when that's complete it automatically loads the branding package dpk with the rest of our deployment config and reboots. After it's gone through all 20 routers, it then monitors and alerts the technician when they all are completed. After that they are boxed and labeled.

This onboarding process also automatically records the device serial number, MAC address, and installation date for later reference. We typically program and ship a case of 20 routers in a little over 30 minutes from start to finish if someone is quick about getting them unboxed and labeled / re-boxed. We don't even pull the routers fully out of the plastic bag to try to avoid getting fingerprints on the soft touch black plastic cases.

Commercial users like myself require an automatable process to onboard and program routers. Your biggest customers do NOT have time to read the stickers on the routers to log into them. We've invested a huge amount in MikroTik, and based on what our distributor tells me I'm one of the largest purchasers of various hAP models of router in North America. It would be tragic to throw it away because we can no longer onboard new devices.

IF there was a way to trigger netinstall without logging into the device first, that might be an option, however that would still be a *far* slower process than we are using right now, and time costs money. Our deployment tool (which uses the API to connect to the router, is web based, and is being opened from a web browser of a smart TV mounted on the wall) does not need to go through the slow reformatting process every time, nor does it even load a new OS version if the device shipped from the factory with the correct OS version (which is about 50% of the time).

We currently do not have any computer at all in the building involved in the setup and deployment of routers, it's all run from that webserver configured to access the API on new devices. We don't have trained technical people programming these routers, they are only trained on plugging in a cat 5 cable, waiting for a beep, wait ~20 seconds watching the screen for the instruction that it's time to move the cable to the next router, and then when done box and label the routers. Tomorrow we have 80 various routers scheduled to get programmed and shipped, and it's expected to take a total of 2.5 hours. I challenge ANYONE here to netinstall an OS and branding package on 80 routers, label the boxes and repack them, in under 3 hours. Most of these solutions being proposed above couldn't do 80 routers in a whole day.

I'm not against making changes to the deployment process, but they must be ones that are automatable, they cannot rely on someone having to read the small label or anything like that. We have built business processes around this workflow and invested lots of time and money into developing them, while some may sanctimoniously think this is no big deal and you can "just" do XXX instead, what those arguments fail to give any thought to is that XXX process takes a LOT more time and effort and training.

As for the labels themselves, I can't tell you the number of times I've had people report to me that the serial number on a device label is no longer readable after being deployed to end users for a couple of years. We track and issue all the devices by serial number so we have a lot of experience with this occurring.

In theory this was what the old flashfig tool was supposed to do, but I had never once gotten it to actually work, and recent versions of netinstall don't even include it, so I think it's been deprecated and discontinued.

@Normis, if you have these passwords stored in files somewhere, one acceptable solution would be to create an API to allow the default password to be looked up by authorized & vetted companies that do automated deployments, this would need to be searchable by MAC address. For example our deployment software could authenticate to your API, I pass you a MAC address and you reply with the default password. For additional security you could even limit a device password to only being accessed once this way without some additional verification step. This would allow a vendor like myself to auto program devices while still shipping the devices with a unique default password.
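The lookup-by-MAC API proposed in the post above, sketched as an added example: it is not part of the thread and is not a MikroTik API. The class and method names, scoping each lookup to the company the unit was sold to, the `rearm` step and all sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time


class LookupDenied(Exception):
    """Every refusal looks the same to the caller; the reason is only logged."""


def normalize_mac(mac):
    """Accept AA:BB:.., aa-bb-.. or aabb.cc.. and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PasswordEscrow:
    """Hypothetical vendor-side store of factory passwords, keyed by MAC."""

    def __init__(self):
        self._key_hashes = {}  # client_id -> SHA-256 of that client's API key
        self._devices = {}     # MAC -> {"password", "owner", "released"}
        self.audit = []        # (timestamp, client_id, mac_as_sent, outcome)

    def add_client(self, client_id, api_key):
        self._key_hashes[client_id] = hashlib.sha256(api_key.encode()).digest()

    def add_device(self, mac, password, owner):
        self._devices[normalize_mac(mac)] = {
            "password": password, "owner": owner, "released": False}

    def _deny(self, client_id, mac, outcome):
        self.audit.append((time.time(), client_id, mac, outcome))
        raise LookupDenied("lookup refused")

    def lookup(self, client_id, api_key, mac):
        """Return the factory password once, to the company the unit was sold to."""
        stored = self._key_hashes.get(client_id, bytes(32))
        supplied = hashlib.sha256(api_key.encode()).digest()
        # The hash comparison always runs and is constant-time.
        matches = hmac.compare_digest(stored, supplied)
        if not (matches and client_id in self._key_hashes):
            self._deny(client_id, mac, "bad-credentials")
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            self._deny(client_id, mac, "bad-mac")
        device = self._devices.get(canonical)
        # An unknown MAC and another company's MAC get the same refusal, so the
        # API cannot be used to find out which units exist.
        if device is None or device["owner"] != client_id:
            self._deny(client_id, mac, "not-owned")
        if device["released"]:
            self._deny(client_id, mac, "already-released")
        device["released"] = True
        self.audit.append((time.time(), client_id, mac, "released"))
        return device["password"]

    def rearm(self, mac):
        """Operator action after the additional verification step."""
        self._devices[normalize_mac(mac)]["released"] = False


def demo():
    """Constructed data: an RFC 7042 documentation MAC and made-up secrets."""
    escrow = PasswordEscrow()
    escrow.add_client("wisp-a", "constructed-key-a")
    escrow.add_client("wisp-b", "constructed-key-b")
    escrow.add_device("00:00:5E:00:53:01", "CONSTRUCTED-PW-01", owner="wisp-a")
    attempts = [("wisp-a", "constructed-key-a", "00-00-5e-00-53-01"),  # first read
                ("wisp-a", "constructed-key-a", "00005E005301"),       # repeat read
                ("wisp-b", "constructed-key-b", "00:00:5E:00:53:01"),  # other firm
                ("wisp-a", "wrong-key", "00:00:5E:00:53:01")]          # bad key
    results = []
    for client_id, key, mac in attempts:
        try:
            results.append(escrow.lookup(client_id, key, mac))
        except LookupDenied:
            results.append(None)
    return results, [entry[3] for entry in escrow.audit]


if __name__ == "__main__":
    print(demo())
```

The audit list is what makes the one-time rule reviewable: a second request for the same MAC shows up as `already-released` next to the client that asked.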
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Routers Coming with Default Passwords

Mon Mar 04, 2024 11:36 pm

@BrianHiggins
I agree totally. it's really gotten difficult and overly complicated to deploy mikrotiks as of past few years.
3x issues (in order):
1- default passwords (and no way to wipe that PW) - we can't be expected to retain these passwords for each device (or have to reach out to XYZ to get it, at 3am when equipment may be hard to reach - unless that is an automated 24/7 type of system, or better yet see solution to #3)

2- The default configuration overly locked-down (ie no way for legitimate admins to get into RB in a remote/remote-hands situation) (i know some will disagree with me on this one and their concerns may be valid) -My suggestion is that there be a compromise and for example holding the reset button for 30 or even 60 seconds fully wipes default config (ie same as /sys reset no-defaults=yes , if you include that the long press also wipes the factory password, then you have a solution to ALL 3x OF THESE!! :) )

3- remove / exclusion of serial ports - (and lack of clear documentation on this) - ie Last week was working on an RB5009, rumors (not docs) state that you can attach a USB serial adapter and thus get OOB access like before (could not get this to work and i use serial frequently) - thus am forced to wipe/default wipe, and deal with issues #1 and #2 above ( loop)

I feel several of these are an overreaction to bad press mikrotik has received over the past few years (In my opinion unfair PR against mikrotik re; security). I know in some cases legislation is involved, but only applies to default/fresh out of box experience for *consumers*.

I hope mikrotik changes one or more of these going forward.
thanks
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Tue Mar 05, 2024 12:05 pm

You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Tue Mar 05, 2024 4:31 pm

You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
Or, not understanding a long press is how you get PXE boot mode (for netinstall). And that Mikrotik is not going to reverse course on the passwords.

To me it seems @jo2jo's problem could be solved with a branding package with a replaced default config (with his preferred no/limited config) – that be 7 second button press to trigger. And if you control the default config...well... there should be less of need for serial.

Now on #3 (serial support)... I'm not sure of the serial support via USB on RouterBOOT on RB5009... USB serial is always a PITA. But it's fair to say Mikrotik has no docs on some "known working" USB-to-serial chipset. Now Mikrotik does sell some USB serial-to-WiFi things – never used them myself, since I use my own branding with a default-configuration... so reset to defaults gets me something I know, thus never used serial in 10 years to mikrotik.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Tue Mar 05, 2024 4:41 pm

Now Mikrotik does sell some USB serial-to-WiFi things..
You mean Woobm ?
https://mikrotik.com/product/woobm

Discontinued, unfortunately.
 
jaclaz
Long time Member
Posts: 573
Joined: Tue Oct 03, 2023 4:21 pm

Re: Routers Coming with Default Passwords

Tue Mar 05, 2024 5:36 pm

The only reference I could find is about the hex:
viewtopic.php?t=182498#p939154
According to it both FTDI and Prolific (common) USB-serial converters work.

But seemingly you need to configure the console on the USB port, the kind of thing that typically you won't do until it's too late and you already lost access via the other ways.
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Routers Coming with Default Passwords

Tue Mar 05, 2024 6:06 pm

The only reference I could find is about the hex:
viewtopic.php?t=182498#p939154
According to it both FTDI and Prolific (common) USB-serial converters work.

But seemingly you need to configure the console on the USB port, the kind of thing that typically you won't do until it's too late and you already lost access via the other ways.
There are two parts of "serial support": RouterBOOT and RouterOS. For RouterOS, if using USB as serial console isn't set, then that's not going to work in a "normal mode".

It's the RouterBOOT part that I have no idea if it even supports USB serial adapters... And RouterBOOT may be where a serial console be more useful — since if your RouterOS is running enough to map serial to USB, winbox via MAC likely works...
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Routers Coming with Default Passwords

Wed Mar 06, 2024 9:33 pm

You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
agreed, that is not what i was suggesting or asking for.
(also /sys reset no-defaults=yes does not equal accessible for admins from the internet side by default)
Last edited by jo2jo on Wed Mar 06, 2024 9:49 pm, edited 1 time in total.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Routers Coming with Default Passwords

Wed Mar 06, 2024 9:49 pm

You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
Or, not understanding a long press is how you get PXE boot mode (for netinstall). And that Mikrotik is not going to reverse course on the passwords.

To me it seems @jo2jo's problem could be solved with a branding package with a replaced default config (with his preferred no/limited config) – that be 7 second button press to trigger. And if you control the default config...well... there should be less of need for serial.

Now on #3 (serial support)... I'm not sure of the serial support via USB on RouterBOOT on RB5009... USB serial is always a PITA. But it's fair to say Mikrotik has no docs on some "known working" USB-to-serial chipset. Now Mikrotik does sell some USB serial-to-WiFi things – never used them myself, since I use my own branding with a default-configuration... so reset to defaults gets me something I know, thus never used serial in 10 years to mikrotik.
thanks for the suggestion / info - I do agree that currently the only solution for now involves netinstall , however Net install does not address what I described with remote configs of new MikroTiks or remote hands type troubleshooting scenarios. (unless you keep stock of MTs, and directly ship them out yourself) - also i do have a few Woobm 's - I too am quite sad to see them discontinued as I did go to buy another one a few months ago and couldn't find it in-stock. However there have been a few more than a handful of times I tried to use a Woobm and for whatever reason it could not get me serial , (or any) access (usually when used on newer , more recent routerboard hw or rOS).

(Of course there were also times the Woobm *did* help to get me out-of-band management access)

Do you all disagree (or not like / not-favor) a solution where if you were to hold the reset button for a long period of time it wiped the mikrotik fully (ie just like /sys reset no-defaults=yes) - im talking about even 30s + of hold button on after power applied. (and to pe1chl's point- in the case of a very long button press forces a full wipe: ie /sys reset no-defaults=yes , this does *not* equal a router accessible for admins from the internet).

Also i should note- in one of my (many) mt use cases - im very frequently remotely walking a client through resetting a brand new MT so that I can get access to it to configure it for them. Maybe my use case is unique, but in this scenario, it has gotten much more difficult over the past few years to get to that point of access.
tks
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routers Coming with Default Passwords

Wed Mar 06, 2024 10:02 pm

@jo2jo ... we all (or almost all) feel your pain and understand you. How about a group hug?

Now, get over it and accept the new reality.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Routers Coming with Default Passwords

Thu Mar 07, 2024 8:33 am

@jo2jo ... we all (or almost all) feel your pain and understand you. How about a group hug?

Now, get over it and accept the new reality.
Do you disagree (or not like / not-favor) a solution where if you were to hold the reset button for a long period of time (ie 30s, so past the default-config or netinstall holds) - it wiped the mikrotik fully (ie like /sys reset no-defaults=yes) ?
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routers Coming with Default Passwords

Thu Mar 07, 2024 8:40 am

From a convenience point of view this might be helpful but from a security point of view you may not want this if you want to be sure your hardware is not going to be "reused" by others.
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routers Coming with Default Passwords

Thu Mar 07, 2024 9:11 am

If @holvoetn didn't write the preceding post, I would. I couldn't agree more.

@jo2jo ... how about teaching your customers to find the dreaded sticker and send you a photograph of it?
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routers Coming with Default Passwords

Thu Mar 07, 2024 11:28 am

From a convenience point of view this might be helpful but from a security point of view you may not want this if you want to be sure your hardware is not going to be "reused" by others.
As I wrote a year ago, normis was also active in the topic at that time, that requirement makes things a bit complicated. It would be better if it were dropped (i.e. no longer supported).
The secure boot would then only guard against access to the config by someone with access to the device.
Their option would still be to reset the device and wipe the config, but they would not have access to config "intellectual property", secret passwords, certificates etc.
