RussPitcher
Message 31 of 56

Re: SuperHub3 - plain text password

A factory reset button will not reveal your password over WiFi. Neither will it display your password to anyone in sight. 

I’m curious; why are you actively arguing for poor security?  What possible advantage does that give you?

Superuser
Message 32 of 56

nor will a WPA2 protected network

RussPitcher
Message 33 of 56

Don’t be so sure. 

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...

Again, why argue for poor security when better security is so easy?

Sephiroth
Message 34 of 56

@RussPitcher wrote:

A factory reset button will not reveal your password over WiFi. Neither will it display your password to anyone in sight. 

I’m curious; why are you actively arguing for poor security?  What possible advantage does that give you?


I'm not at all arguing for poor security.  I'm arguing against a pointless argument.  If the Hub's factory reset required a password, then I'd understand why people would ask that proper security standards be applied to the Hub's GUI password.

As to your factory reset point, the sticker on the Hub 3 will then show the applicable password.

 

Seph - ( DEFROCKED - My advice is at your risk)

RussPitcher
Message 35 of 56

Sigh. You can lead a horse to water...

Sephiroth
Message 36 of 56

@RussPitcher wrote:

Sigh. You can lead a horse to water...


Look, if there is a backdoor (factory reset), whilst a hidden GUI password is obviously desirable, the ferocity with which some people have attacked VM's decision is illogical.

 

Seph - ( DEFROCKED - My advice is at your risk)

stevespalding
Message 37 of 56

I think you’re missing the point. A factory reset is just that - a reset. If this were to occur, it would not only be obvious but would erase any other potentially sensitive information. This kind of ‘attack’ is, as you quite rightly point out, possible. However, someone wishing to be more intelligent about gaining access (someone who does not wish to be noticed, for example) is not going to use a factory reset. It’s not this ‘bull in a china shop’ type of attack that the password is designed to prevent, but rather unauthorised and unnoticeable access to the hub’s settings (for example, to extend permitted usage hours or to allow access to previously blocked sites). Also, for users using the hub in modem-only mode, the network is not likely to work (depending on the IP configuration in use by the rest of the user’s network) once a reset is performed. In short, a factory reset is destructive of the existing setup / configuration.

Displaying a password in the way the hub does is just silly. As others have pointed out, correcting it is a trivial matter (from a software engineer’s point of view) and why this hasn’t been corrected yet is a mystery to me. Mind you, why an ISP refuses to communicate with their customers via email is also a mystery to me.

Superuser
Message 38 of 56

And real HTTPS requires a publicly accessible IP address to verify the SSL cert. You can't do this on a local-only address.

mbooth
Message 39 of 56

I can't believe it is displayed in plain text either.
I understand that it's a local device, but it's just good, basic security.
What if I allow people on a restricted but low security guest network? They could easily see me type in the admin password, and then use the guest network to log into the router themselves.

Like another posted, I don't want my kids seeing the password typed in either. I often set devices up for them with them in the room.

Sure, I could ask them to turn around, but that's not the point.
Yes, a factory reset can get past this, but that kind of leaves a bit of evidence behind. How do I know if the password is compromised? How can I be sure I haven't been spotted typing it in?
I could have guests round and they could see it.

It's a small change, and while VM seem to be defending the choice, I don't think I've seen an actual reason *not* to obscure it. Give me a good reason and I might reconsider my position, until then.....I'm sticking with 'stupid idea'.

Sephiroth
Message 40 of 56

@mbooth wrote:

I can't believe it is displayed in plain text either.
I understand that it's a local device, but it's just good, basic security.
What if I allow people on a restricted but low security guest network? They could easily see me type in the admin password, and then use the guest network to log into the router themselves. [SEPH]: Now that's a security flaw, imo.

Like another posted, I don't want my kids seeing the password typed in either. I often set devices up for them with them in the room.

Sure, I could ask them to turn around, but that's not the point.
Yes, a factory reset can get past this, but that kind of leaves a bit of evidence behind. How do I know if the password is compromised? How can I be sure I haven't been spotted typing it in?
I could have guests round and they could see it.  [SEPH]: Not if you take care that they don't see it.  That's how simple it is.

It's a small change, and while VM seem to be defending the choice, I don't think I've seen an actual reason *not* to obscure it. Give me a good reason and I might reconsider my position, until then.....I'm sticking with 'stupid idea'.  [SEPH]: I see VM silent on the matter rather than defending it.  You're absolutely right though, there is no actual reason not to obscure the password.  As for my own attitude in this thread, I'm only poking at those who come across as so outraged by this really minor matter.


 

Seph - ( DEFROCKED - My advice is at your risk)
