It's an EU requirement AFAIK.
So you are saying that someone has to look the password up so they can log into the router to set it up, but they aren't recording it in a database (or Ansible vault) that is part of your management system? That is what I would do.
As it stands right now, it is impossible to mass-configure end-user customer router devices and join them to our management system with any amount of speed, as someone needs to manually open up the little tab, get the password, which is a scramble of letters and numbers, and then manually log into the router.
Further, if the end user manages to scratch or destroy that tab somehow, we have no record of the original password for the device.
The problem with that argument is that there are a lot of bad people on the internet. I agree that it will be a pain to automate, but an infected/compromised router does not only affect the home user; it makes a very powerful bot and it can be a powerful member of a DDoS. And even if only the LAN side has access to the management interface, an infected PC can easily carry out a brute-force attack on a router.
I agree. This is a product SKU for professionals. This is going to be a huge pain. We don't need a nanny. Let us manage our own passwords. Blank passwords don't hurt the internet, people do.
You don't harden the router by default. You let the person installing it harden it. If they fail, it's their problem. For example, access from the WAN can be disabled by default and only accessible via LAN, that's a good start. From there, if your router gets hacked because you used password 'admin', that's your problem.
These are being sold into the home/prosumer market.
What do you propose as an alternative that will encourage the use of a non-trivial password? What percentage of home routers that force the user to set a password in the initial setup have a password in the "top 100 worst passwords" list? (And that doesn't even include the nil password.)
Even "professionals" are quite lax when it comes to passwords. How do you propose that the problems described in https://routersecurity.org/RouterNews.php be avoided?
I remember as a kid (around 1966) that our car had seatbelts, though I think they were only in the front seat, and there was no law requiring the use of seatbelts or any fines for not using them. There was no law enforcement requiring the use of seat belts until ~1985 (New Hampshire in the USA is the only state that still does not require adults to wear seat belts while operating a vehicle on a public highway), and after there were fines for non-compliance, seat belt usage went up.
If these still had a piezo buzzer, one thing that could be done to make it more obvious that there was something trying to brute-force the router from the inside (rogue IoT device?) would be to have the router play a distinct sound on login failure, and another on successful login (and these should be configurable on/off by the user). @rextended could probably write a script to do it.
But this is a serious question, how do you propose to harden the router by default? I see that others have noted that it may be a requirement in the EU, I won't be surprised if it becomes a requirement in the USA as well for routers that are targeted towards consumers.
How do you mass brand though when you have to look up the password for each router individually?
I don't see all these problems...
For the mass configuration the password is completely ignored, so I have to pick up the device to connect it to the Ethernet cable,
and when I'm there, holding down reset takes a moment, and with the branding package I can set the default password that I like...
(I wrote "default", not the one when the device remains "left to itself" in operation).
And if you lose the default password (of the device), who cares, the device is already yours, and if it has the branding, a reset puts back the one you already know.
As far as private individuals are concerned, it's not a tragedy, it doesn't change anything...
It doesn't take much for a private individual to manage and save a few passwords...
I see a huge increase in security; indeed, if it were up to me, I would prevent the use of empty passwords, at least with "standard" users such as admin, root, superuser & co.
Correct, this is what should have happened... you log in and it asks you to set a password the first time..... that can be automated to set our default user-router password then, or whatever the end user wanted to use. As it stands right now, this has suddenly become a show stopper for us to continue to deploy these products.
Not saying the "admin" / no password thing shouldn't have been improved. This change is going to affect a LOT of people's workflow/processes/training/etc. While perhaps solvable with netinstall – even that will only be clear with testing, since there are no other docs on what should/shouldn't happen with this built-in password under what cases.
While the ship has already sailed, these "stickers" seem like a backwards-looking way to solve the "no password" problem. If you look at Starlink, you plug in the cables, it has an open Wi-Fi, and it asks for a password to be set. There is no "sticker", but there is certainly "no password". And I don't think they're stopping Starlink sales in the EU because of that.
I guess I would have preferred an actual forced password change before allowing any configuration. Instead, this "sticker" approach is going to be annoying for all concerned, e.g. an end user who can't find it, or may not be able to read it, and an ISP/OEM who now has to track this and develop new processes around it.
Indeed. But not on the consumer market. If devices are sold on the consumer market, they should come hardened from the factory. Recently we've had a user who never changed any configuration because his RB worked as he wanted simply by plugging it in.
You don't harden the router by default. You let the person installing it harden it.
Again, if a device is sold on the consumer market, it should be assumed that LAN devices are (mis)managed to the same level. Much malware running on a client PC will try to infect routers it can find. And mismanaged routers are then easy targets, especially so if the admin password is weak.
From there, if your router gets hacked because you used password 'admin', that's your problem.
Why? How do you mass brand though when you have to look up the password for each router individually?
Will netinstall remove the default password and set it to something known by us?
Why? How do you mass brand though when you have to look up the password for each router individually?
As I have already written, I must unpack and plug the device into the Ethernet cable, so what does it take to hold down reset?
I don't care what password it has.
At this point I'm wondering how you mass configure... You enter them one by one, without password, etc., or do you just netinstall them all with the default script...
Push and hold reset also uses the "sticker" password. But correct that a longer press gets you waiting for netinstall. @rextended deduced in another thread that netinstall may be built into RouterOS at some point, so the process for that may become easier. And the Linux versions of netinstall are a much improved way of doing netinstall even today.
what does it take to hold down reset?
As it stands right now, this has suddenly become a show stopper for us to continue to deploy these products.
This may be a different method than you're using, but I'm pretty sure the combo of netinstall and a branding kit applying a new default config file would likely work around this. I need to test this myself, as a result of this change, so not 100% sure. But if you look at /system/default-configuration/script, they do seem to have variables with both the Wi-Fi password ($defconfWifiPassword) and "admin" password ($defconfPassword) as variables to the /system/default-configuration, e.g.:
/interface wifiwave2 {
set $ifcId security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=$defconfWifiPassword
}
:if (!($defconfPassword = "" || $defconfPassword = nil)) do={
/user set admin password=$defconfPassword
:delay 0.5
/user expire-password admin
}
These questions surprise me, it seemed to me that you were an expert in mass configuration...
Will netinstall remove the default password and set it to something known by us?
/sys id set name=$defconfPassword
Shell script that SSHes into the device and applies the configuration.
Why? How do you mass brand though when you have to look up the password for each router individually?
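The "database (or ansible vault)" suggestion and the "shell script that SSHes into the device" answer above describe one workflow, so here it is as a worked example. This is added editor code, not MikroTik's code and not the script of anyone in the thread. It assumes an inventory CSV with the columns serial,mgmt_ip,sticker_password that the warehouse fills in from the pull-out tab, a dict standing in for the vault, and that sshpass(1) is installed (it takes the sticker password from the SSHPASS environment variable so the password never appears in argv). It also rejects blank and well-known passwords, covering the "top 100 worst passwords" point raised earlier, and handles the device whose tab was lost or scratched.

```python
#!/usr/bin/env python3
"""Provisioning helper for routers shipped with a per-device sticker password.

Example code added by the editor; not MikroTik's code and not the workflow of
anyone in the thread. Assumed (not from the thread): an inventory CSV with the
columns serial,mgmt_ip,sticker_password and a dict standing in for the vault.
"""
import csv
import io
import secrets
import string
from typing import Dict, List, Optional

# Constructed sample inventory: fake serials, addresses and sticker passwords.
# The second device has no sticker password on record (tab lost or scratched).
SAMPLE_INVENTORY = """serial,mgmt_ip,sticker_password
ABC123456789,192.168.88.1,x7kq2m9p
ABC123456790,192.168.88.1,
"""

# Small stand-in for a "worst passwords" list; a real deployment loads a full list.
WORST_PASSWORDS = {"", "admin", "password", "123456", "12345678", "qwerty", "mikrotik"}


def password_is_acceptable(pw: str, min_len: int = 16) -> bool:
    """Reject blank, well-known and short passwords; require lower, upper and digit."""
    if pw.lower() in WORST_PASSWORDS or len(pw) < min_len:
        return False
    classes = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    return classes == 3


def generate_password(length: int = 20) -> str:
    """CSPRNG-generated replacement; alphanumeric only, so it needs no RouterOS quoting."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_is_acceptable(pw):
            return pw


def load_inventory(csv_text: str) -> List[Dict[str, str]]:
    """Parse the inventory export (sticker_password may be empty)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def rotation_commands(new_pw: str, identity: str) -> List[str]:
    """RouterOS CLI commands for one session. The password change goes last so
    every earlier command in the same session still authenticates with the sticker."""
    assert password_is_acceptable(new_pw)
    return [
        f'/system identity set name="{identity}"',
        f'/user set admin password="{new_pw}"',
    ]


def ssh_argv(mgmt_ip: str, command: str) -> List[str]:
    """Command line for one device. Assumes sshpass(1); it reads the sticker password
    from the SSHPASS environment variable, which the caller sets per device."""
    return ["sshpass", "-e", "ssh", "-o", "StrictHostKeyChecking=accept-new",
            f"admin@{mgmt_ip}", command]


def provision(row: Dict[str, str], vault: Dict[str, dict]) -> Optional[List[str]]:
    """Plan the rotation for one device and record both passwords in the vault.
    Returns the RouterOS commands, or None when the sticker password is unknown
    (that device needs a reset/netinstall rather than an SSH login)."""
    sticker = row["sticker_password"]
    if not sticker:
        vault[row["serial"]] = {"mgmt_ip": row["mgmt_ip"], "status": "sticker-unknown"}
        return None
    new_pw = generate_password()
    vault[row["serial"]] = {"mgmt_ip": row["mgmt_ip"], "sticker_password": sticker,
                            "admin_password": new_pw, "status": "rotated"}
    return rotation_commands(new_pw, f"cpe-{row['serial']}")


if __name__ == "__main__":
    vault: Dict[str, dict] = {}
    for device in load_inventory(SAMPLE_INVENTORY):
        cmds = provision(device, vault)
        if cmds is None:
            print(f"{device['serial']}: no sticker password on record, needs reset/netinstall")
            continue
        # Dry run: print the command line instead of executing it; a real run would
        # export SSHPASS=<sticker> and call subprocess.run(argv, check=True).
        print(" ".join(ssh_argv(device["mgmt_ip"], "; ".join(cmds))))
```

Both RouterOS commands are sent in a single SSH session joined with ";" so the sticker password is used exactly once; after that only the vault knows the admin password, which is the state the thread is asking for.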
Please, Please, Please, NEVER activate protected-routerboot on a default batch!!!
So ... better safe than sorry.
It's not as easy as "press the button until netinstall starts"... (And not all devices are CAP clients....)
Btw you can boot into cap mode and work as usual.
I know, but for the installer the concept "press until it does not appear" is better than counting exactly 10 seconds (or checking whether the LED turns solid in a bright environment)...
any router can be booted into cap mode, especially the ones that have defconf with a password.
That's okay, it's the right way to do it.
The password is unique and random, but we do have it in a database in readable form (I mean, this is still better than blank). You can't guess it, but you will need to change it anyway.
some people manage to lock their device irreversibly (referring to protected-routerboot; editor's note)
As a matter of fact, it is also mentioned in the Quick guide on the website.
There will be videos coming up on this "feature". As a note, thanks to a post here I would never have gotten into my AX3. I normally throw away any silly paperwork in the box and just access the router and start working on it. Hence I had no clue about a pull-out tab LOL.
That is of course the way to do it.
The password is unique and random, but we do have it in a database in readable form (I mean, this is still better than blank).
Well, that could be a possible feature at any point... since they have the passwords:
1) Create an account on mikrotik.com, register your own device, go back to the account if you lost the default password, and read it again.
2) Register TikApp on Google and add the password directly to the Google keychain
3) etc.
That's bad... but that's the user's problem, not mine and not yours.
Better prepare in advance than suffer when it's too late.
Imagine even if there is no legislation. How about just for sake of basic security?
A scenario where you purchase a device that has a nice default config. You plug in your ISP and your internet works (because of the DHCP client and default NAT, you don't even need to log in once). So you plug it in and leave it. Then malware on your Windows PC scans the LAN and supplies some malicious config to your router, as there is no password. And then imagine this on a million devices.
So ... better safe than sorry.
When MikroTik routers get a bad reputation "because they are so insecure" and then nobody sells them or they become forbidden by law, it becomes our problem as well.
That's bad... but that's the user's problem, not mine and not yours.
Could be, but I have never seen them on the devices requiring the sticker password that I have had in my hands yet.
Apparently there already is a sticker on the "quick start leaflet", but I do not know if it can easily be peeled off and put somewhere else, and also not whether these leaflets are still so ridiculously small that you immediately lose them...
Or, not understanding that a long press is how you get PXE boot mode (for netinstall). And that MikroTik is not going to reverse course on the passwords.
You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
You mean Woobm?
Now MikroTik does sell some USB serial-to-WiFi things..
There are two parts of "serial support": RouterBOOT and RouterOS. For RouterOS, if using USB as the serial console isn't set, then that is not going to work in "normal mode".
The only reference I could find is about the hEX:
viewtopic.php?t=182498#p939154
According to it both FTDI and Prolific (common) USB-serial converters work.
But seemingly you need to configure the console on the USB port, the kind of thing that typically you won't do until it's too late and you already lost access via the other ways.
Agreed, that is not what I was suggesting or asking for.
You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
Thanks for the suggestion / info - I do agree that currently the only solution for now involves netinstall; however netinstall does not address what I described with remote configs of new MikroTiks or remote-hands type troubleshooting scenarios (unless you keep stock of MTs and directly ship them out yourself). Also, I do have a few Woobms - I too am quite sad to see them discontinued, as I did go to buy another one a few months ago and couldn't find it in stock. However, there have been more than a handful of times I tried to use a Woobm and for whatever reason it could not get me serial (or any) access (usually when used on newer, more recent RouterBOARD hw or ROS).
Or, not understanding that a long press is how you get PXE boot mode (for netinstall). And that MikroTik is not going to reverse course on the passwords.
You are not to be taken seriously when you claim that a router should be accessible for admins from the internet side by default.
To me it seems @jo2jo's problem could be solved with a branding package with a replaced default config (with his preferred no/limited config) – that would be a 7-second button press to trigger. And if you control the default config... well... there should be less need for serial.
Now on #3 (serial support)... I'm not sure of the serial support via USB in RouterBOOT on the RB5009... USB serial is always a PITA. But it's fair to say MikroTik has no docs on some "known working" USB-to-serial chipset. Now MikroTik does sell some USB serial-to-WiFi things – never used them myself, since I use my own branding with a default-configuration... so resetting to defaults gets me something I know, thus I have never used serial in 10 years with MikroTik.
Do you disagree with (or not like / not favor) a solution where, if you were to hold the reset button for a long period of time (i.e. 30s, so past the default-config or netinstall holds), it wiped the MikroTik fully (i.e. like /sys reset no-defaults=yes)?
@jo2jo ... we all (or almost all) feel your pain and understand you. How about a group hug?
Now, get over it and accept the new reality.
As I wrote a year ago, when normis was also active in the topic, that requirement makes things a bit complicated. It would be better if it were dropped (i.e. no longer supported).
From a convenience point of view this might be helpful, but from a security point of view you may not want this if you want to be sure your hardware is not going to be "reused" by others.