Menu
Reply
  • 3.3K
  • 103
  • 371
VMCopperUser
Problem sorter
540 Views
Message 11 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

Regrading HTTPS on a non-internet device.  While you may think this is a good idea it's generally not.  Connecting gives warning errors up when a HTTPS certificate for a non-verifiable domain/ip is issued.  Browsers will warn you about it and sometimes even block you browsing to said site!

 

If your worried about typing in the password on the unit then you are probably worried about the password the print on the bottom, or the reset pin they put on the unit.  If your that worried about it then perhaps you should just totally avoid the internet fully.

 

I do agree that it would have been a slightly better design to mask out the password as it is typed, with a tickbox to allow you to view said password.  I dont see it as an issue.  If someone is close enough to read the screen then they are also close enough to read what you type on the keys.

----
I do not work for VM, but I would. It is just a Job.

I would also make websites for them, because the job never seems to require the website to work.
  • 10
  • 1
  • 3
tim11pop
Tuning in
532 Views
Message 12 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

I can understand not having HTTPS, allowing that for all users would be pretty difficult.

I am however confused as to why the password is still in plain text. This should have been fixed well before the devices went out, let alone still here a year on.

This does suggest that the password isn't stored in a secure method so is absolutely disgraceful. For at least 10 years it has been understood to be basic security to have passwords hidden from view.

I've given up on the router at the moment as I just don't want to know that it exists and I've switched it into modem mode for a pfsense router.

Regarding being able to see the password on the bottom of the router or the reset pin. The router can be locked away quite easily to get rid of this factor, however having a password in plain view is stupid at best. What if a parent was configuring the child safety stuff and a kid looks over their shoulders? What if children are having a fight and decides to block the other from accessing the internet.

It's incredibly basic stuff and I'm pretty certain that there are various IT standards which enforce this for basic security.

0 Kudos
Reply
  • 3.3K
  • 103
  • 371
VMCopperUser
Problem sorter
519 Views
Message 13 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

I think most IT Professionals actually view it as a non-issue.

Most people would like to see masked passwords get the boot.

Knowing what I do about much of the hardware used on VM Routers in the past I can say openly that the passwords have usually been stored in clear text in the router (as it is in virtually every modern big brand home router you can buy).  Pfsense will probably have a hashed/encrypted password but that's in part due to the fact that you have a pc with tons of attack vectors - it's much more than a dumb router.

 

Masking passwords from your kids doesn't sound like a major thing to me, so perhaps it's just me being a bit blase to this. 

 

 

----
I do not work for VM, but I would. It is just a Job.

I would also make websites for them, because the job never seems to require the website to work.
  • 10
  • 1
  • 3
tim11pop
Tuning in
507 Views
Message 14 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

I think if an IT professional would want passwords not to be masked I think they're completely in the wrong job. Imagine the complete mess that would cause, co-workers would be able to find out each other's passwords by just looking behind them at someone else's screen.

  • 1
  • 0
  • 1
zxcvbnm
Just joined
499 Views
Message 15 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

Why should home routers be less secure than commercial ones (up to a point)?  There's just no excuse to display, store, or transmit, clear text passwords. Basic security shouldn't be glossed over because of volume, or even lack of knowledge / tolerance of the person setting it up.

As a security professional I'm only too aware that users are happy to do the easiest thing, yet the first to be cross when they lose data or get hacked.  A little inconvenience for home users to force them to be a bit more secure is better for everyone, and virgin shouldn't shirk the extra load that this would put on their call centres - and certainly should put the few quid into getting decent firmware.

  • 6
  • 0
  • 0
raggedyrawny
Joining in
446 Views
Message 16 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

Also, the fact that it doesn't use a standard login form means that the password cannot be saved - is there any chance this can be fixed as well?

0 Kudos
Reply
  • 5.3K
  • 412
  • 880
Tudor
Superstar
439 Views
Message 17 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

I see no point in masking the password, I can easily get most people’s password by just watching them type it in. Anything up to 16 characters is easily remembered. How many people mask their ATM PIN successfully? Even less people mask their PIN in shops, one reason why I always try to use Apple Pay,


There are 10 types of people: those who understand binary and those who don't and F people out of 10 who do not understand hexadecimal
  • 3.37K
  • 225
  • 549
Roger_Gooner
Wise owl
425 Views
Message 18 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

The last thing I want Virgin Media to do is to try and mask passwords when a load of other problems need much more urgent attention. This company has a buggy Hub 3.0 and V6, not to mention poor customer service and inconsistent service levels.

--
Hub 3.0, TP-Link Archer C8, TP-Link TL-SG1008D 8-port gigabit switch, V6
My Broadband Ping - Roger's VM Broadband Connection
0 Kudos
Reply
  • 10
  • 1
  • 3
tim11pop
Tuning in
417 Views
Message 19 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

Wouldn't that be a delight. I've got IPv6 to an extent through pfsense and a tunnel so not exactly desperate for that, but native would be nice. A focus on security would be preferred though, it's pretty basic after all.

0 Kudos
Reply
  • 2
  • 0
  • 0
Bob100
Joining in
362 Views
Message 20 of 55
Flag for a moderator

Re: SuperHub3 - plain text password

I was pretty disappointed when the Hub3 came and found the login password is not hidden when entered. It's sloppy and very bad practise. There is a hint in the word"Password" - Maybe the developers of the firmware might learn something from Googling what the word means.

In my view it needs to be sorted. I quite often log into my hub when someone else is in the room and I do NOT want them to see the password. Simple.

0 Kudos
Reply