griffin
Alessandro Volta
563 Views
Message 41 of 56

Re: SuperHub3 - plain text password


@mbooth wrote:

I can't believe it is displayed in plain text either.
I understand that it's a local device, but it's just good, basic security.
What if I allow people on a restricted but low security guest network? They could easily see me type in the admin password, and then use the guest network to log into the router themselves.

Like another posted, I don't want my kids seeing the password typed in either. I often set devices up for them with them in the room.

Sure, I could ask them to turn around, but that's not the point.
Yes, a factory reset can get past this but that kind of leaves a bit of evidence behind. How do I know if the password is compromised? How can I be sure I haven't been spotted typing it in.
I could have guests round and they could see it.

It's a small change, and while VM seem to be defending the choice, I don't think I've seen an actual reason *not* to obscure it. Give me a good reason and I might reconsider my position, until then.....I'm sticking with 'stupid idea'.


No they can't, the Guest Network is on a different subnet. The whole point of a Guest Network is that it is separate from the Main Network.

 

Sephiroth
Alessandro Volta
556 Views
Message 42 of 56

Re: SuperHub3 - plain text password


@griffin wrote:

@mbooth wrote:

I can't believe it is displayed in plain text either.
I understand that it's a local device, but it's just good, basic security.
What if I allow people on a restricted but low security guest network? They could easily see me type in the admin password, and then use the guest network to log into the router themselves.

Like another posted, I don't want my kids seeing the password typed in either. I often set devices up for them with them in the room.

Sure, I could ask them to turn around, but that's not the point.
Yes, a factory reset can get past this but that kind of leaves a bit of evidence behind. How do I know if the password is compromised? How can I be sure I haven't been spotted typing it in.
I could have guests round and they could see it.

It's a small change, and while VM seem to be defending the choice, I don't think I've seen an actual reason *not* to obscure it. Give me a good reason and I might reconsider my position, until then.....I'm sticking with 'stupid idea'.


No they can't, the Guest Network is on a different subnet. The whole point of a Guest Network is that it is separate from the Main Network.

 


In the specific case I used, I logged into the Hub 3 GUI. I used the ASUS router's guest mode; the hub is in modem mode.

 

Seph - ( DEFROCKED - My advice is at your risk)

mbooth
Tuning in
546 Views
Message 43 of 56

Re: SuperHub3 - plain text password

Well colour me corrected! I did not know that.
I still think it's wrong though!

ZENMASTER
On our wavelength
480 Views
Message 44 of 56

Re: SuperHub3 - plain text password

If one remotely logs in, the password is visible and not masked.

This is a huge security risk; the previous router allowed masked login.

ntyze
Joining in
437 Views
Message 45 of 56

Re: SuperHub3 - plain text password

Well, it's a security risk but not exactly sure how "huge" that is going to be considering how easy the attack vector is to avoid. If someone was already snooping in on your traffic to be able to snoop it (let alone the guy above who was asking "how do I save the password to my browser") then you have a bigger problem on your hands.

That said, to appease people's issues with this, it's literally just a change from input type=text to input type=password and I have no idea why it's unfeasible to just add the change to the next firmware update. I'm sure it's a very overlooked RFE somewhere.

ntyze
Joining in
431 Views
Message 46 of 56

Re: SuperHub3 - plain text password

The other (easier) alternative than waiting for Virgin is just to change the input type using an extension like Tampermonkey.
I'll spare my cynicism of why the person above needs to log in to the modem each time he "sets somebody up" though.

You can use this in the interim (it works for me). 

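// ==UserScript==
// @name        1 liner for passwords
// @description hub3 change input type
// @match       http://192.168.0.1/
// @grant       none
// ==/UserScript==

// Switch the Hub 3 login field (id "Password") from a plain text input to a
// masked password input, so typed characters are not echoed on screen.
// No external library is needed for this, so nothing is loaded with @require.
var field = document.getElementById("Password");
if (field) {
    field.type = 'password';
}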
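Added example, not part of the original post and not Virgin Media's or the hub vendor's code: a small JavaScript check that scans login-page HTML for credential fields left as `type=text` (or with no type at all), the condition this thread is about. The sample markup and the name-matching heuristic are assumptions made for illustration; only the `Password` id comes from the script above.

```javascript
// Constructed sample markup for illustration; this is NOT the Hub 3's real login page.
const SAMPLE_LOGIN_HTML = `
<form action="/login" method="post">
  <input type="text" id="Username" name="user">
  <input type="text" id="Password" name="pw">
  <input id="ConfirmPassword">
  <input type="password" id="WifiPassphrase">
  <input type="submit" value="Log in">
</form>`;

// Parse the attributes of one <input ...> tag into a map keyed by lower-cased name.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the id (or name) of every input that looks like a credential field
// but would echo typed characters. Assumption: a field is "credential-like"
// when its id or name contains "pass", "pwd" or the word "pw".
function findUnmaskedPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttributes(tag);
    const label = `${a.id || ""} ${a.name || ""}`;
    // An input with no type attribute is rendered as a plain text box.
    const type = (a.type || "text").toLowerCase();
    if (/pass|pwd|\bpw\b/i.test(label) && type !== "password") {
      findings.push(a.id || a.name);
    }
  }
  return findings;
}

console.log(findUnmaskedPasswordFields(SAMPLE_LOGIN_HTML));
```

The same function can be run over a saved copy of any admin login page to confirm whether a firmware update has actually changed the field type.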

 

RazziB
On our wavelength
421 Views
Message 47 of 56

Re: SuperHub3 - plain text password

Well - it's October 2018, 2 years and 3 months after the original post, and the password is STILL in plain text.

It IS a security risk no matter how people try to downplay it. I guess it wasn't passed on to the Firmware department after all.

Shelke
Alessandro Volta
414 Views
Message 48 of 56

Re: SuperHub3 - plain text password


@RazziB wrote:

It IS a security risk no matter how people try to downplay it. I guess it wasn't passed on to the Firmware department after all.


The hub 3 side is more complex as LG have given the same hub to their other ISPs, it's not like the Superhub 1 or 2s which were catered to VM. So (hypothetically) there may be some setup like a centralized LG firmware team does changes they want, then the LG ISPs like VM stick their logos and pics in the firmware picture folder before rolling new firmware out. That's guesswork though.

The firmware team don't seem to care though as the issue was reported by many via numerous avenues. I don't like the login password showing in the clear, it's bad practice.

mattura
On our wavelength
395 Views
Message 49 of 56

Re: SuperHub3 - plain text password

I totally agree, this is terrible security practice, there is no argument to not obscure password fields. VM's refusal to fix this given the details in July 2016 shows how much thought is given to security updates for their routers. If VM are this slack with password security, how can we trust them to keep our account details, payment methods and private information safe?

Roger_Gooner
Community elder
380 Views
Message 50 of 56

Re: SuperHub3 - plain text password

Anyone with access to your router can reset it and log in using the default password.  

--
Hub 3.0, TP-Link Archer C8, TP-Link TL-SG1008D 8-port gigabit switch, V6
My Broadband Ping - Roger's VM Broadband Connection