That's not a very large set to brute force. Especially for a local user that can see the MAC address and knows the "algorithm". 4 random capital letters is 26^4 possibilities, or just under half a million (456,976). That's much better than no password, but a pretty low bar from a security standpoint.
Solution could be to combine part of a serial number or MAC address, which are unique, and e.g. 4 random letters printed in CAPITALS on a sticker.
These 4 letters could be quite BIG on a sticker and the MAC could be read from the rest of the sticker or from WinBox.
This goes way beyond 'convenience'; these sorts of random passwords absolutely will result in a lot of pointless e-waste, financial waste and needless man-hours solely because the device got factory reset and can no longer be accessed due to credentials being inaccessible (company out of business, stickers faded/lost/removed etc.).
Convenience is the worst enemy of security.
Do it properly or not at all.
BTW ... what if I reset configuration to factory settings. Is that password set to the printed one?
Convenience is the worst enemy of security. Do it properly or not at all.
If we limit letters to distinguishable enough ones we lose a lot of randomness and security.
That's not a very large set to brute force. Especially for a local user that can see the MAC address and knows the "algorithm". 4 random capital letters is 26^4 possibilities, or just under half a million (456,976). That's much better than no password, but a pretty low bar from a security standpoint.
Well my intended workaround was ... netinstall. What happens then? The same question arises.
So what is the problem with random 4 letters as a suffix to the part of serial number .. which is different as well each time ... as a default password?
The Llama MT Password Reading Magnifying Glass!!
The box should have 2 or 3
- password
- Mac address
- optionally the serial number
I believe the kids call them QR codes, and when read by a mobile device's photo app they can launch a URL.
Barcodes would go a very long way to helping this situation. Not everyone has a barcode scanner, but it's a pretty easy sell if you have to configure lots of them.
One idea would be that the QR code launches the Mikrotik mobile app.
I thought that one of the advantages of QR codes was the built-in QR code error correction feature, with level H providing 30% Reed-Solomon redundancy.
Not a QR code, should just be a regular old barcode.
QR codes work better for things like wifi passwords as they can contain a lot more information (such as URLs) but provide no benefit in this instance and have some drawbacks.
What is the story here? I'm confused. Multiple scenarios mixed together?
netinstall is not always an option…you aren't configuring them all in the same physical location
deploying gear on radio towers
there is no way for any other company to take over the operation of the deployed gear by simply factory resetting it, as the password is gone.
oops we don't have what is written on the sticker so now someone has to climb the tower and read it
this regulation does NOTHING for devices that have inherent vulnerabilities and exploits, which is often how devices get compromised without ever needing to know the login credentials
the idea of netinstall is terrible because…it's no better than a randomized password as that gear is unserviceable to anyone other than you and your company
4.1 No universal default passwords
Provision 4.1-1 All IoT device passwords shall be unique and shall not be resettable to any universal factory default value.
Many IoT devices are being sold with universal default usernames and passwords (such as "admin, admin") for user interfaces through to network protocols. This has been the source of many security issues in IoT and the practice needs to be discontinued. Following best practice on passwords and other authentication methods is encouraged. Device security can further be strengthened by having unique and immutable identities.
So send back to factory testing location?
The next step to unlock the device is to put the device at the GPS position of the first power up...
It was a joke, but some Garmin GPS units you really can only unlock where they locked the GPS for the first time (outside the factory)...
So send back to factory testing location?
The next step to unlock the device is to put the device at the GPS position of the first power up...
You are completely missing the mark here. Not one person here is assuming you leave the default password (or lack of one) alone and use it indefinitely. That's idiotic and not what anyone is talking about
If you were expecting to be able to walk up to a router someone else installed and used to manage, but get full admin access on it without a reset of some kind, you're either dreaming or hoping for a world without any security at all.
Thank you!
Not only toddlers ... impatient teens just press the hAP ac2 reset button when there is an internet outage, or slower internet than they expected. The label "reset" and its place close to the power connector look like it will just do a fresh restart of the gateway, a softer alternative to power off/on, which they cannot do when the PoE ether1 port is secured. Where in fact it does a configuration reset to the default config.
Although I do think that the MikroTik devices make reset too easy; I wonder how many routers have been reset by toddlers, who seem to love to push buttons.
the device is essentially inoperable as a network device until the user intervenes and is forced to not just leave it with default credentials.
First, this would only affect new routers, if it wasn't possible to configure the router without setting a non-blank password (possibly requiring a password that wasn't one of the "common defaults" like admin/admin).
Hang on a sec. Your plan is to have a mode where someone remote can blank out the configuration and provide a new one, including a new non-empty password, in order to get around a regulation passed to avoid having routers completely taken over by LAN worms?
Are you actually thinking through real world situations and the implications?
Hang on a sec. Your plan is to have a mode where someone remote can blank out the configuration and provide a new one, including a new non-empty password, in order to get around a regulation passed to avoid having routers completely taken over by LAN worms?
Are you proofreading your proposals or just throwing out a repeated wish for no security whatsoever?
I assume your "attack scenario" is something like the following:
[SOLVED]
Passwords are available in CSV format from the distributor accounts.
You guys are good with scripts, come up with a script that takes these passwords from CSV as variables and uses them in your SSH mass config scripts
Or ... just Flashfig routers en-masse with some big switch.
This seems like it would be a good solution for distributors, but what about a small ISP? And hopefully, the distributors only have the passwords for the routers they bought for resale, i.e. not all routers.
Passwords are available in CSV format from the distributor accounts.
just 3 lines hahahahahaha
[SOLVED]
Passwords are available in CSV format from the distributor accounts.
You guys are good with scripts, come up with a script that takes these passwords from CSV as variables and uses them in your SSH mass config scripts
Or ... just Flashfig routers en-masse with some big switch.
Few problems with this
Passwords are available in CSV format from the distributor accounts.
You guys are good with scripts, come up with a script that takes these passwords from CSV as variables and uses them in your SSH mass config scripts
Or ... just Flashfig routers en-masse with some big switch.
1 & 2) We spoke and I think the confusion partially came from the fact that the most recent order they got didn't have the imei, password, ssid2 or ssid5 columns in the list. This data, while not ideal (a lookup process from your servers would be better), does appear to provide a workable solution, though far from optimal.
1. Distributors got all needed information some time ago, please ask your distributor to check their email and their account, where relevant info is shown in a giant popup.
2. Here is a real sample of the file the Distributor is able to give you:
"item_code","item","master_nr","serial_nr","manufacture_code","qty","soft_id","mac_first","mac_last","mac_count","imei","user","password","ssid2","ssid5"
"C52iG-5HaxD2HaxD-TC-US","C52iG-5HaxD2HaxD-TC-US hAP ax²","HAC19PAAK2B","HAC19PAAK2B","314","1","AFKW-BAAJ","41:A2:83:A0:1C:20","41:A2:83:A0:1C:26","7","","ADMIN","16YADDTAL8","",""
You should be able to do something with the first and last MAC
3. Flashfig is a separate app available on our download page: https://download.mikrotik.com/routeros/7.8/flashfig.exe
4. Can't do that, you can use SSH script to do a fully custom solution
5. An open APi to get passwords?
P.S: login is shown in caps for some reason, this is an error in the CSV generator, will be fixed. Password is correct as output.
{
"item_code": "C52iG-5HaxD2HaxD-TC-US",
"item": "C52iG-5HaxD2HaxD-TC-US hAP ax²",
"master_nr": "HAC19PAAK2B",
"serial_nr": "HAC19PAAK2B",
"manufacture_code": 314,
"qty": 1,
"soft_id": "AFKW-BAAJ",
"mac_first": "41:A2:83:A0:1C:20",
"mac_last": "41:A2:83:A0:1C:26",
"mac_count": 7,
"imei": "",
"user": "ADMIN",
"password": "16YADDTAL8",
"ssid2": "",
"ssid5": ""
}
./script.sh 41:A2:8A:9F:FA:CC
"9D1HA45GAYG"
#!/bin/bash
# Usage: ./script.sh <mac-address>
# Prints column 13 (the "password" field) of every line in data.csv that
# contains the given MAC address; the value is printed with its CSV quotes.
mac_address=$1
awk -F "," -v mac="$mac_address" '$0 ~ mac {print $13}' data.csv
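The one-liner above only matches the typed MAC as a literal substring of a row, so it resolves a device only when you enter exactly mac_first or mac_last, and it prints the password with its CSV quotes. The distributor file actually describes a MAC block (mac_first, mac_last, mac_count), so a lookup that accepts any address in that block, such as the MAC the deployment system sees on whichever port is cabled, is what a provisioning script needs. The following is an added example, not the thread's script or MikroTik code: it reuses the header and the sample row posted above, adds one constructed row with placeholder values, and the function names are my own.

```python
import csv
import io
import re
from typing import Optional

# Header and first data row: the distributor CSV layout quoted in the thread.
# Second data row: constructed for this example (placeholder values).
SAMPLE_CSV = (
    '"item_code","item","master_nr","serial_nr","manufacture_code","qty","soft_id",'
    '"mac_first","mac_last","mac_count","imei","user","password","ssid2","ssid5"\n'
    '"C52iG-5HaxD2HaxD-TC-US","C52iG-5HaxD2HaxD-TC-US hAP ax²","HAC19PAAK2B","HAC19PAAK2B",'
    '"314","1","AFKW-BAAJ","41:A2:83:A0:1C:20","41:A2:83:A0:1C:26","7","","ADMIN","16YADDTAL8","",""\n'
    '"EXAMPLE-ITEM","EXAMPLE-ITEM (constructed row)","EXAMPLE00001","EXAMPLE00001",'
    '"314","1","EXMP-EXMP","41:A2:83:A0:1C:30","41:A2:83:A0:1C:36","7","","ADMIN","EXAMPLEPW0","",""\n'
)

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def mac_to_int(mac: str) -> int:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-..., or AABBCCDDEEFF; reject anything else."""
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def load_inventory(csv_text: str) -> list:
    """Parse the distributor CSV into rows with integer MAC block bounds.

    Each row is checked for internal consistency: mac_last must not precede
    mac_first and the block size must equal mac_count. A broken file is
    rejected instead of silently matching the wrong device's password.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        first, last = mac_to_int(r["mac_first"]), mac_to_int(r["mac_last"])
        if last < first or last - first + 1 != int(r["mac_count"]):
            raise ValueError(f"inconsistent MAC block for serial {r['serial_nr']}")
        rows.append({
            "serial": r["serial_nr"],
            "first": first,
            "last": last,
            # The thread notes the CSV generator emits the login in caps by mistake.
            "user": r["user"].lower(),
            "password": r["password"],
        })
    return rows


def lookup(inventory: list, mac: str) -> Optional[dict]:
    """Return the inventory row whose MAC block contains `mac`, or None.

    Every port MAC of a device lies inside its block, not only mac_first,
    so the address seen on whichever port is cabled resolves correctly.
    """
    m = mac_to_int(mac)
    hits = [r for r in inventory if r["first"] <= m <= r["last"]]
    if len(hits) > 1:
        raise ValueError(f"MAC {mac} falls in {len(hits)} blocks; CSV is corrupt")
    return hits[0] if hits else None


if __name__ == "__main__":
    import sys
    inv = load_inventory(SAMPLE_CSV)
    hit = lookup(inv, sys.argv[1] if len(sys.argv) > 1 else "41:A2:83:A0:1C:23")
    print(hit["password"] if hit else "no device with that MAC in the inventory")
```

Run it with the MAC reported by the connected port (any separator style is accepted); an address outside every block yields no match rather than a wrong password, and a file whose block bounds disagree with mac_count is refused at load time.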
*** I still haven't read a valid example (other than protected-routerboot) where this default password is a problem.
But a concrete example, not bullshit.
Of course I too could be wrong, but for now I have no data regarding something insurmountable that you haven't made me consider yet.
Yes it is normis. Re-read what I said as you clearly misunderstood it.
the sticker has only the DEFAULT password which you must change.
this is not comparable to "I inherited a router that somebody password protected"
Yes I have, there is some merit in theory but not always in practice.
have you read my posts at all?
Here's another user, like others who have already been banned twice in a month on this forum, who begins to talk about graduation and various bulls–t.[...]
If you cannot even envision this as a real scenario and see the very real issues posed by having randomized passwords, then as far as I'm concerned you are woefully unqualified to be weighing in on this argument. No better than the opinions of a school student on how the real world works.
[...]
Thanks!
Password will be on the device itself and also on a similar sticker on the quickguide paper inside the box (in later batches)
Do you have any idea of the extra workload, on this way, then there is for anyone?
Do you work with RouterBOARD?
Just netinstall-it-all.
1) Our distributor sends us all the devices he distributes already branded with a branding package and a default password which is not empty (but for us is the same).
2) When devices arrive in our labs, all individual devices are tested, it is not the end user,
hotel or tower installation the correct way and place to first test/set up a device.
The first step is netinstall, ignoring completely the previous or default password.
Our branding package grants on software reset (except on another netinstall, obviously) the same default password we want.
3) Our technicians already have the device ready. In case for any reason they need another,
they certainly don't go and buy it themselves, but it is already given to them ready by one of the labs.
4) In case of taking over work done by third parties, unless protected-routerboot is involved (that's another story),
it takes a moment to take control of the device if you have the credentials,
and a moment to reset it completely (without netinstall) by setting the credentials you want (and, if needed, apply the branding package at same time).
If you do not have the credentials (and the protected routerboot is not involved) the device must still be reset,
often open if they are devices that have MikroTik cards inside and the reset is not exposed,
so that you know the default password, or not, since they are resetting and reinstalling with netinstall, nothing changes.
5) If you do not know the password, if the device needs to be reset, you still need physical access and press reset.
If the technicians you use aren't even qualified to hold down reset at startup until the device appears on netinstall, that's another matter...
The final sum of what I wrote is:
A) For those who work seriously on it, nothing changes.***
B) For end users, MikroTik seems to have made an agreement with the opticians. All young people without vision problems in the company?
*** I still haven't read a valid example (other than protected-routerboot) where this default password is a problem.
But a concrete example, not bullshit.
Of course I too could be wrong, but for now I have no data regarding something insurmountable that you haven't made me consider yet.
*** ALL ABSOLUTELY WRONG ***
you don't seem to understand that THIS REQUIRES LOGGING INTO THE ROUTER FIRST. you can't take a brand new hAP AC2 router out of the box and simply netinstall it, you have to log into the router first to change the boot settings.
Another bullshit, if you read, I wrote that I don't give a damn if it arrives already branded by the distributor or not, I netinstall it instantly without even putting in the password...
[...] You are not dealing with the same issues we are so stop telling people it's not an issue simply because someone else has to deal with your problems. [...]
No, it says exactly what it says: The first step is netinstall, ignoring completely the previous or default password.
You are referring to the branding package that your distributor installs for you, so you don't have to deal with the problem being discussed here that you're telling everyone else to stop complaining about and just deal with?
2) […]
The first step is netinstall, ignoring completely the previous or default password.
Our branding package grants on software reset (except on another netinstall, obviously) the same default password we want.
Don't you read what other people write?
[…]
Again, this is irrelevant to the challenges caused by shipping routers with random default passwords.
[…]
I've already worked out a solution with the distributor to supply the raw password file data so I can match the mac address the deployment system is currently connected to and look up the password. It's a bunch of extra work, and it causes extra work for the distributor also which they aren't thrilled about, but it should enable us to continue working after this rolls out.
Like it or not, I think all roads go through netinstall for the mass deployment scenarios. No amount of discussion is likely going to change that home devices will have a default password. No doubt this is a PITA, but needed and totally manageable IMO.
I think there are some under-appreciated advantages to "always netinstall" - even if it means re-training for your staff... trusting that the devices come with a "good version" is NOT always true, and ensuring all versions match in the field is generally desirable.
If you're doing "hundreds per day", did you talk with your distributor and/or sales@mikrotik.com to see if you can place a custom order for ones without passwords? I'd imagine that'd be possible at HIGH volume, but dunno.
Ok, I re-read the documentation and never knew they added a reset button straight to the netinstall function, that didn't exist when I started using netinstall, so I learned something new, but it absolutely changes nothing because the whole problem, which you still utterly fail to comprehend, is that time=money, and netinstall adds lots of time and manual processes to a deployment scenario.
*** ALL ABSOLUTELY WRONG ***
you don't seem to understand that THIS REQUIRES LOGGING INTO THE ROUTER FIRST. you can't take a brand new hAP AC2 router out of the box and simply netinstall it, you have to log into the router first to change the boot settings.
It seems to me that it's you who don't know how the devices work...
Netinstall launches with the reset button without even having opened winbox or webfig before...
Another user who says he has problems with the default password because he doesn't know how the product has always worked...
Another bullshit, if you read, I wrote that I don't give a damn if it arrives already branded by the distributor or not, I netinstall it instantly without even putting in the password...
[...] You are not dealing with the same issues we are so stop telling people it's not an issue simply because someone else has to deal with your problems. [...]
Another user that does not read...
No, it says exactly what it says: The first step is netinstall, ignoring completely the previous or default password.
You are referring to the branding package that your distributor installs for you, so you don't have to deal with the problem being discussed here that you're telling everyone else to stop complaining about and just deal with?
Our branding package = Our branding package, not the distributor package, understand the difference?
Another user looking for another meaning in what has been written...
Don't you read what other people write?
[…]
Again, this is irrelevant to the challenges caused by shipping routers with random default passwords.
[…]
The topic is from @millenium7, the OP, who worries ALSO about when to take over other networks, so I'm also replying to him, not you.
Another user who doesn't read all the posts, but only some...
Did you join the discussion later, did you think you were the only one I was replying to?
I remind you that I'm not bragging, I wouldn't gain anything, I'm just indicating how things go, because for me the default password changes absolutely nothing...
Physically the device must be taken out of the box and connected to the ethernet directly on ether1.
First run netinstall, installing at the same time branding OR autoconfig script, by holding reset without ever using winbox or CLI
is faster than
running commands via another cable on one ethernet on bridge by CLI, and then wait for it to reboot for netinstall on ether1...
never knew they added a reset button straight to netinstall function, that didn't exist when I started using netinstall
Ahhhh now it's starting to make sense. So if you encounter a situation like a radio/router/switch being factory reset on top of a tower, you just walk away and don't do anything about it.
I only stick to things that can actually be done without giving a damn about the default password.
Nothing more, nothing less.
I didn't think anyone could ever come up with all this bulls–t in one post.
Ahhhh now it's starting to make sense. So if you encounter a situation like a radio/router/switch being factory reset on top of a tower, [...] my world right up
Let's hope they believe you... It's from the beginning of the topic that I've been saying that the speed of installation doesn't change for those who distribute.
[…] no need to log in […]
@normis
Just wanted to add that yes, you can launch Netinstall just by pushing its button, no need to log in. Also Flashfig is even easier - it is on by default when you first (!) boot your device. For devices with a beeper, this is indicated by a chirping sound. It means you can Flashfig a device in seconds, just power it on.
False, with flashfig, for example, you can blank the admin password and proceed as usual for those who have prepared something complex for first setup,
but it also seems that it is there to modify the config, but not the default config for future resets.
So I took this too literally: "If RouterOS reset-configuration command is used later, Flashfig configuration is not loaded, but the RouterOS default configuration. (To permanently overwrite factory default configuration, use Netinstall process not FlashFig)." Where you just saw it as an opportunity for a second stage.
False, with flashfig, for example, you can blank the admin password and proceed as usual for those who have prepared something complex for first setup,
or why not send an instruction from flashfig to load directly the branding package with the default config wanted, and reboot..... and it is permanent, also after full reset (except netinstall)
It's actually this problem that is rather annoying in this thread IMO.
the main issue is make the password readable!
Stop using characters like O/0/I/l/1/8/B as trying to decipher what they are gets really old really fast after repeated failed attempts on every device.
Bitwarden, which is open source, in its password generator has an option to avoid ambiguous characters; maybe you can use that function as a starter.
We did also notice the issue with ambiguous characters and bad font. We will find a solution ASAP.
One option is to switch to all caps letters only, another is to avoid O/0/I/l/1/8/B. In any case, we are working on it.
B / 8 or b / 8
Just curious but why do you prefer lower case? Otherwise, I believe the rest of the suggestions were great options.
Right...when using HEX, somebody will still enter "O" because they will not know it's hex
We did also notice the issue with ambiguous characters and bad font. We will find a solution ASAP.
One option is to switch to all caps letters only, another is to avoid O/0/I/l/1/8/B. In any case, we are working on it.
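To put numbers on the trade-off raised above (dropping look-alike characters shrinks the alphabet, so a label of the same length carries less entropy), here is an added example in Python. It is my own code, not MikroTik's label generator or Bitwarden's: it draws labels from a capitals-plus-digits alphabet with the listed look-alikes removed, generates them with the OS CSPRNG, and compares the entropy of the four-capital scheme, a ten-character capitals-plus-digits label like the one in the distributor CSV, and the reduced alphabet, including how many extra characters the reduced alphabet needs to get the strength back. The exact set in `AMBIGUOUS` and all function names are this example's own choices.

```python
import math
import secrets
import string

# Look-alike characters the thread asks to avoid on printed labels
# (O vs 0, I vs l vs 1, B vs 8). Which set to exclude is this example's choice.
AMBIGUOUS = frozenset("O0Il18B")

UPPER = string.ascii_uppercase                          # 26 symbols
UPPER_DIGITS = string.ascii_uppercase + string.digits   # 36 symbols
UNAMBIGUOUS = "".join(c for c in UPPER_DIGITS if c not in AMBIGUOUS)  # 30 symbols


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct labels of `length` symbols from an alphabet of that size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random label, in bits."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest label from this alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length: int, alphabet: str = UNAMBIGUOUS) -> str:
    """Uniformly random label from `alphabet` using the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_unambiguous(label: str) -> bool:
    """True when the label contains none of the look-alike characters."""
    return not (set(label) & AMBIGUOUS)


def compare_schemes() -> dict:
    """(length, entropy in bits) for each label scheme discussed in the thread."""
    target = entropy_bits(len(UPPER_DIGITS), 10)
    needed = length_for_bits(len(UNAMBIGUOUS), target)
    return {
        "4 random capitals": (4, round(entropy_bits(len(UPPER), 4), 1)),
        "10 capitals+digits": (10, round(target, 1)),
        "10 unambiguous": (10, round(entropy_bits(len(UNAMBIGUOUS), 10), 1)),
        "unambiguous, at least as strong as 10 capitals+digits":
            (needed, round(entropy_bits(len(UNAMBIGUOUS), needed), 1)),
    }


if __name__ == "__main__":
    for name, (length, bits) in compare_schemes().items():
        print(f"{name:55s} length {length:2d}  {bits:5.1f} bits")
    print("sample label:", generate(10))
```

The comparison shows the four-capital scheme at under 19 bits (the 456,976 possibilities computed earlier in the thread) against roughly 49 bits for ten unambiguous characters; removing the six look-alikes from a 36-symbol alphabet costs about 2.6 bits over ten characters, and one extra character more than recovers it. Readability and strength are therefore not in conflict once the label is a character longer.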
Striked zero ... good old days ... never confusion about what that is.
204 is the production batch
What is the significance of the /204/r4 at the end of the serial number on the label? Is the 204 a date code and r4 a revision level?
considering that the initial version of the CPE autoconfig scripts was written in 2015, and based largely on an earlier autoconfig script I'd written in 2014, most certainly not. However one of the post installation change management scripts it installs, absolutely does. Your feedback helped solve an issue using the fetch output as an array.
[ And I wouldn't be surprised if you find something I wrote in the autoconfiguration code you use... ]
Not quite a barcode. But I suspect if the font/size was better, OCR would likely work. I use the iPhone with IMEIs and ICCIDs and am surprised how well it works to read them.
The next 10% is please include a barcode for the password
I believe Normis said it will be on the Quick Start guide. That seems easier for an end-user to save than the box.
stick it straight on the box - optionally the product as well
Anything else is far slower at scale. Forget OCR and all the associated issues (highly inaccurate for one), even just trying to scan a QR code takes far longer and has issues with being out of focus, too far away etc. before it works. Barcodes typically 'just work' and are very fast, which is why they are still used everywhere. At the end of the day all it needs to do is type out the read string via a simulated keyboard, that's how barcode scanners work. You can scan a dozen items (serial and password) in as many seconds.
Not quite a barcode. But I suspect if the font/size was better, OCR would likely work. I use the iPhone with IMEIs and ICCIDs and am surprised how well it works to read them.
The next 10% is please include a barcode for the password
I believe Normis said it will be on the Quick Start guide. That seems easier for an end-user to save than the box.
stick it straight on the box - optionally the product as well
You slap your Aditum label over MikroTik that fast? amazing.
[...] The whole process for 120 routers took me just over 2.5 hours in total (100 hAP AC2, 40 hAP AC Lite). Overall the reboxing and labeling took as long as the configuration did. [...]
Forget OCR and all the associated issues (highly inaccurate for one)
even just trying to scan a QR code takes far longer
has issues with being out of focus
Barcodes typically 'just work' and are very fast which is why they are still used everywhere.
You can scan a dozen items (serial and password) in as many seconds
Having to piss fart about with a phone, different apps, integrating or moving data around etc, it largely defeats the purpose
Yes, with the current default password scheme our average time to program a case of 20 hAP AC2 routers works out to a touch over 1 minute per router since we have everything running in parallel. We *can* do it closer to 15 minutes for a case, but that takes two people as there's too much time spent opening boxes and reboxing for one person to get it done that quick. 99% of the time it's just one person doing orders as there's usually an inverse correlation between the size of the order and the speed the customer is expecting it, so most of the time we don't need to double up people for rush jobs. Also that speed per device does not apply to hAP AC3 routers as they have more intricate packaging and a warning sticker over ether1, and they come 10 to a case, but the time per case is roughly the same (i.e. it takes twice as long to program them as it does the AC2). hAP AC Lite routers, which we don't sell that many of anymore, take about 90 seconds per device averaged over 20 routers because they simply take longer to install the OS and perform their configuration. You can see why any change in the process that slows down the process is extremely unwelcome.
You slap your Aditum label over MikroTik that fast? amazing.
[...] The whole process for 120 routers took me just over 2.5 hours in total (100 hAP AC2, 40 hAP AC Lite). Overall the reboxing and labeling took as long as the configuration did. [...]
Anyway, other countries are fighting to get rid of someone's force-provided ISP/whatever router and bring their own, and here you are doing the exact opposite. 'murica.
Good luck.
OCR has been used in critical real-time industry-scale applications for decades. For computer-printed text, it's a solved problem, to the extent that researchers have been focusing on handwriting recognition instead, the original problem from the 1980s considered too easy now. Provided the text is printed big enough, at high enough resolution, and you aren't working from a blurry scan/photo, accuracy is as close to 100% as any real-world system involving humans can hope to become.
They also generally continue to work much better when the label is partially worn or damaged. There's a reason that the barcode is still the universal standard at retail and grocery stores for all UPC codes: the scanners to read them are very reliable and work even when packages are worn or lightly damaged.
A barcode - unlike OCR or QR - is simple, clean, accurate, effective and cheap.
Welcome! Your first post on the forum.
Hello, Druvis here... […]
flash-boot - Flashfig mode on startup is enabled. This setting will revert to NAND after a successful configuration change OR once any user logs into the board.
Thanks for fixing the docs. Incorrect documentation is worse than no documentation.
Okay, after a little investigation, the help page has been updated:
You have obviously thought this through.
it doesn't matter, in the initial configuration script just put it to nand-only, as it should be done.
Just got multiple new cAP AX, AX3 and 1 RB5009.
2. Password will be on the device itself and also on a similar sticker on the quickguide paper inside the box (in later batches)
Well, no.
I would like to remove the password from my new AX3. Is this setup correct?
I was referring to /tool/mac-telnet, which I want to say does prompt and then try. But I see it's real telnet from the photos... More WAG here.
The fact it responds with invalid username or password would indicate it does work.
No ?
Yeah, mission accomplished 2000% here. Super secure.
Curious puzzle, but poor @bpwl
That 3rd character is for me U (Uniform).
EDIT: Maybe 0ALIM 0AYQ3G zero-alfa-lima-india-mike-zero-alfa-yankee-queen-three-golf
I spent 30 minutes at the wrong time to figure out the S vs 5 – I was hoping it was that...
You cannot imagine how angry I am. This was a problem just waiting to happen.
[...]
Netinstall over VPN, without physical access to the device?
There is no local device that can run Docker Container.
Brecht as in north of Antwerp? That's 40km from where my spare is sitting (Kontich). If REALLY needed, you can collect it tomorrow (I'm not there but I can instruct the colleagues to fetch it from my desk).
@holvoetn : friend and hAP ax³ is in Brecht.
Be careful with that assumption.
Label matches I assume. Reported MAC addresses are in range of the used ether port. QR code on label is also the SN.
That would be correct for port 3E01 = .....C2
W01= .....C8
Connected port is .....C4
I want to keep the default/basic configuration but without the default password.