nordex
Member Candidate
Topic Author
Posts: 104
Joined: Fri Mar 23, 2007 7:46 pm
Location: Croatia

Default password Frustration

Mon Dec 18, 2023 6:38 pm

I've never said this, but God, please send to hell directly the person who wrote such small and unreadable default password.
Thanks.

hAP ax2. No other stickers with the password, btw.
 
msatter
Forum Guru
Posts: 2929
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Default password Frustration

Mon Dec 18, 2023 6:44 pm

Is there a hell for labelprinters?
 
optio
Forum Veteran
Posts: 835
Joined: Mon Dec 26, 2022 2:57 pm

Re: Default password Frustration

Mon Dec 18, 2023 6:47 pm

It's a security feature against hackers with bad vision :)
 
goscickiw
newbie
Posts: 34
Joined: Fri Feb 17, 2023 8:56 am
Location: Poland

Re: Default password Frustration

Wed Dec 20, 2023 9:31 am

All of the Mikrotik devices I ever dealt with (hEX, RB5009, hAP ac2, CRS125, LDF 2) had no default password. Did something change? Is your router provided by ISP?
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Wed Dec 20, 2023 9:35 am

New models come with a default password which is on the cardboard box and also on the router itself.
ALSO it is available from your distributor in a digital document / CSV.

Newer batches have improved label print quality and do not have ambiguous characters (0/O, etc.).
 
goscickiw
newbie
Posts: 34
Joined: Fri Feb 17, 2023 8:56 am
Location: Poland

Re: Default password Frustration

Wed Dec 20, 2023 9:42 am

Thanks. When has this change been made? Does it apply to all newly produced devices or just specific new models?
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Wed Dec 20, 2023 9:43 am

During this year it has been slowly rolling out for home user type of models. Home users often never connect to their devices, leaving them without protection and open for Trojan software from the LAN side.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Wed Dec 20, 2023 2:24 pm

During this year it has been slowly rolling out for home user type of models. Home users often never connect to their devices, leaving them without protection and open for Trojan software from the LAN side.
Not that it actually matters[1], but earlier (in other threads) it was mentioned that the change was prompted by the need for compliance with this (or that) EU regulation (possibly the GDPR or, more strictly, one of the possible interpretations of its vague requirements).

Now you put the blame on the (stupid) home/hobby users.

Still it would be nice to know if it is a new, own, Mikrotik initiative to protect the (stupid) home/hobby users from themselves and their lack of security protocols implementation or if it is the EU that is "protecting" us.

[1] though I would like to know, whenever a little bit of freedom is removed, who does that and what reason there is behind that - even tiny - removal
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Wed Dec 20, 2023 2:27 pm

It is one and the same. Many country regulators are working towards such requirements, not just the EU. And they are doing this because of the users. Did you think it was just baseless regulation to annoy people?
 
goscickiw
newbie
Posts: 34
Joined: Fri Feb 17, 2023 8:56 am
Location: Poland

Re: Default password Frustration

Wed Dec 20, 2023 2:55 pm

I don't think it's a removal of freedom. It would be for example if the password couldn't be changed.

I think the default password is actually a good idea, as I know from experience how common it is for people to not care about configuring their equipment and just want it to work out of the box. I don't mean networking hobbyists, but rather an average Joe who just wants Internet, or an electrician who has to install a network connection for collecting production data from a PV power plant.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Wed Dec 20, 2023 3:10 pm

It is one and the same. Many country regulators are working towards such requirements, not just the EU. And they are doing this because of the users. Did you think it was just baseless regulation to annoy people?
I know I do sound picky, basically because I am actually picky (besides being old and grumpy, and cheap, but this latter is not relevant here), but what the EU (and other regulators) often do is
1) do something (that usually means some added regulation, often causing lots of headaches in the population that must comply)
2) communicate some (usually bogus) reasons[1] why they did that (while patting themselves on the shoulders for how clever they have been)

Of course there is nothing that we (stupid) home/hobby users can do about the regulation or the decision by the manufacturer, but I still would like to know if I have to thank the EU or Mikrotik for this (tiny, in the specific) annoyance.

With a good magnifying glass and adequate lighting I did manage to decrypt the password on the label of some just-arrived hAP ax lites; probably this is one of the new batches that do not have "ambiguous" characters (or I was lucky and the password did not contain them by pure chance), so not a real problem, only an annoyance. There are two levels in it: one is the regulation or decision by Mikrotik, the other one is the way it has been implemented. The OP is venting about the latter only, and I have to concur with him.

[1] mind you, very often there are good reasons, only the stated ones are different
 
phascogale
Frequent Visitor
Posts: 58
Joined: Tue Oct 17, 2023 11:25 am

Re: Default password Frustration

Thu Dec 21, 2023 1:06 am

I grab my phone to photograph the label on each one on unboxing.
  • I have a permanent record on hand (including MAC addresses, serial) in case of need.
  • I can easily expand the view for readability, no separate magnifier involved.
  • I can see the passwords on or adjacent to my computer when using them, rather than peering at the router.
 
goscickiw
newbie
Posts: 34
Joined: Fri Feb 17, 2023 8:56 am
Location: Poland

Re: Default password Frustration

Thu Dec 21, 2023 3:52 pm

An SXT LTE6 kit 2023 that I bought yesterday has just arrived, and indeed it has a default password. I can read it clearly; presumably it's one of the newer labels, but I don't have any of the old ones to compare.
 
krafg
Forum Guru
Posts: 1038
Joined: Sun Jun 28, 2015 7:36 pm

Re: Default password Frustration

Thu Dec 21, 2023 8:16 pm

Thanks for the info. No idea of that.

Regards.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: Default password Frustration

Thu Dec 21, 2023 8:26 pm

New models come with default password which is on the cardboard box and also on the router itself.
ALSO it is available from your distributor in a digital document / CSV.

Newer batches have improved label print quality and do not have ambiguous characters (0/O etc)
Imho,
why do we need to depend on the distributor for that? As already mentioned in the YT video about this, they are not required to provide that file.
Why doesn't Mikrotik provide a tool in the Mikrotik account where, by entering the serial number, it shows the serial..
This is a cleaner and better user experience...
On my hAP ax2 I had to basically guess if it was a K or an R; I used Google Lens to help me out, and now I have this written in my password manager...
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Default password Frustration

Fri Dec 22, 2023 2:08 pm

New models come with default password which is on the cardboard box and also on the router itself.
ALSO it is available from your distributor in a digital document / CSV.

Newer batches have improved label print quality and do not have ambiguous characters (0/O etc)
Imho,
Why we need to depends on distributor for that as already mentioned in the yt vídeo about this, they are not Required to provide that file.
Why Mikrotik don't provide a tool in Mikrotik account that by informing the serial number it shows the serial..
This is a cleaner and better user experience...
My hap ax2 I had to basically guess if was a K or R I have used Google lens to help me out now I have this written in my password manager...
Or just throw a separate piece of paper into the box with that password, in a properly sized font like 10 or 12.
I bought 3 new RB devices lately and it was a real pain to get these up and running,
since that password was pretty much unreadable and my eyes literally bled 2 days in a row afterwards from attempts to decipher these.
 
holvoetn
Forum Guru
Posts: 6019
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Default password Frustration

Fri Dec 22, 2023 2:25 pm

I do have my comments as well on the implementation (not the fact it's being done, that's legislation):
- Labels only being used for 2/3 of the available space (still saw it on the latest AX Lite I bought)
- ambiguous characters (ok, that's been handled so it seems)
- passwd only on device (latest devices I've seen had a separate paper in the box, still way too small though ...)

But let's not complain over it more than needed.

Camera x3 zoom, picture and done.
All those pictures go in my note taking app so I always have them available (can even search on MAC address there so quite easy to find one back if needed).

It is a problem, certainly, but not one which cannot be solved.
 
Cha0s
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Default password Frustration

Fri Dec 22, 2023 7:01 pm

I still don't understand how other vendors get away (legally speaking) with forcing users to change the default password on first login and MikroTik had to resort to this random password nonsense...

It would seem that simply forcing users to change the password in order to use the device is enough (legally) if everyone else is doing it.

The only place where I've seen random passwords being forced is CPEs that ISPs give out to customers and AVM's hardware. No consumer product I've used so far has this random password policy.
 
foxfox69
just joined
Posts: 1
Joined: Fri Jan 05, 2024 6:04 pm

Re: Default password Frustration

Fri Jan 05, 2024 6:11 pm

Another potential label issue here.

Just bought a brand new hAP ax lite and neither of the label passwords work.

Tried resetting the device, and when I factory-default RouterOS I can access it with WinBox using the MAC address (obviously I've then lost all the nice configs).

Loading back the default settings gives me the correct IP and wifi functionality back, but still the logins claim wrong passwords.

My label is readable but it has some ambiguous characters (such as zeros) - tried various combinations.

Any chance the label is wrong / swapped / corrupted?

Also what to do? I don't want to manually configure everything from command line ...
 
holvoetn
Forum Guru
Posts: 6019
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Default password Frustration

Fri Jan 05, 2024 8:57 pm

Make sure to really use all possible combinations of those ambiguous characters.
Also, camera zoom x3 helps !

Your distributor should be able to get the password based on mac address.
And otherwise, have it replaced !
 
bpwl
Forum Guru
Posts: 3046
Joined: Mon Apr 08, 2019 1:16 am

Re: Default password Frustration

Wed Jan 10, 2024 3:55 pm

It is a frustration, that could have been avoided.
Just received brand new hAP ax2, my first device in the ax series.
And I needed quite some tricks to get it started.
How can you sell a device like that in Europe, with so many traps for the end-user ???
Finally got in, thanks to quite some MT ROS experience.

New box, (not sealed but device seems untouched)

Could not get in, so following steps are taken.

- 5GHz wifi does not appear
- using cable in port ether2
- wrong password
- printed on the bottom of the device, and yes it is 1O and not 10 as password character
- once the base plate mounted, it might be hidden
- no other document with that information
- Didn't want to type in that wifi password. So changed wifi security to my default
- Added my own support user with admin rights

Disconnect cable, go via wifi
- No wifi 5 GHz seen
- back to cable, wifi1 is on 5860MHz, for Europe ???? Not usable here. OK, take wifi2 (2GHz)
- Windows starts with popups about WPA3
- Cannot log in. Winbox makes no connection, not with IP not with MAC. Nothing in discover. No Webfig connection.
- No Telnet, no MAC Telnet
- back to cable (using a mAP Lite to reach the device via ether2)
- hmmmm ... bridge is not on interface LAN list. Why is only ether2 on that list ?
- only way to connect is via ether2
- OK, let's open some paths ... RoMON password set, bridge added on LAN interface list
- Many things open up with bridge on interface LAN list
- adding ether1 to bridge. (Well I need PoE in my LAN)
- Changed country in wifi1, switches to DFS freq 5680MHz
- wifi2 on 2GHz now uses 2427MHz, channel 4+8 , 40MHz wide, damn 2GHz jammer!
- set to 20MHz. Crowded area, lots of IoT devices, and somebody around is using channel 6 for non 802.11 wifi. 100% transmit time.
- ETSI not one of the wifi regions, country used
- Ready to upgrade the 7.8 ROS to 7.12, maybe then even to 7.13 (with that packages change)

Fun can begin ... even as the connection is dropped from time to time, and the ROS wifi menu shows unwanted things.
What does "skip 10 min CAC" mean, if choosing a weather radar channel is exactly what the device then does on its own?
[attachment: Klembord-2.jpg]
And far from stable yet.
[attachment: Klembord-3.jpg]
Last edited by bpwl on Wed Jan 10, 2024 5:48 pm, edited 7 times in total.
 
holvoetn
Forum Guru
Posts: 6019
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Default password Frustration

Wed Jan 10, 2024 4:01 pm

Oh, the joys of a new toy, eh ? :lol:
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Wed Jan 10, 2024 4:04 pm

Oh, the joys of a new toy, eh ? :lol:
It sounds more like when you order a framed picture online and instead get a 1000-piece puzzle of that picture: it is actually fun, but somehow unexpected. :lol:
 
jbl42
Member Candidate
Posts: 220
Joined: Sun Jun 21, 2020 12:58 pm

Re: Default password Frustration

Wed Jan 10, 2024 11:40 pm

What does it mean "skip 10 min CAC" , if choosing a wheater radar channel is exactly what the device then does on its own
The regulatory Channel Availability Check (CAC) time before an AP is allowed to broadcast beacons on a DFS channel is 1 min.
For 5'600 to 5'650 MHz (channels 116 to 128), the EU, resp. ETSI, mandates a 10 min CAC.

Maybe "skip 10 min CAC" means skipping (not using) channels with a 10 min mandated CAC time?
 
bpwl
Forum Guru
Posts: 3046
Joined: Mon Apr 08, 2019 1:16 am

Re: Default password Frustration

Thu Jan 11, 2024 12:16 am

Did not skip it. That's the point.

Bizarre thing is that so much was illogical. So bad that I did a reset with default config. They allow you to keep the extra user configured.
Bridge ports were OK now !???!??? : ether2-ether5 to the bridge, and bridge (still?) in LAN interface list.
But again these odd frequencies. Maybe I need to update my understanding ... "/interface/wifiwave2/radio> print detail" gives a long list of new frequencies (SRD low power or not?)
Reading the default config script (under system) shows they insist on "indoor" installation (in the comments). Why? IPX rating? There is even a sticker on the device "indoor use only". Only MT in some countries set used to block outdoor freq when it is set to installation=indoor. Based on what?
 
jbl42
Member Candidate
Posts: 220
Joined: Sun Jun 21, 2020 12:58 pm

Re: Default password Frustration

Thu Jan 11, 2024 3:14 pm

The whole MT country-specific WiFi regulation thing is currently in a bad state. 7.13.1 just broke it again in a new way. At least they are working on it.
It seems confusing to have country settings for VAPs. It makes no sense for VAPs sharing the same channel and radio HW to broadcast different country IDs. Especially Apple devices, which take their local country setting from the first beacon they receive, will be confused.
 
tangent
Forum Guru
Posts: 1565
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Default password Frustration

Thu Jan 11, 2024 4:58 pm

Just bought a brand new hAP ax lite and neither of the label passwords work.

Ditto, but with an ax³. Try "admin" and a blank password. That's what worked for me after a factory reset (one step shy of netinstall), not the default password claimed on the pull-out tab.

My explanation for why a reset didn't reset the password as well — pending confirmation by better sources — is that it was one of the first batch. Although I only bought it last month, it had RouterOS 7.8 on it, indicating that I got old stock somehow.

I don't want to manually configure everything from command line ..

Once you get in, presumably with my blank password workaround, you can force it to reapply the default configuration, which will be easier to edit than starting from scratch.
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Thu Jan 11, 2024 5:01 pm

Please always report any sticker/password problems to support@mikrotik.com so we can find, fix the issue and improve the situation.
 
sajgan
just joined
Posts: 10
Joined: Thu Nov 23, 2023 10:30 pm

Re: Default password Frustration

Thu Jan 11, 2024 10:05 pm

What's the problem? For me it's a plus for safety... and when I had to enter it, I took a photo and enlarged the photo on my phone :)
 
bihtori
just joined
Posts: 1
Joined: Mon Jul 15, 2024 5:43 pm

Re: Default password Frustration

Mon Jul 15, 2024 5:49 pm

I just received my hAP ax² in the mail and I have to say deciphering the glyphs of the default password was a unique experience. Not only is the font the smallest I've ever seen on any physical device, the characters '8' and 'B' are next to impossible to tell apart. At least 0 and O could be told apart since there's a slash on the digit zero.

As a 40-years-young person with average vision I could pull it off, but for senior citizens with visual impairments such as my parents it would have been completely impossible to figure out the password.

Please, make the font larger.
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Tue Jul 16, 2024 10:06 am

I agree, first batches with passwords sometimes were hard to read. With newer products we are working to make the sticker and print higher quality. We have also removed ambiguous letters and numbers from the passwords.
 
rextended
Forum Guru
Posts: 12327
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Default password Frustration

Tue Jul 16, 2024 11:18 am

I recommend hiring someone INDEPENDENT from the company to do quality control,
and someone who really knows how to do their job, so as to avoid these problems in the future.

Whoever controls or makes decisions now seems completely out of touch, without any experience...
It has been known for decades that password ambiguities such as 0/O, 1/I/l (one, upper i and lower L), 8/B, etc. must be avoided,
let alone printing so small, and also with terrible quality...

Or like the DISC Lite5 chassis breaking...
We have ALL broken, resulting in irreversible economic loss with free replacement for all customers that use the device...

Or in the not too distant past, the plague of "green capacitors"... (which being objective, perhaps this could not have been so easily predicted)

To be objective, however, compared to other competing companies, at least there is no "50 days bug" or other sh!77y stuff, even worse than DISC...
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Tue Jul 16, 2024 2:51 pm

rextended, yes. Anyone with a serious computer science education knows about these ambiguous characters and to avoid them. Printing these passwords on a sticker with a completely insane absence of a configured character set, something that does not happen in an overnight YOLO deployment of a single dude, is completely ridiculous. And truly a sign of either lack of knowledge or the wrong people doing stuff they have no idea about. I am 100% sure that knowledge exists among Mikrotik staff, but is not used/ignored. Some smart manager creates a "device sticker team", puts in random people and ships without internal QA. I can pretty well imagine a Mikrotik programmer seeing a brand new device with these labels for the first time by coincidence and instantly yelling "WTF" out loud. 😅
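rextended's and infabo's posts above both come down to the character set used when a per-device password is generated for printing. The following is an added example, not MikroTik's code and not from anyone in the thread: a small manufacturer-side tool that draws passwords from an alphabet with the look-alike glyphs named in the thread (0/O, 1/I/l, 8/B) removed, flags those glyphs in an existing label string, renders a serial-to-password batch as the kind of CSV a distributor might receive, and shows how little entropy the smaller alphabet costs. The extra pairs 5/S and 2/Z, the 12-character length, and the sample serial numbers are assumptions.

```python
import csv
import io
import math
import secrets
import string

# Look-alike glyphs to keep out of printed passwords. 0/O, 1/I/l and 8/B are the
# pairs named in the thread; 5/S and 2/Z are an added assumption for small print.
AMBIGUOUS = frozenset("0O1Il8B5S2Z")

# Alphanumeric alphabet with the ambiguous glyphs removed (62 - 11 = 51 symbols).
SAFE_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS
)


def ambiguous_chars(password):
    """Return the sorted list of look-alike glyphs present in a label string."""
    return sorted(set(password) & AMBIGUOUS)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length=12, alphabet=SAFE_ALPHABET):
    """Generate a label password with a CSPRNG (secrets), never random.random."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def label_batch(serials, length=12):
    """Map each serial number to a fresh password; one independent entry per device."""
    if len(set(serials)) != len(serials):
        raise ValueError("duplicate serial number in batch")
    return {serial: generate_password(length) for serial in serials}


def batch_to_csv(batch):
    """Render a batch as the serial/password CSV a distributor could be handed."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["serial", "default_password"])
    for serial, password in batch.items():
        writer.writerow([serial, password])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample serial numbers, not real MikroTik serials.
    demo_serials = ["HAP-DEMO-0001", "HAP-DEMO-0002", "HAP-DEMO-0003"]
    batch = label_batch(demo_serials)
    print(batch_to_csv(batch))
    # A constructed label string containing the glyph pairs complained about above.
    print("ambiguous glyphs in 'k0O1lB8':", ambiguous_chars("k0O1lB8"))
    print(f"12 chars from 62 symbols: {entropy_bits(12, 62):.1f} bits")
    print(f"12 chars from {len(SAFE_ALPHABET)} symbols: "
          f"{entropy_bits(12, len(SAFE_ALPHABET)):.1f} bits")
```

Dropping eleven look-alike glyphs costs about 3 bits over a 12-character password (roughly 71.5 bits down to 68), so readability on the sticker is nearly free; the part that matters for security is that each device gets its own value from a CSPRNG and that the serial-to-password file is treated as a secret wherever it is stored.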
 
dang21000
newbie
Posts: 30
Joined: Sat Feb 25, 2023 2:30 pm
Location: France

Re: Default password Frustration

Fri Jul 19, 2024 9:51 pm

For me, the worst feature isn't a random default password, which is only used for device first init and can be stored in a CMDB.

I HATE the device mode settings. Why do I need to press a fucking button... can't it be done remotely and easily !!! :oops: :evil:
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Fri Jul 19, 2024 11:15 pm

every intruder hates the device mode...
 
ksx4system
newbie
Posts: 37
Joined: Sat Nov 13, 2010 7:08 pm
Location: Poland
Contact:

Re: Default password Frustration

Mon Jul 22, 2024 3:24 pm

I've never sad this, but God, please send to hell directly the person who wrote such small and unreadable default password.
Thanks.

You're sending the wrong people to hell. Direct your anger to insanely bored, absurdly overpaid and generally unreasonable EU bureaucrats who forced MikroTik (and most likely other network equipment manufacturers) to change their default policies (in this case an admin user account with no password that should be changed immediately after powering it on for the first time and before connecting it to anything other than the PC you're using to configure the basics).
 
holvoetn
Forum Guru
Posts: 6019
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Default password Frustration

Mon Jul 22, 2024 3:29 pm

Small observation...

What about UK then ? They're not EU anymore.
California ? Also to hell ?

This is a measure to protect consumers because, as we all know, 99% plug in a device and don't even open the admin pages for the rest of the device's lifetime.
 
rextended
Forum Guru
Posts: 12327
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Default password Frustration

Mon Jul 22, 2024 3:34 pm

You're sending wrong people to hell.

Exactly, anyone who accuses this or that person should go there, without even knowing what they are writing.

If everyone drove correctly, pretending that mechanical accidents don't exist, what would be the point of spending BILLIONS on bollards and traffic islands???


This is the only problem:
small and unreadable default password
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Mon Jul 22, 2024 6:27 pm

forced MikroTik (and most likely other network equipment manufacturers) to change their default policies (in this case admin user account with no password that should be changed immediately after powering it on for the first time and before connecting it to anything else than PC you're using to configure the basics).
Well, should be changed. Mikrotik didn't even ask users to change the password until about 2 years ago. And even since then, they implemented a completely useless "please set a password for admin, but you can still skip and click me away and keep the empty password..." Regardless of whether it was EU legislation, an RFC, or whoever brought Mikrotik to ship secure devices from the factory: they have my big thanks.
And people still arguing for an empty admin password should really go to hell. That's like lobbying for cars without seatbelts...
 
tangent
Forum Guru
Posts: 1565
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Default password Frustration

Mon Jul 22, 2024 8:07 pm

And people still arguing for empty admin password should really go to hell. That's like lobbying for cars without seatbelts...

Difference being, these MikroTik "cars" drive over global-scale highways and can "crash" into thousands of other "cars" per minute.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Mon Jul 22, 2024 9:12 pm

 
Cha0s
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Default password Frustration

Tue Jul 23, 2024 8:39 pm

I've never sad this, but God, please send to hell directly the person who wrote such small and unreadable default password.
Thanks.

You're sending wrong people to hell. Direct your anger to insanely bored, absurdly overpaid and generally unreasonable EU bureaucrats who forced MikroTik (and most likely other network equipment manufacturers) to change their default policies (in this case admin user account with no password that should be changed immediately after powering it on for the first time and before connecting it to anything else than PC you're using to configure the basics).
I still haven't got an answer as to how Ubiquiti, TP-Link, etc. get away with it.
They do NOT ship with random passwords. They simply force you to change the default password on first login.
If they can do it that way, why can't MikroTik?
 
rextended
Forum Guru
Posts: 12327
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Default password Frustration

Wed Jul 24, 2024 10:35 am

C*mb*um does not force anything, and is still shipped in the EU...
 
ksx4system
newbie
Joined: Sat Nov 13, 2010 7:08 pm
Location: Poland
Contact:

Re: Default password Frustration

Wed Jul 24, 2024 10:56 pm

Mikrotik didn't even ask users to change the password until about 2 years ago. And even since then, they implemented a completely useless "please set a password for admin but you can still skip and click me away and keep the empty password..."

There's nothing wrong with it; the vast majority of MikroTik's devices will be used by professionals, not clueless users without even the most basic networking knowledge.

And people still arguing for empty admin password should really go to hell. That's like lobbying for cars without seatbelts...

This is disgusting. You literally should have issues (and probably get hacked) if you're too lazy to set your own password yourself. As in real life, every action (or lack of one) has its consequences. Pay someone to do it if you can't do something as basic as setting a password on your own device when it literally asks you to do it on first boot!
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Thu Jul 25, 2024 10:16 am

There's nothing wrong with it, vast majority of MikroTik's devices will be used by professionals not clueless users without even the most basic networking knowledge.

Do you have numbers to support this claim? Mikrotik devices are freely available, and the sheer number of topics posted daily in this forum clearly shows that a significant number of people neither work professionally with ROS nor have knowledge of ROS or networking in general.

This is disgusting. You literally should have issues (and probably get hacked) if you're too lazy to set your own password yourself. As in real life, every action (or lack of) has its consequences. Pay someone to do it if you can't do something as basic as setting password to your own device when it literally asks you to do it on first boot!

Somewhat disgusting, yes, but don't point the finger at me. It was just an ironic, sarcastic response to the statement made by the OP or some post in between that no longer exists in its original form.

In any case, it's not so simple to say, "well, then you'll just get hacked. your fault." Considering that Mikrotik devices are part of botnets or become part of them, it's no longer an individual's problem. And it's not about paying someone to set a password. Just because someone does something professionally or gets paid for it doesn't imply that this person also wants to set a password. That is a completely false conclusion. Many people are simply too lazy to set a password if it's not necessary. And even if they do set a password, it's often a simple one that has already been leaked in a password breach a thousand times.

What's so wrong with just reading a password from a sticker? We're talking about the ability to read, which you learn as a schoolchild. Just type it in and done. The fact that Mikrotik didn't do their homework here and used inappropriate characters – that can be very well debated and criticized.
 
ksx4system
newbie
Joined: Sat Nov 13, 2010 7:08 pm
Location: Poland
Contact:

Re: Default password Frustration

Thu Jul 25, 2024 9:13 pm

What's so wrong with just reading a password from a sticker? We're talking about the ability to read, which you learn as a schoolchild. Just type it in and done. The fact that Mikrotik didn't do their homework here and used inappropriate characters – that can be very well debated and criticized.

It's a good idea to make it readable first; not everyone has the eyesight of a military sniper.
 
phascogale
Frequent Visitor
Posts: 58
Joined: Tue Oct 17, 2023 11:25 am

Re: Default password Frustration

Fri Jul 26, 2024 1:18 am

not everyone has eyesight of a military sniper
But most likely everyone has a phone with a camera and thus zoomable photos on hand. This has been mentioned at least three times in this thread.

As I get older I occasionally have to manage small or unclear writing, or hills that take longer to climb. I deal with it.
 
holvoetn
Forum Guru
Posts: 6019
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Default password Frustration

Fri Jul 26, 2024 9:15 am

Some keep looking for problems and stay there.
Some keep looking for solutions and move on.
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Fri Jul 26, 2024 10:44 am

1) Yes, there were ambiguous characters in the first batches; now new products are manufactured without chars that can be mixed up
2) Yes, initial stickers were low print quality; that has been improved
3) You can always get the password from the distributor or MikroTik, as the default password is known to MikroTik and the distributor
 
Bomber67
Member
Posts: 396
Joined: Wed Nov 08, 2006 10:36 am

Re: Default password Frustration

Tue Aug 20, 2024 2:09 pm

1) Yes, there were ambiguous character in the first batches, now new products are manufactured without chars that can be mixed up
2) Yes, initial stickers were low print quality, that has been improved
3) You can always get the password from the distributor or mikrotik, as the default password is known to mikrotik and distributor
Does this mean that products are now shipped with a sticker readable without a microscope?
I highly dislike this new password regime; among all other tasks we now have to also keep a record of all RBs deployed, just in case one needs to be reset with a button at a remote location..
IMNSHO I consider that the task of securing devices should be left to the engineers.

But given the situation, as I am closer to 60 than 50, I am pulling my hair out regarding these stickers that were probably designed by some 18-year-old.
No way I can read them without strong light and a magnifying glass.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Tue Aug 20, 2024 2:54 pm

But given the situation, as I am closer to 60 than 50, I am pulling my hair regarding these stickers that probably are designed by some 18 year old.
No way I can read them without strong light and a magnifying glass.
The good news :) are that at nearly 60 you still have hairs to pull.
The bad news :( are that the situation is likely much worse than you hypothesized.
These stickers cannot possibly have been "designed"; even a 5-year-old would have done a better job at that. It seems evident that no thought was given to them before putting them into production.
Which means that these non-designed stickers have been non-examined and thus non-approved by a non-existent project/product manager.
 
tangent
Forum Guru
Posts: 1565
Joined: Thu Jul 01, 2021 3:15 pm

Re: Default password Frustration

Tue Aug 20, 2024 10:19 pm

among all other tasks we now have to also keep a record of all RBs deployed

“Also”? You weren’t already assigning random passwords to each RB and storing them in a password manager?

If you were, then this change merely means you have two passwords to store per device: the one you generate locally and the one you may have to use again someday in the reset case.

IMNSHO I consider the task of securing devices should be left to the engineers.

The thing is, we tried that for a few decades, and the data are now in: there are millions of easily broken-into MT boxes out there. Unless your argument is that you should have to present a Practicing Engineer’s license at purchase time, I don’t accept your alternative as solving the problem.
 
alaine
just joined
Posts: 13
Joined: Fri Jun 12, 2015 2:36 pm
Location: Helsinki, Finland

Re: Default password Frustration

Tue Aug 20, 2024 10:45 pm

Please, please make the password on the label readable with a QR code. Any installation of thousands of devices is not at all possible if every device's badly written password has to be read manually. Please, please put a QR code next to it, which makes device provisioning several times faster, and much more reliable.

I need to read QR code (or QR codes) for :
- device serial number
- device default password
- device model

The last one I can live without, as I can map the provisioned serial numbers to the device models.

I have asked this from Mikrotik support before, no understanding of the issue, no fixing.

For a consumer, running a single device, this of course is not a problem at all. It seems Mikrotik thinks all of their customers buy 1-3 devices, manually set those up, and that's it.
In real life, setting up thousands of devices cannot be done manually. It is really really weird that Mikrotik does not seem to understand any of this, as they have answered to me that "oh, the password is in that device sticker, you can read it from there!". How stupid can one be?

Then again, this is one of the reasons our CPEs are not Mikrotiks as of now. All CPEs must support symmetric gigabit ethernet, with very basic IPv4 NAT mode and IPv6 very basic firewall mode. With Mikrotik, the IPv6 traffic is NOT handled with hardware, and with IPv6, the device CPU can only send/receive about 20% of that line speed. So, Mikrotik CPU is 100%, when some 220 Mbps IPv6 single stream traffic is passing through a very basic HEX-S/hAP ac2/hAPax2/hAPax3 configuration. Our customers can easily see that with any speed test, and the ISP must then remove all Mikrotiks from the network, and replace these devices with non-Mikrotik hardware.

When, oh when, Mikrotik will learn that IPv6 is heavily used around the world, and hardware Fast Path support in Mikrotik MUST be implemented. Now!
 
Bomber67
Member
Posts: 396
Joined: Wed Nov 08, 2006 10:36 am

Re: Default password Frustration

Tue Aug 20, 2024 11:21 pm

The thing is, we tried that for a few decades, and the data are now in: there are millions of easily broken-into MT boxes out there. Unless your argument is that you should have to present a Practicing Engineer’s license at purchase time, I don’t accept your alternative as solving the problem.
Well, if some fella is sloppy and does not secure his devices, or his customer's, it is still not MT's responsibility...
 
tangent
Forum Guru
Posts: 1565
Joined: Thu Jul 01, 2021 3:15 pm

Re: Default password Frustration

Wed Aug 21, 2024 12:35 am

Well, if some fella is sloppy…

That's the thing: it isn't "some fella." There were around 250k compromised MT boxes in the 2021 Meris attack alone, creating enough traffic to nearly double Cloudflare's normal load.

This isn't a problem for "some fella," it's a problem for everyone on the Internet.

Thus why countries are passing laws requiring strong default passwords. This is the type of pro-social thing we have governments for.

it is still not MT's responsibility...

Okay, let's take your legal theory as given. Should Cloudflare go file 250k separate lawsuits for negligent configuration against those bot owners? There isn't such a thing as a reverse class-action, as far as I'm aware.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Wed Aug 21, 2024 12:46 am

But, if I recall correctly, the 250,000 of Meris were connected to a RouterOS bug/vulnerability, not to 250,000 compromised passwords.
 
tangent
Forum Guru
Posts: 1565
Joined: Thu Jul 01, 2021 3:15 pm

Re: Default password Frustration

Wed Aug 21, 2024 1:28 am

But, if I recall correctly, the 250,000 of Meris were connected to a RouterOS bug/vulnerability, not to 250,000 compromised passwords.

That's the 2018 attack. While many remained unpatched by the time of the 2021 attack, the first linked article says, "…compromised devices that…use the default usernames and passwords."
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Wed Aug 21, 2024 1:59 am

The article says:
While the vulnerability was patched after its detection back in 2018, it’s still being exploited in compromised devices that do not use the patched RouterOS versions, or that use the default usernames and passwords.
The last part of the sentence is "captain obvious" speaking, and it is not entirely accurate, an attacker needs to know the credentials AND have a way to remotely log in.
From the CVE and related articles, it appears that the issue was with the possibility of using Winbox to download files, including the user/password database that was (easily) decryptable without authenticating, this seems to me detailed enough:
https://blog.n0p.me/2018/05/2018-05-21- ... issection/
 
tangent
Forum Guru
Posts: 1565
Joined: Thu Jul 01, 2021 3:15 pm

Re: Default password Frustration

Wed Aug 21, 2024 2:15 am

If your point is that we cannot know how many of those 250k attack bots were set up using default or easily-guessed passwords, then yes, we indeed do not know that.

But this is a side issue. The point is, we have data showing that a whole lot of historical RouterOS boxes have no password (the old default) or an easily-guessed one. I believe this new policy of default random passwords is likely to help materially with that.

I could be wrong. Maybe enough people will reset them to blank or monkey123 that we'll be right back in the same soup. My question then is, what should we be doing instead?

Keep in mind that doing nothing isn't an option. It's legally required that MT do this by the EU now.
 
Bomber67
Member
Posts: 396
Joined: Wed Nov 08, 2006 10:36 am

Re: Default password Frustration

Wed Aug 21, 2024 11:20 am

Well, if some fella is sloppy…

That's the thing: it isn't "some fella." There were around 250k compromised MT boxes in the 2021 Meris attack alone, creating enough traffic to nearly double Cloudflare's normal load.

This isn't a problem for "some fella," it's a problem for everyone on the Internet.

Thus why countries are passing laws requiring strong default passwords. This is the type of pro-social thing we have governments for.

it is still not MT's responsibility...

Okay, let's take your legal theory as given. Should Cloudflare go file 250k separate lawsuits for negligent configuration against those bot owners? There isn't such a thing as a reverse class-action, as far as I'm aware.
I have no reason to question your numbers.
But as you probably understand: It is the responsibility of the customer or the customer's representative (the tech) to config the devices properly.
There are all kinds of people out there, some of them have no idea what they are doing, and that might cause harm or damage to something or someone, but they are responsible themselves.
There are a million ways in our modern world that perfect legit gear can cause harm if you don't know how to prepare and use it, and that's not the responsibility of the manufacturer.

Those of us who have worked with RBs for decades know what we need to do and want to do it efficiently.
Staring at tiny blurry stickers through a magnifying glass in the light of a head torch, setting up large numbers of devices manually and maintaining DBs with thousands of default passwords is not in that category.
 
mkx
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Wed Aug 21, 2024 11:40 am

But as you probably understand: It is the responsibility of the customer or the customer's representative (the tech) to config the devices properly.

A parallel from transportation industry: it's drivers' responsibility to avoid other parties in traffic. But this didn't work too well after a short while and hence countries mandated driving on <insert the correct side here> side of roads. And if some driver doesn't drive on the right side of a road (pun intended), then he/she gets fined ... and causing an accident is not requirement for a fine.

Not exactly the same thing, but ... when you buy a new car, the dealer will have to prepare it for delivery after it comes out from the factory. The process is not exactly trivial (it changes with time; in a certain period in the past bodies were protected by a layer of wax/paraffin and dealers had to wash it away using hot water prior to handing cars over to buyers). If you're an ISP, then, well, you have to prepare CPEs for your users.

So get over it and adapt to the new reality.
 
bpwl
Forum Guru
Posts: 3046
Joined: Mon Apr 08, 2019 1:16 am

Re: Default password Frustration

Sat Aug 24, 2024 1:59 am

"So get over it and adapt to the new reality."

It still is a stupid thing to do,
"Password after reset that is printed on the device."

- Devices are sometimes in public areas, like CUBE 60 are.
- Password versus box table is stored in distributed databases.

- First thing to do is to change that password!
That should have been the only fix to the password problem, by making the change mandatory if the current password is empty or "admin" or some other common value.

So maybe if everyone changes the password to "admin", the idiocy of the new regulation should be clear.

To me, it is the "running" or active password that matters the most.
Not something initial or after some "reset".
 
mkx
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Sat Aug 24, 2024 9:10 am

"Password after reset that is printed on the device."

- Devices are sometimes in public areas, like CUBE 60 are.
- Password versus box table is stored in distributed databases.

Those who are genuinely concerned about device security (I'm pretty sure you are as are most regulars on this forum) can do something about it. Like covering password part of sticker using black permanent marker or ripping off the sticker. The whole thing is about those who don't do anything (either due to their ignorance or negligence), for those current state is much better than previous one. After all, most exploits are done over network without physical access to device being compromised.
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sat Aug 24, 2024 9:43 am

How realistic is a data breach? Is this password database absolutely secure? Distributors have access too? The wider the audience, the more likely a breach. Which actions are taken in case this database leaks to the public? Which actions are in place to prevent a data breach?
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sat Aug 24, 2024 11:43 am

After all, most exploits are done over network without physical access to device being compromised.
Yes, and - again - the insecurity is mainly the fact that *somehow* there is access to the device files from the outside, the Meris that has been cited was a bug that allowed to download the database with user/password credentials AND that info was relatively easily decryptable.
Having a default, common or strong password would not have changed the effects.
No way to blame the customers for their inappropriate security in that case.

The way Mikrotik implemented the EU norm is different from what other manufacturers do (AFAIK they keep the default admin/admin or admin/blank but the first thing when you boot the device for the first time or after a reset is that you MUST change the password), in this sense Mikrotik was more catholic than the Pope in choosing this procedure.

How safe this "central" database is is a good question infabo made; it is not even clear if only one copy exists at Mikrotik and access to it is granted to Mikrotik support personnel and to the various distributors, or distributors are given partial databases of only the devices they bought from Mikrotik and sold to customers.

@mkx
To remain in the automotive comparisons, I often like to cite the checklist on the original instruction manual of the Volkswagen T1:
https://www.thesamba.com/vw/archives/ma ... /page1.jpg
 
mkx
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Sat Aug 24, 2024 11:54 am

I often like to cite the checklist on the original instruction manual of the Volkswagen T1:

It's a very good checklist, too good to be useful nowadays. The thing is that when some kind of engineering marvel hits the mass market, everyone is wary of the new thing and has to learn how to properly use it. Many early owners of the Bulli previously rode horse carriages (likewise, users of early routers came off dial-up modems and BBSes). But after a while everybody takes things for granted and doesn't bother to learn the details. In such a case a bit of "forced education" might be the only way forward.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sat Aug 24, 2024 11:59 am

Yep. :) this remains valid anyway:
Always drive defensively. Expect the unexpected.
 
Cha0s
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Default password Frustration

Sat Aug 24, 2024 9:27 pm

The way Mikrotik implemented the EU norm is different from what other manufacturers do (AFAIK they keep the default admin/admin or admin/blank but the first thing when you boot the device for the first time or after a reset is that you MUST change the password), in this sense Mikrotik was more catholic than the Pope in choosing this procedure.
Yeap. Even Cisco started to force users to set secure passwords on first start-up, even though the device wasn't even accessible remotely without setting a password (and thus it was actually secure from remote intruders).

I haven't actually read the EU law regarding the passwords, but if every other vendor did it by forcing a password change, instead of random passwords per device, then I am inclined to believe that 'random passwords' wasn't a requirement by law.

MikroTik took the most difficult way for everyone (us and them) and having a central database with all the passwords (or even worse if the passwords are derived algorithmically) is a step backwards. One way or another some day this database (or even part of it) will leak to the public.

All MikroTik really had to do was to actually force a password change on first start-up (not that half-assed implementation where you can cancel it or ctrl+c it).
Something like, the router doesn't even route traffic (in case the user keeps the default config) if the admin password isn't set to something secure, and you cannot set any config (if you start with a clean config) unless you first set a secure password (meaning requiring sensible password complexity and don't allow "12345" and stuff like that).
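Several posts above circle the same practical task: tangent's point that every RB should already have its own random password kept in a password manager (now two per device, the sticker default for the reset case and the running one), normis's note that the defaults also reach you from the distributor as a CSV and that newer labels avoid ambiguous characters, and Cha0s's call for a complexity policy that refuses values like "12345". The block below is an added example written for this page, not code from the thread or from MikroTik. It loads a small constructed distributor-style CSV (the column names serial, model and default_password and the values in it are assumptions), generates a per-device password from an alphabet with no 0/O/1/l/I, checks it against an assumed baseline policy (not MikroTik's), and emits the RouterOS command that installs it; logging in with the default over SSH or the Winbox terminal is left to the operator.

```python
# Added example (not from the thread or from MikroTik): turn a distributor-style
# serial/default-password list into a per-device password rotation and keep
# both passwords on record for the password manager.
import csv
import io
import secrets
import string

# Constructed sample in the CSV shape the thread mentions. The column names
# and every value here are assumptions for this example only.
DISTRIBUTOR_CSV = """serial,model,default_password
HEX1234ABCD,hAP ax2,Kx7mRt2Pq9Wz
HEX5678EFGH,RB5009UG+S+IN,Vb4nHs8Lw3Yt
"""

# Sticker-unfriendly characters that newer label batches omit; we leave them out
# of generated passwords too, so a printed or hand-copied record stays legible.
AMBIGUOUS = set("0O1lI|")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + "-_.!%"
                   if c not in AMBIGUOUS)

# Values that must never be accepted as the running password.
DENYLIST = {"", "admin", "password", "12345", "123456", "monkey123"}


def load_defaults(csv_text):
    """Map serial -> default password from the distributor CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"]: row["default_password"] for row in reader}


def password_ok(pw, min_length=12):
    """Assumed baseline policy: long enough, not a well-known value, and at
    least three of four character classes. Not MikroTik's own policy."""
    if pw in DENYLIST or len(pw) < min_length:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def generate_password(length=16):
    """CSPRNG-backed password from the unambiguous alphabet that passes policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_ok(pw):
            return pw


def rotation_commands(new_pw):
    """RouterOS CLI that sets the admin password. The alphabet above contains
    no quote, dollar or backslash, so the value is safe inside double quotes."""
    return [f'/user set admin password="{new_pw}"']


def plan_rotation(csv_text, serial):
    """Record to keep per device: the default (typed after a hardware reset),
    the new running password, and the commands that install it."""
    defaults = load_defaults(csv_text)
    if serial not in defaults:
        raise KeyError(f"serial {serial} not in distributor list")
    new_pw = generate_password()
    return {
        "serial": serial,
        "default_password": defaults[serial],
        "running_password": new_pw,
        "commands": rotation_commands(new_pw),
    }


if __name__ == "__main__":
    record = plan_rotation(DISTRIBUTOR_CSV, "HEX1234ABCD")
    for cmd in record["commands"]:
        print(cmd)
```

Store the returned record in the password manager as tangent suggests: the default is what you type after a reset, the running password is what the rotation installed, and the commands are what to paste once you are logged in with the default.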
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sat Aug 24, 2024 10:11 pm

This password dialog was really the definition of half-assed. Encyclopedia Britannica added it: "half assed: ROS password dialog you can click away without actually setting a password at all."
Truly, never seen personally something at the same time useless and ridiculous like that.

Really, why did they not go the forced password way? Is installing a new device without touching the default config a real-world use case? Someone with no need to change the default config thus not setting an admin password even when enforced? It is not publicly known why they opted for the most difficult approach. Of course, there are other vendors printing the default wifi password on their stickers as well. But not for the admin user.

Mikrotik could have limited access to all management APIs (winbox, ssh, API, etc.) to physical Ethernet ports only, as long as no admin password is set. So at least no one from e.g. wifi or other untrusted non-physical sources can do harm.

And one thing is for sure: the password database will leak. It is just a matter of time.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sun Aug 25, 2024 12:51 pm

I haven't actually read the EU law regarding the passwords, but if every other vendor did it by forcing a password change, instead of random passwords per device, then I am inclined to believe that 'random passwords' wasn't a requirement by law.
Possibly because it is not at all clear which specific directive/norm/law they are attempting to be compliant to.

In any case the Law will say something generic and vague *like* "must implement adequate measures to prevent .... according to the state of art ....".

The (good or bad?) news are that the Cyber Resilience Act (CRA) has been approved (it still needs to be adopted).
We will see how manufacturers will attempt to comply with it.

The whole text can be found here:
https://www.european-cyber-resilience-act.com/
https://www.european-cyber-resilience-a ... 2022).html
The most relevant parts are Annex III (that lists what is covered by the Law):
https://www.european-cyber-resilience-a ... nex_3.html
And Annex I (that lists essential cybersecurity requirements)
https://www.european-cyber-resilience-a ... nex_1.html
 
mkx
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Sun Aug 25, 2024 1:53 pm

The problem with EC legislation is that there are two kinds (actually there are more, but in this case two are relevant): regulations and directives. Regulations apply in all member states immediately after they enter in force, equally in whole EU. Directives, however, need to be transposed into national laws and the ways of transposition can vary from country to country. I don't know which EU rule is about the "password frustration", but if it's directive, then national law in Latvia (which mostly applies to Mikrotik operations) may be "more catholic than Pope". Non-EU vendors have, in this case, freedom to choose in which EU country they'll apply for the necessary approvals (because, you know, EU is a single market and "shit" entering any EU member can then freely spread everywhere).
OTOH MT does have a track record of doing things differently than the average competing vendor, so what do we know? MT obviously won't clear the fog here ... as usual.
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sun Aug 25, 2024 2:10 pm

Maybe ETSI TS 103 645?
 
mkx
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Sun Aug 25, 2024 2:36 pm

Maybe ETSI TS 103 645?

This is ETSI standard, not EC legislation. Standards may get into legislation (in which case laws/rules/directives/... don't have to go into technical details but rather refer to certain standard), but without some kind of regulation they are not mandatory. So my rant about EC legislation stands ...
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sun Aug 25, 2024 3:21 pm

Yes, of course. But we don't know whether Mikrotik introduced it because of law or standards.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sun Aug 25, 2024 3:27 pm

If you check the Annex I, article 1, paragraph 3 of the mentioned CRA it can be read (in a restrictive way) to the effect that shipping a router with a password is not a sufficient measure to prevent unauthorized access to it. :shock:

Not unlike what happens now with credit/debit cards (the PIN cannot be shipped in the same envelope as the card), the password should be delivered to the customer through a separate shipment or different channel.

Fun times ahead. :lol:
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sun Aug 25, 2024 3:36 pm

can't find the mentioned paragraph. have a link?
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sun Aug 25, 2024 3:39 pm

Not unlike what happens now with credit/debit cards (the PIN cannot be shipped in the same envelope as the card), the password should be delivered to the customer through a separate shipment or different channel.
I don't know where you live, but I never ever received a credit/bank card shipped with PIN code in same envelope ever in my whole life.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sun Aug 25, 2024 3:56 pm

I don't know where you live, but I never ever received a credit/bank card shipped with PIN code in same envelope ever in my whole life.
Exactly, as I said, the PIN cannot be shipped in the same envelope as the card, to avoid the possibility that if the card is stolen "in transit" it can be used by the thief if also the PIN is present.
Even if you get your card at the bank office, the card and PIN are in separate envelopes (and the few times I did that - but cannot say if it is a Law requirement - the two envelopes were in the custody of two different employees).

Annex I (already provided link):
https://www.european-cyber-resilience-a ... nex_1.html
Article 1:
1. SECURITY REQUIREMENTS RELATING TO THE PROPERTIES OF PRODUCTS WITH DIGITAL ELEMENTS
Paragraph 3:

(3) On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:

(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state;

(b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;
...
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sun Aug 25, 2024 4:27 pm

Not unlike what happens now with credit/debit cards
To be fair: you said "now" like it is something new.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sun Aug 25, 2024 4:45 pm

To be fair: you said "now" like it is something new.
Well, I wrote now meaning now, as in now, would already have been better? :?
Or should I have gone all the way to adding "since the dawn of times" or "AFAICR"? :wink:
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Sun Aug 25, 2024 6:41 pm

Yes, "already" would have been crystal clear for me. But as a non-native speaker I can't tell for sure if the sentence with "now" has the same meaning.

Do you know the scene from Spaceballs movie?
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Sun Aug 25, 2024 7:39 pm

Do you know the scene from Spaceballs movie?
Yep.
We're at now now. :lol:
... as a non native speaker ...
... which makes a nice round two of us. :wink:
 
Bomber67
Member
Posts: 396
Joined: Wed Nov 08, 2006 10:36 am

Re: Default password Frustration

Mon Aug 26, 2024 8:04 am


It still is a stupid thing to do,
"Password after reset that is printed on the device."
Exactly.
That should have been the only fix to the password problem, by making the change mandatory if the current password is empty or "admin" or some other common value.
Exactly.
To me, it is the "running" or active password that matters the most.
Not something initial or after some "reset".
Exactly.

By their approach MT has created a lot more work and administration for their customers, without achieving more security-wise than could be done by forcing a password change after initial boot.
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Default password Frustration

Mon Aug 26, 2024 8:31 am

Maybe not obvious, but since most of our devices have a default configuration, all it takes to make them work is plugging in the ISP cable and connecting to the default wireless SSID.

Which a LOT OF PEOPLE DO.

There is no "initial connection" to change password. They never connect to it.
 
mkx
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Mon Aug 26, 2024 9:01 am

There is no "initial connection" to change password. They never connect to it.

Perhaps devices should ship with default config with internet connection (whichever it is) disabled. This would force users to connect at least once. During this initial connection, user would be forced to set admin password (with some proper password quality policy enforced), after which the internet connection would get enabled (implicitly after admin password is set). And until this was done, device would be essentially safe against internet attacks due to internet being disabled.

I guess that the above would allow ISPs to provision device easily ... their provisioning systems would simply be connected to one of LAN ports (which would be fully configured and enabled with factory config).
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Mon Aug 26, 2024 9:52 am

It is already a misconception to ship with default configuration. Trying to guess all needs. Impossible.

But in reality most people need little adjustment to the default configuration. That's what someone can do by using QuickSet already. No need to have a firewall enabled by default when using the device as an AP (like a cAP ax), and these rules are useless to have by default just because maybe. But on the other hand, reverting the default config on first login is unreasonable for most people, as it removes everything. And setting up from a blank slate without basic Mikrotik knowledge is a quite impossible task.

So it would be better to ship with no config at all. A dumb device that just waits to be set up.
A forceful setup wizard on one Ethernet port with DHCP enabled and an open wifi SSID.

The user needs to connect by cable or wifi, get the Mikrotik Home app or a web browser and go through some basic wizard to finish the initial setup. There he needs to set a password and be asked whatever questions are needed and useful for setting up the most common needs (wifi, LAN, WAN connection, system, unattended ROS update, etc.).
Then the 99% user will really be done and will never ever need to connect to the device again.

I mean, srsly: look at the competition. They basically all use guided setup wizards for initial setup. Why does Mikrotik insist on this legacy default config concept?

And the best: as there is no default config that does anything useful there are also no concerns. You could leave first Ethernet port open for provisioning - like holding reset button 2sec on boot - so all professionals are happy again.
 
normis
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Default password Frustration

Mon Aug 26, 2024 10:34 am

Wouldn't this make your (admin) life even harder? Now you complain about one default password, then you will complain about a requirement to connect via Smartphone app to each and every device and run a wizard
 
infabo
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Mon Aug 26, 2024 11:03 am

And the best: as there is no default config that does anything useful there are also no concerns. You could leave first Ethernet port open for provisioning - like holding reset button 2sec on boot - so all professionals are happy again.
You could add a "provision-initial-password" endpoint to the REST API. As I already said, the device is listening on e.g. eth1 and an open wifi for connections. Regular users use the apps or webfig to go through a guided wizard. Experts or professional users could use the "provision-initial-password" API endpoint (which at this stage is the only accessible/enabled endpoint and is available without authentication) to set an admin password by some scripting or as part of the provisioning process. This functionality could also be added to Winbox as well. In the neighbor listing these dumb unprovisioned devices could be listed as "waiting for initial setup". Then there is an "adopt device" button; click it, enter a password. Done.

Once this password is set, the admin can proceed with the work as usual as it was in 2009 already. Connect using Winbox and/or automate the provisioning. Basically like the admin would do as it was in times before the password-sticker.

But regardless what I propose here. It may even be too complicated. But take my/our input as inspiration. Be open for change. Evaluate processes. Evaluate user interfaces. This does not mean you need to actually change. But talk and discuss about it - even if it is company internally.
 
jaclaz
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Mon Aug 26, 2024 11:42 am

It is not like I cited the CRA (which is not yet in effect) casually.
Annex 1, Article 1, paragraph 3 (a) is exactly about this:
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state;
This is what MikroTik is IMHO already doing.

If you take a device and just connect it, there are two possible outcomes:
1) it won't work, for *whatever* reasons, and it will need to be configured
2) it will work AND the default firewall settings are good enough to protect the user network in most cases

@Normis
With all due respect :), I cannot believe that there is a relevant amount of people that:
1) buy a Mikrotik device, renowned as a very powerful/customizable but complex environment (as opposed to the simpler alternatives)
2) don't even access it to verify the default settings

But the CRA will (and Mikrotik already does) cover this (IMHO rare) possibility.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Mon Aug 26, 2024 11:47 am

Sorry I did not understand the comment directed at me. Can you clarify the point you are making?
Unfortunately MikroTik is popular with two very, very different groups: home users that plug and play (or a mobile operator that just gives them a router), and professional installers. We have to make both groups happy and secure.
 
infabo
Forum Guru
Forum Guru
Posts: 1175
Joined: Thu Nov 12, 2020 12:07 pm

Re: Default password Frustration

Mon Aug 26, 2024 11:53 am

Operators use flashfig and ignore the default password - or how do they? Can a mobile operator request devices without the sticker? The operator may not want the user to see these credentials, as the user should not be able to change the config.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26717
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Default password Frustration

Mon Aug 26, 2024 11:54 am

operators can use flashfig, yes
user should not be able to change config
most likely this depends on the country.
in our country users absolutely will change the config
 
jaclaz
Forum Guru
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Mon Aug 26, 2024 3:19 pm

Sorry I did not understand the comment directed at me. Can you clarify the point you are making?
Unfortunately MikroTik is popular with two very very different groups. Home users that plug and play (or mobile operator that just gives them a router). and professional installers. We have to make both groups happy and secure.
I meant that, IMHO, most users of Mikrotik, in the sense of those that choose a Mikrotik, do so because Mikrotik routers/devices can be (though not so easily) configured; those that expect plug and play and/or a simple configuration will likely choose an easier/simpler device.

I believe that you are simplifying too much, you have two groups in mind:
1) home users that plug and play (or mobile operator that just gives them a router)
2) professional installers
that are actually three:
1) Home users that plug and play
2) mobile operator that just gives them a router (even if they give the router to the final plug and play user, the router will be configured by them)
3) professional installers
of these three only the first would not change the password anyway.

I believe that there are at the very least 5 of them:
1) Home users that plug and play
2) Home users that DO NOT plug and play
3) mobile operator that just gives them a router
4) SO (as in SOHO) users that - even without being professional network engineers - know RoS well enough
5) professional installers
of these five only the first would not change the password anyway
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12327
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Default password Frustration

Mon Aug 26, 2024 3:33 pm

The fact that I was able to easily enter other operators' networks also makes you understand that the quality of professional technicians counts,
who often improvise without knowing what they are doing...

So, for me botnet (all brand) = 33% blank/standard/weak password + 33% ignorance of ISP... + 34% default firewall rule or settings removed or disabled

If one of my clients buys MikroTik (or other) and tries to use winbox or web to remotely configure the device... On my network it does not work at all...
Must use VPN...


If it were up to me,
I would revoke any possibility of existing to ISPs that don't even set a stupid rule that doesn't let IP addresses that don't belong to them leave their network...
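What the "stupid rule" above amounts to when applied on a RouterOS border router, as an added example that is not part of the original post: egress anti-spoofing (BCP38) plus the inbound block on standard management ports that rextended describes. The interface name and the two address-list prefixes are constructed placeholders.

```routeros
# Added example (not from the thread). Placeholder values: ether1 is the upstream
# link; 192.0.2.0/24 and 198.51.100.0/24 stand in for the operator's own prefixes.
/interface list
add name=WAN comment="upstream / transit interfaces"
/interface list member
add list=WAN interface=ether1

/ip firewall address-list
add list=own-prefixes address=192.0.2.0/24 comment="placeholder: our prefix 1"
add list=own-prefixes address=198.51.100.0/24 comment="placeholder: our prefix 2"

/ip firewall filter
# Egress anti-spoofing: anything leaving via WAN must carry one of our own source addresses.
add chain=forward out-interface-list=WAN src-address-list=!own-prefixes action=drop comment="BCP38: drop outbound packets with foreign source addresses"
# Ingress counterpart: packets arriving from upstream must not claim our prefixes as source.
add chain=forward in-interface-list=WAN src-address-list=own-prefixes action=drop comment="drop inbound packets spoofing our own prefixes"
# Standard management ports are not reachable from the Internet; administration goes over VPN.
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,23,80,443,8291,8728,8729 action=drop comment="no remote management from WAN"
```

Placed before any accept rules on the forward and input chains, the two forward rules also give an immediate counter of how much spoofed traffic each direction actually sees.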
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1429
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Default password Frustration

Mon Aug 26, 2024 3:53 pm

ISPs don't offer free protection against botnets, DDoS attacks or anything like that. While they probably should provide it as an option for the general public IMO, these services are mainly for businesses and are usually pretty expensive because they require a lot of investment from the provider. Companies like Cloudflare, Amazon and Microsoft have invested billions of dollars in this.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12327
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Default password Frustration

Mon Aug 26, 2024 4:50 pm

So I'm a white fly compared to everyone else?
The basics, like blocking spoofing and blocking incoming connections on standard ports, for me is the a-b-c of civilization...
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Default password Frustration

Mon Aug 26, 2024 6:22 pm

Maybe not obvious, but since most of our devices have a default configuration, all it takes to make them work is plugging in the ISP cable and connecting to the default wireless SSID.
Something like, the router doesn't even route traffic (in case the user keeps the default config) if the admin password isn't set to something secure, and you cannot set any config (if you start with a clean config) unless you first set a secure password (meaning requiring sensible password complexity and don't allow "12345" and stuff like that).
If the device doesn't work until a secure password is set, then problem solved.
Just saying...

I guess it was easier for MikroTik to change the manufacturing process than to devote a few hours of a developer to creatively solve the issue in software.
 
jaclaz
Forum Guru
Forum Guru
Posts: 1419
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default password Frustration

Mon Aug 26, 2024 6:28 pm

... unless you first set a secure password (meaning requiring sensible password complexity ...
JFYI:
https://neal.fun/password-game/
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Mon Aug 26, 2024 8:00 pm

 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1429
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Default password Frustration

Mon Aug 26, 2024 9:57 pm

So I'm a white fly compared to everyone else? The basics, like blocking spoofing and blocking incoming connections on standard ports, for me is the a-b-c of civilization...

Yeah, you're definitely an angel compared to the typical run-of-the-mill ISPs. At most they block like egress smtp and similar but that's about it. I wish more consumer-grade ISPs cared about this but unfortunately that's just the crappy reality.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12327
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Default password Frustration

Tue Aug 27, 2024 12:57 pm

crappy reality.
:(


OT: You can't imagine what happens when you have to block DNS by law and use your own... Do you know how many Chinese things call home?...
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12290
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default password Frustration

Tue Aug 27, 2024 3:44 pm

OT: You can't imagine what happens when you have to block DNS by law and use your own... Do you know how many Chinese things call home?...
Korean things as well (I've got a Samsung smart TV which is constantly trying to call home). And probably things conceived elsewhere as well (I don't believe that American SW designers are any better with regards to consumer privacy than the rest), calling home (probably called something "cloud") is mainstream these days.
