DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2960 - Passwords stored in PLAIN TEXT in your config files

12 Jun 2013 08:07 #76521 by jamessp1
Just to let anyone who cares about security know. Some of the files in the config backup contain PLAIN TEXT passwords.

I assumed (wrongly) that a manufacturer of a VPN and Firewall would have had a reasonable grasp of the importance of security. It's 2013 not the 1990's. I'm gob-smacked.

The file I found is the ddns file in the backup config at \etc\persistence\config\.

I don't know if there are more files like this as my 2960 is so minimally configured ('cos it doesn't work) that it is impossible to set other config that may use passwords.

Finally -- remember - Plain Text Passwords!!! - When Draytek Support ask you to send in a copy of your config, just changing the login passwords is not enough. You should consider changing every password in your config, saving the backup file for Draytek, and then reverting to a previously saved config.

Because I sent my config to support... now all I have to do is change all the passwords on the external services that I might have plugged into the 2960 and update all my other systems... that should be fun :oops:

13 Jun 2013 06:50 #76546 by admin
As the config is human readable (as opposed to binary) which allows editing, 3rd party scripting etc, what would you expect the passwords to look like?

The passwords cannot be encrypted with a one way hash because then the router would not be able to use the passwords when needed.



Forum Administrator

13 Jun 2013 08:51 #76548 by cocospm

admin wrote: As the config is human readable (as opposed to binary) which allows editing, 3rd party scripting etc, what would you expect the passwords to look like?

The passwords cannot be encrypted with a one way hash because then the router would not be able to use the passwords when needed.


Good grief. If you're going to try and defend DrayTek's entirely indefensible storing of passwords in this way, at least try to ensure you know even the slightest thing about security techniques in the first place. Your response is laughable, I'm afraid.

13 Jun 2013 13:55 #76554 by jamessp1
Thank you cocospm. You put it very well.

15 Jun 2013 13:36 #76608 by admin

cocospm wrote:
Good grief. If you're going to try and defend DrayTek's entirely indefensible storing of passwords in this way, at least try to ensure you know even the slightest thing about security techniques in the first place. Your response is laughable, I'm afraid.



You can respond aggressively and rudely or you can explain what you mean and what you expected. I'm not 'defending' anyone; just asking a question.

So, again, how would you want/expect passwords to be stored in a script/config (non-binary) file?

If you send support a config, why are you 'horrified' that it contains your config? What did you think it contained?



Forum Administrator

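As an added illustration of one answer to the question in the post above (this is not code from any poster, from DrayTek, or from the 2960's real ddns file format): secret-valued fields in a human-readable config can be reversibly encrypted under a per-device key that is kept outside the backup, while every other line stays readable and editable, and the backup can be checked for anything still in the clear before it is sent to support. The key/value config lines, the device secret and the ENC[...] wrapper are constructed for this example; the cipher is stdlib-only HMAC-SHA256 in counter mode with an encrypt-then-MAC tag.

```python
"""Added example: device-bound encryption of secret values in a text config,
plus a pre-send check for secrets still stored in plain text. Stdlib only."""
import base64
import hashlib
import hmac
import os
import re

# Field names treated as secrets (assumption for this example).
SECRET_KEYS = re.compile(r"(pass(word|wd)?|secret|psk|key)$", re.IGNORECASE)
# Wrapper for an encrypted value: ENC[v1:<nonce>:<ciphertext>:<tag>], all base64.
ENC_RE = re.compile(r"^ENC\[v1:([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]*):([A-Za-z0-9+/=]+)\]$")

# Constructed sample config; NOT DrayTek's real ddns file layout.
SAMPLE_CONFIG = """# constructed sample, not the router's real format
ddns_enable=1
ddns_provider=example-ddns
ddns_hostname=home.example.net
ddns_user=alice
ddns_password=correct horse battery staple
"""
# Constructed per-device secret; on a real device this would live in protected
# storage (e.g. a secure element or a file excluded from config backups).
DEVICE_SECRET = b"constructed-per-device-secret"


def derive_keys(device_secret):
    """Derive independent encryption and MAC keys from the device secret."""
    enc = hmac.new(device_secret, b"config-enc-v1", hashlib.sha256).digest()
    mac = hmac.new(device_secret, b"config-mac-v1", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, n):
    """HMAC-SHA256 in counter mode as a PRF keystream of n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _b64(b):
    return base64.b64encode(b).decode()


def encrypt_value(device_secret, plaintext, nonce=None):
    """Encrypt-then-MAC a single value; a fresh random nonce unless one is given."""
    enc_key, mac_key = derive_keys(device_secret)
    nonce = nonce or os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return f"ENC[v1:{_b64(nonce)}:{_b64(ct)}:{_b64(tag)}]"


def decrypt_value(device_secret, token):
    """Verify the tag first (constant-time), then recover the value."""
    m = ENC_RE.match(token)
    if not m:
        raise ValueError("not an ENC[] token")
    nonce, ct, tag = (base64.b64decode(g) for g in m.groups())
    enc_key, mac_key = derive_keys(device_secret)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong device key or tampered value")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def _fields(text):
    """Yield (key, value, original line) for non-comment key=value lines."""
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            yield k.strip(), v.strip(), line


def seal_config(device_secret, text):
    """Rewrite secret-named fields so their values are ENC[] tokens."""
    out = []
    for line in text.splitlines():
        for k, v, orig in _fields(line):
            if SECRET_KEYS.search(k) and v and not ENC_RE.match(v):
                line = f"{k}={encrypt_value(device_secret, v)}"
        out.append(line)
    return "\n".join(out) + "\n"


def find_plaintext_secrets(text):
    """Secret-named fields whose value is not ENC[] wrapped: what a user should
    check for before a backup leaves the device."""
    return [k for k, v, _ in _fields(text) if SECRET_KEYS.search(k) and v and not ENC_RE.match(v)]


def read_secret(device_secret, text, key):
    """How the router itself would recover a value it needs to use."""
    for k, v, _ in _fields(text):
        if k == key:
            return decrypt_value(device_secret, v)
    raise KeyError(key)


if __name__ == "__main__":
    print("plain-text secrets before sealing:", find_plaintext_secrets(SAMPLE_CONFIG))
    sealed = seal_config(DEVICE_SECRET, SAMPLE_CONFIG)
    print(sealed)
    print("plain-text secrets after sealing:", find_plaintext_secrets(sealed))
    print("router can still use it:", read_secret(DEVICE_SECRET, sealed, "ddns_password"))
```

The sealed file is still a text file that can be diffed, edited and scripted; only the values of secret-named fields are opaque, and they are useless to anyone who holds the backup but not the device secret. The `find_plaintext_secrets` check is the part a user could run on a backup before sending it anywhere.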
15 Jun 2013 17:42 #76610 by cocospm
You can take my posting any way you like. You didn't ask me to explain what I meant, because I hadn't even posted to this thread - go read things again. You might have asked the original poster (jamessp1), but it would appear he is as shocked as I was.

For someone - in your case the admin of this forum, no less - to make such a completely uninformed and ridiculous post required, I felt, such a dismissal. It happened to be me who made this point, but it could well have been anyone else.

If I sent a config file to Draytek I would expect it to contain, er, the router's configuration, with the passwords suitably encrypted. There is no need whatsoever for Draytek to know my passwords, and there is no reason whatsoever why a router would need to store my passwords in their original or, indeed, recoverable, form. If you believe otherwise then, please, enlighten us all - with specifics - to your greater security knowledge.
