Force users to change the default username/password
Opened this issue · 5 comments
After a little research we find out there are a lot of users that do not change the default credentials and have open port to remote acess. Ie anyone can acess to their loxberry, and can see the loxone username and password because its not secured with the loxberry pin either. In most cases the remote connection is enabled to loxone also and anyone can reach the loxone web interface and use the username and password what they find in loxberry web interface.
Our recomendation is to secure the Loxone credentials with the pin.
And force users to change default loxberry/loxberry username and password combo and the default pin also.
How was the "little research" done ?
We tried to search on sites that can list opened ports for the ip adresses and you can search by keywords. For example: https://www.shodan.io/search?query=loxberry. Then we try to login with default username/password. For every person that we discovered with this method we send email to warn them about this problem and we asked them to change the password on loxberry and loxone systems, and ideally close the port for the loxberry because the remote access is not required in most of the cases.
Well, this is a quite old discussion and 4 people have 5 opinions about that :-)
- Secure Miniserver Setup: Definetly needed - there's already an issue for that: #500 It was implemented for the Mail Widget but so far not for the MS Widget. But this only helps if you are not use the default secure PIN "0000"...
- LoxBerry 2.0: All passwords were set randomly during initial wizard. A lot of users claimed about that (too complicated). If you haven't finished the wizard, you last with the dafault passwords...
- LoxBerry 3.0: We changed the behaviour and let the user now decide if he wants the default passwords or if he would like to set randomly passwords. So it is his responsibility - same as the decision to open a port to Loxberry from outside.
Yeah well I can imagine all of the people have different opinions about that :D
The 1. point will be the good solution but I personally prefer to have something like : You must set your own PIN before you can continue with the loxberry setup.
Because someone really dont know what they are doing and just follow some instructions/youtube videos without the clue about what is the final result and how risky it can be.
I agree its up to users to keep default passwords and open the ports, I just dont find this issue Security: Miniserver Passwörter , because I try to search in english and dont know the current situation about that problem.
You can close this one, setting the PIN for the MS Widget will be a good step forward 👍
The issue is so old that it comes from our "german" time ;-) I let this one open - just to make sure we do not forget it.