Not that it actually matters[1], but earlier (in other threads) it was mentioned that the change was prompted by the need for compliance with this (or that) EU regulation (possibly the GDPR or, more strictly, one of the possible interpretations of its vague requirements).
During this year it has been slowly rolling out for home user type of models. Home users often never connect to their devices, leaving them without protection and open for Trojan software from the LAN side.
I know I do sound picky, basically because I am actually picky (besides being old and grumpy, and cheap, but this latter is not relevant here), but what the EU (and other regulators) often do is
It is one and the same. Many country regulators are working towards such requirements, not just the EU. And they are doing this because of the users. Did you think it was just baseless regulation to annoy people?
Imho,
New models come with a default password which is on the cardboard box and also on the router itself.
ALSO it is available from your distributor in a digital document / CSV.
Newer batches have improved label print quality and do not have ambiguous characters (0/O etc)
Or just throw a separate piece of paper into the box, with that password, in a properly sized font like 10 or 12.
Imho,
New models come with a default password which is on the cardboard box and also on the router itself.
ALSO it is available from your distributor in a digital document / CSV.
Newer batches have improved label print quality and do not have ambiguous characters (0/O etc)
Why do we need to depend on the distributor for that? As already mentioned in the YT video about this, they are not required to provide that file.
Why doesn't Mikrotik provide a tool in the Mikrotik account where, by entering the serial number, it shows the serial..
This is a cleaner and better user experience...
With my hAP ax2 I basically had to guess if it was a K or an R. I used Google Lens to help me out; now I have this written in my password manager...
It sounds more like when you order online a framed picture and you get instead a 1000 pieces puzzle of that picture; it is actually fun but somehow unexpected.
Oh, the joys of a new toy, eh?
The regulatory Channel Availability Check (CAC) time before an AP is allowed to broadcast beacons on a DFS channel is 1 min.
What does it mean "skip 10 min CAC", if choosing a weather radar channel is exactly what the device then does on its own?
Just bought a brand new hAP ax lite and neither of the label passwords work.
I don't want to manually configure everything from the command line...
I've never said this, but God, please send to hell directly the person who wrote such a small and unreadable default password.
Thanks.
You're sending wrong people to hell.
small and unreadable default password
Well, should be changed. Mikrotik didn't even ask users to change the password until about 2 years ago. And even since then, they implemented a completely useless "please set a password for admin but you can still skip and click me away and keep the empty password..." Regardless of whether it was EU legislation, RFC, or whoever brought Mikrotik to ship secure devices from the factory: they have my big thanks.
forced MikroTik (and most likely other network equipment manufacturers) to change their default policies (in this case admin user account with no password that should be changed immediately after powering it on for the first time and before connecting it to anything else than PC you're using to configure the basics).
And people still arguing for empty admin password should really go to hell. That's like lobbying for cars without seatbelts...
I still haven't got an answer how Ubiquiti, TP-Link, etc. get away with it?
I've never said this, but God, please send to hell directly the person who wrote such a small and unreadable default password.
Thanks.
You're sending wrong people to hell. Direct your anger to insanely bored, absurdly overpaid and generally unreasonable EU bureaucrats who forced MikroTik (and most likely other network equipment manufacturers) to change their default policies (in this case admin user account with no password that should be changed immediately after powering it on for the first time and before connecting it to anything else than PC you're using to configure the basics).
Mikrotik didn't even ask users to change the password until about 2 years ago. And even since then, they implemented a completely useless "please set a password for admin but you can still skip and click me away and keep the empty password..."
And people still arguing for empty admin password should really go to hell. That's like lobbying for cars without seatbelts...
There's nothing wrong with it; the vast majority of MikroTik's devices will be used by professionals, not clueless users without even the most basic networking knowledge.
This is disgusting. You literally should have issues (and probably get hacked) if you're too lazy to set your own password yourself. As in real life, every action (or lack of) has its consequences. Pay someone to do it if you can't do something as basic as setting password to your own device when it literally asks you to do it on first boot!
