What if someone gets a password? Even if it's hashed in the MikroTik system. What is secure in this kind of method?
Want to change a secure method to an insecure method to add another insecure layer?
Thanks
I didn't know that was possible. That's a little cleaner than adding a container. And theoretically covers all methods of router access.
True, not quite an easy setup, still easier than writing a webfig wrapper.
That's a little cleaner than adding a container. And theoretically covers all methods of router access.
Preventing authentication even if the password is compromised - which should not be placed aside.
Serious question, I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,
what is two-factor authentication for?
I'd like, if possible, to get answers that don't involve what I've already ruled out: username and password being stolen (no matter how or why).
Preventing authentication even if the password is compromised.
Just because not all devices have SIMs.
Btw. you are missing some hypotheses: using SMS codes and setting dynamic passwords combining them (if OP owns a MT device with a GSM/LTE modem)
:cmd Vq70980q script chgpass mynesSPERScurPXEAWRD
Ruled out, but it is a concern imho.
I'd like, if possible, to get answers that don't involve what I've already ruled out: username and password being stolen (no matter how or why).
Preventing authentication even if the password is compromised.
I'm using SMS commands for enabling/disabling VPN access, quite useful and I think safer than port knocking. Ah yes... hypothesis to use port knocking to trigger sending a 2FA code to email.
Just because not all devices have SIMs.
But yeah, just send an SMS to that device which sets the password specified in the SMS and the problem is already solved...
(and the SMS commands password must also be present in the SMS)
:cmd Vq70980q script chgpass KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======
Why not just simple:
Or, for the paranoid, also encode the password in the SMS; the script chgpass decodes it and applies the correct password.
Since the encoding can be arbitrary and not necessarily baseXX, it is strong enough to detect a failed try.
:cmd Vq70980q script chgpass KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======
Encoding the password in that way also allows the user to use special characters not allowed in the GSM7 alphabet...
viewtopic.php?p=411358#p411358
:cmd Vq70980q 2fa-script
If one is not careful when creating backups, yes, but for example, I'm using a web API for refreshing the IP on some dyndns service; there is no alternative other than storing raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
Script must not store passwords...
At least the first part of the password should be plain text in the script, and an "export" or accidentally unencrypted backup might reveal that part...
Why don't you use the MAC of one or more ethernet interfaces as a seed to encrypt the password?
I'm using a web API for refreshing the IP on some dyndns service; there is no alternative other than storing raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
Or you can just be kidnapped and forced to log in and nothing helps (maybe a suicide capsule with poison in a tooth?)
Actually I have the main network on The Dude; right click and "open with winbox" launches one program that asks for a PIN.
If the PIN is correct*** it decodes the passed username and password from The Dude and uses them as parameters to launch Winbox.
(obviously on the RouterBOARDs winbox is authorized only from the local management ether port or only from specific remote IPs)
This way, if for some reason my PC is stolen, it is useless, because also the read-only monitoring functions on The Dude accept only some IPs...
*** the PIN is part of the decoding, it is not memorized inside the program; a wrong PIN causes winbox to fail authentication, not a program error, because it does not know what the right PIN is...
Obviously keyloggers & co. bring the question to another level...
To do that someone must come to my office, break the port lock, hack my PC, and remove all trace of the passage...
I'd give him the emergency PIN, which if entered still allows decoding and access, but also calls the police without notification...
Or you can just be kidnapped and forced to log in and nothing helps (maybe a suicide capsule with poison in a tooth?)
I think now OP has quite enough solutions for how to implement 2FA or dynamic credentials...
I'd give him the emergency PIN, which if entered still allows decoding and access, but also calls the police without notification...
Or you can just be kidnapped and forced to log in and nothing helps (maybe a suicide capsule with poison in a tooth?)
I missed this one... true, it can be done like that, by using some value(s) unique to the router; since it is for my home router and only I have access to it I did not bother, but good idea.
Why don't you use the MAC of one or more ethernet interfaces as a seed to encrypt the password?
I'm using a web API for refreshing the IP on some dyndns service; there is no alternative other than storing raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
If the script is run on the same device it can restore the right password to send for dyndns...
If the export/unencrypted backup is stolen, it is useless, because in the export or backup only manually changed MACs are stored...
and the script on a new device can not generate the correct username or password again...
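An added example (not code from the thread or from RouterOS) of the idea in the last two posts: wrap the dyndns credential under a key derived from the interface MAC read at run time, so that an export or unencrypted backup of the script is useless on another device. The MACs and secrets are constructed; PBKDF2 plus an HMAC-SHA256 counter-mode keystream are my choices, since the Python stdlib has no AES, and the optional `extra` secret is an assumption beyond what the posts describe.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; a MAC alone is low entropy, so do not skimp


def derive_keys(mac: str, salt: bytes, extra: str = "") -> Tuple[bytes, bytes]:
    """(enc_key, mac_key) from the interface MAC read at run time, plus an
    optional extra secret. Neither the MAC nor the keys are written into the
    script, so an export or unencrypted backup does not carry them."""
    material = mac.lower().replace("-", ":").encode() + b"|" + extra.encode()
    key = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=64)
    return key[:32], key[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as the keystream (the stdlib has no AES)."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(secret: str, mac: str, extra: str = "") -> bytes:
    """Encrypt-then-MAC. Blob layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(mac, salt, extra)
    pt = secret.encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(blob: bytes, mac: str, extra: str = "") -> Optional[str]:
    """Recover the secret only when the tag verifies under THIS device's MAC;
    a different device, a wrong extra secret or a tampered blob yields None."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(mac, salt, extra)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))).decode()
```

Because the OUI half of a MAC is public and the rest is only 24 bits, a blob sealed with the MAC alone can be brute-forced offline by someone who also knows the hardware model; supplying `extra` closes that gap.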
What if someone gets a password? Even if it's hashed in the MikroTik system. What is secure in this kind of method?
In winbox or the web interface type your password and append the 6-digit OTP from your authenticator to the end of the password. Make sure the OTP you enter is within the 30-second window or you will fail authentication.
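A model of the check the post describes (password with the 6-digit code appended, validated against a 30-second TOTP window), added here as an example; it is not RouterOS or User Manager code. The key is the RFC 6238 Appendix B test vector and the password is constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step (the "30 second window" of the post)
DIGITS = 6
# RFC 6238 Appendix B test key ("12345678901234567890" in base32); demo only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): counter = floor(time / 30), dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def split_password_otp(entered: str):
    """The login field carries '<password><6-digit OTP>'; peel the code off the end."""
    if len(entered) <= DIGITS or not entered[-DIGITS:].isdigit():
        return None, None
    return entered[:-DIGITS], entered[-DIGITS:]


def verify_login(entered: str, stored_password: str, secret_b32: str,
                 now: int, skew_steps: int = 0) -> bool:
    """Accept only if the password part matches AND the OTP is valid for the
    current 30-second window (optionally +/- skew_steps neighbouring windows).
    Both checks always run, so a wrong password is not distinguishable by timing."""
    password, otp = split_password_otp(entered)
    if password is None:
        return False
    ok_password = hmac.compare_digest(password.encode(), stored_password.encode())
    ok_otp = False
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(otp, totp(secret_b32, now + k * STEP)):
            ok_otp = True
    return ok_password and ok_otp
```

The real verifier compares a password hash rather than the plaintext; the split and the window logic are the part the post is about.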
Serious question,
I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,
what is two-factor authentication for?
For various factor combinations the term is MFA if multiple factors are involved; 2FA is part of the MFA scope.
Serious question,
I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,
what is two-factor authentication for?
If we were talking about hardware 2FA token devices (e.g. RSA SecurID), it was a check that you physically held something. Since they are semi-tamper resistant and cannot be backed up/copied, if lost/missing you really are screwed – that adds quite a bit of a layer from 2FA. When you just switch to another app like Google Authenticator (or Authy or whatever TOTP-enabled app) on the same device that may have your password saved in the keychain/browser... I'm not sure that adds the same level of security... so not all 2FA is the same. Does user-manager add something with TOTP... sure. How much, harder to quantify.
If you ignore the "dumb admin" case, sure, completely unneeded. But not everyone is smart.
@Amm0
Excuse me, but I was sincerely asking about another practical use, except the above, not about the technology to use,
because I can't think of anything else...
I've used PPP secret to store API keys. Not great but works to avoid them being in an export without show-sensitive. See:
can be some key-value storage unlocked with logged in user or running script user. Not exportable if not show-sensitive.
What dumb request is this? Tell me how, how tf do you 2FA on Juniper or Cisco?
Hello, I want to authenticate winbox or ssh with a second factor. The problem is with the password, which mikrotik sends as mschapv2, so it's hashed. The authenticator cannot recognize it and I get a blank pass field. Is there any option to change mschapv2 to pap for example, or whatever?
What about dot1x, there are a few EAP methods. Can I authorize this way?