What's so wrong with just reading a password from a sticker? We're talking about the ability to read, which you learn as a schoolchild. Just type it in and done. The fact that Mikrotik didn't do their homework here and used inappropriate characters – that can be very well debated and criticized.
But most likely everyone has a phone with a camera and thus zoomable photos on hand. This has been mentioned at least three times in this thread.
not everyone has eyesight of a military sniper
Does this mean that products are now shipped with a sticker readable without a microscope?
1) Yes, there were ambiguous characters in the first batches; now new products are manufactured without chars that can be mixed up
2) Yes, initial stickers were low print quality, that has been improved
3) You can always get the password from the distributor or mikrotik, as the default password is known to mikrotik and distributor
The good news is that at nearly 60 you still have hairs to pull.
But given the situation, as I am closer to 60 than 50, I am pulling my hair regarding these stickers that probably are designed by some 18 year old.
No way I can read them without strong light and a magnifying glass.
among all other tasks we now have to also keep a record of all RBs deployed
IMNSHO I consider the task of securing devices should be left to the engineers.
Well, if some fella is sloppy and does not secure his devices, or his customer's, it is still not MT's responsibility...
The thing is, we tried that for a few decades, and the data are now in: there are millions of easily broken-into MT boxes out there. Unless your argument is that you should have to present a Practicing Engineer's license at purchase time, I don't accept your alternative as solving the problem.
Well, if some fella is sloppy…
it is still not MT's responsibility...
But, if I recall correctly, the 250,000 of Meris were connected to a router os bug/vulnerability, not to 250,000 compromised passwords.
The last part of the sentence is "captain obvious" speaking, and it is not entirely accurate; an attacker needs to know the credentials AND have a way to remotely log in.
While the vulnerability was patched after its detection back in 2018, it's still being exploited in compromised devices that do not use the patched RouterOS versions, or that use the default usernames and passwords.
I have no reason to question your numbers.
Well, if some fella is sloppy…
That's the thing: it isn't "some fella." There were around 250k compromised MT boxes in the 2021 Meris attack alone, creating enough traffic to nearly double Cloudflare's normal load.
This isn't a problem for "some fella," it's a problem for everyone on the Internet.
Thus why countries are passing laws requiring strong default passwords. This is the type of pro-social thing we have governments for.
it is still not MT's responsibility...
Okay, let's take your legal theory as given. Should Cloudflare go file 250k separate lawsuits for negligent configuration against those bot owners? There isn't such a thing as a reverse class-action, as far as I'm aware.
But as you probably understand: It is the responsibility of the customer or the customer's representative (the tech) to config the devices properly.
"Password after reset that is printed on the device."
- Devices are sometimes in public areas, like CUBE 60 are.
- Password versus box table is stored in distributed databases.
Yes, and - again - the insecurity is mainly the fact that *somehow* there is access to the device files from the outside; the Meris that has been cited was a bug that allowed downloading the database with user/password credentials AND that info was relatively easily decryptable.
After all, most exploits are done over the network without physical access to the device being compromised.
I often like to cite the checklist on the original instruction manual of the Volkswagen T1:
Always drive defensively. Expect the unexpected.
Yeap. Even Cisco started to force users to set secure passwords on first start-up, even though the device wasn't even accessible remotely without setting a password (and thus it was actually secure from remote intruders).
The way Mikrotik implemented the EU norm is different from what other manufacturers do (AFAIK they keep the default admin/admin or admin/blank but the first thing when you boot the device for the first time or after a reset is that you MUST change the password); in this sense Mikrotik was more catholic than the Pope in choosing this procedure.
Possibly because it is not at all clear which specific directive/norm/law they are attempting to be compliant to.
I haven't actually read the EU law regarding the passwords, but if every other vendor did it by forcing a password change, instead of random passwords per device, then I am inclined to believe that 'random passwords' wasn't a requirement by law.
Maybe ETSI TS 103 645?
I don't know where you live, but I never ever received a credit/bank card shipped with the PIN code in the same envelope in my whole life.
Not unlike what happens now with credit/debit cards (the PIN cannot be shipped in the same envelope as the card), the password should be delivered to the customer through a separate shipment or different channel.
Exactly, as I said, the PIN cannot be shipped in the same envelope as the card, to avoid the possibility that if the card is stolen "in transit" it can be used by the thief if the PIN is also present.
I don't know where you live, but I never ever received a credit/bank card shipped with the PIN code in the same envelope in my whole life.
Paragraph 3:
1. SECURITY REQUIREMENTS RELATING TO THE PROPERTIES OF PRODUCTS WITH DIGITAL ELEMENTS
(3) On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state;
(b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;
...
To be fair: you said "now" like it is something new.
Not unlike what happens now with credit/debit cards
Well, I wrote now meaning now, as in now, would already have been better?
To be fair: you said "now" like it is something new.
Yep.
Do you know the scene from Spaceballs movie?
... which makes a nice round two of us.
... as a non native speaker ...
Exactly.
It still is a stupid thing to do,
"Password after reset that is printed on the device."
Exactly.
That should have been the only fix to the password problem, by making the change mandatory if the current password is empty or "admin" or some other common value.
Exactly.
To me, it is the "running" or active password that matters the most.
Not something initial or after some "reset".
There is no "initial connection" to change password. They never connect to it.
You could add a "provision-initial-password" endpoint to the REST API. As I already said, the device is listening on e.g. eth1 and open wifi for connections. Regular users use the apps or use webfig to go through a guided wizard. Experts or professional users could use the "provision-initial-password" API endpoint (which is at this state the only accessible/enabled endpoint and available without authentication) to set an admin password by some scripting or as part of a provisioning process. This functionality could also be added to Winbox as well. In the neighbor listing these dumb unprovisioned devices could be listed as "waiting for initial setup". Then there is an "adopt device" button, click it, enter password. Done.
And the best: as there is no default config that does anything useful there are also no concerns. You could leave the first Ethernet port open for provisioning - like holding the reset button 2 sec on boot - so all professionals are happy again.
This is what MikroTik is IMHO already doing.
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state;
most likely this depends on the country.
user should not be able to change config
I meant that IMHO most users of Mikrotik, in the sense those that choose a Mikrotik, do so because Mikrotik routers/devices can be (though not so easily) configured; those that expect plug and play and/or a simple configuration will likely choose an easier/simpler device.
Sorry I did not understand the comment directed at me. Can you clarify the point you are making?
Unfortunately MikroTik is popular with two very very different groups. Home users that plug and play (or mobile operator that just gives them a router). and professional installers. We have to make both groups happy and secure.
Maybe not obvious, but since most of our devices have a default configuration, all it takes to make them work is plugging in the ISP cable and connecting to the default wireless SSID.
If the device doesn't work until a secure password is set, then problem solved.
Something like, the router doesn't even route traffic (in case the user keeps the default config) if the admin password isn't set to something secure, and you cannot set any config (if you start with a clean config) unless you first set a secure password (meaning requiring sensible password complexity and don't allow "12345" and stuff like that).
JFYI:
... unless you first set a secure password (meaning requiring sensible password complexity ...
So I'm a white fly compared to everyone else? The basics, like blocking spoofing and blocking incoming connections on standard ports, for me is the a-b-c of civilization...
crappy reality.
Korean things as well (I've got a Samsung smart TV which is constantly trying to call home). And probably things conceived elsewhere as well (I don't believe that American SW designers are any better with regards to consumer privacy than the rest); calling home (probably called something "cloud") is mainstream these days.
OT: You can't imagine what happens when you have to block DNS by law and use your own... Do you know how many Chinese things call home?...