Community discussions

MikroTik App
 
jo2jo
Forum Veteran
Forum Veteran
Topic Author
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Winbox stores all your saved passwords UN ENCRYPTED locally

Wed Aug 31, 2016 8:34 pm

Hi,

I know in winbox, when i do an export of my "Managed" tab entries the resulting .WBX file contains all my saved device passwords, un-encrypted in plaintext. That is fine for an export (as i just encrypt that .WBX file for storage).

However when i import my .WBX file into winbox (after an winbox upgrade for example), winbox then seems to then save a .CDB file (also un-encyrpted) and requires that this .CDB file exist/remain in place (if you then re-encrypt the .CDB file after importing , all your managed devices in winbox, disappear - obviously winbox accesses this .CDB file every time it launches, and requires that it be un-encrypted).

This clearly is not a good situation security wise as you now have a plain text file sitting your PC with all your mikrotik passwords.

Is there anyway this can be fixed? (either by encrypting the .CDB file or making it such that when you import a .WBX file winbox then stores the entries in some kind of encrypted cache or in the registry - so that you dont have to have a plaintext file with all your passwords lurking on your pc)

Please dont reply with " just un-check "keep Passwords in winbox" " that is not a solution to this security issue, nor a solution when you have 100s of mikrotiks and wish to employ password diversity.

thanks!
:beep :beep :beep
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Wed Aug 31, 2016 8:46 pm

I've known this from my start of using MikroTik.
My solution is that my management system uses full disk encryption, and two-factor authentication.


WinBox needs to be rewritten to use the Master Password as an encryption password for the address book.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Sob
Forum Guru
Forum Guru
Posts: 5405
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Wed Aug 31, 2016 9:19 pm

There already is support for master password for some time.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Wed Aug 31, 2016 9:22 pm

Master password is current 100% useless, as the address book file is still 100% clear-text.
The Master Password *ONLY* makes WinBox ask for a password before running.
You are still able to read the actual address book - which is the point of the OP's post.
The address book NEEDS to be encrypted.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Sob
Forum Guru
Forum Guru
Posts: 5405
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Wed Aug 31, 2016 10:48 pm

That's not what I see. I started WinBox in clean VM (I just had one available where WinBox was not used before) and saved few fake items to address book. They were saved in Addresses.cdb in user profile and everything was clearly readable in there. When I set master password, the content of file completely changed and it looked like all random bytes (which is how encrypted stuff looks like).

I also tried import and export. Exported .wbx file does not have any encryption. When imported to clean WinBox (I deleted settings from user profile), new Addresses.cdb was by default unencrypted. When I set master password, it got encrypted as before. Importing to existing encrypted address book also worked fine and the resulting file was not readable.

The only way an unencrypted password was stored even when master password was set, was with Keep Password option enabled. Then the last used password can be been in settings.cfg.viw.

And one bonus bug, which does not affect security, is when you have encrypted address book and you do not enter master password, WinBox still allows you to add new entries, you can see them in the list, but they get lost when you close WinBox or enter master password.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
jo2jo
Forum Veteran
Forum Veteran
Topic Author
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Thu Sep 01, 2016 2:49 am

There already is support for master password for some time.
Hmm.. maybe he is right, i will check this in a few hours when i get back to my pc.. the only reason i say that maybe he is correct (ie setting a msaster password ENCRYPTS the saved entries stored on your pc) is because i found this post from 2014, from Nomis (mikrotik creator) - (now im not sure if this was every put in to effect)

-------------------------
Thu Feb 13, 2014 8:33 am
Yes, this is true. Do not "save" passwords on a PC where you are not the only user. We are working on a new Winbox where you will be able to set a master password, that will encrypt your passwords.
-----------------

from:
http://forum.mikrotik.com/viewtopic.php?t=81816
:beep :beep :beep
 
jo2jo
Forum Veteran
Forum Veteran
Topic Author
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Thu Sep 01, 2016 2:54 am

I WAS ABLE TO REMOTE IN TO MY PC AND CONFIRM THIS!!

IF YOU DO SET A MASTER PASSWORD , IT SEEMS TO ENCRYPT (OR OTHERWISE OBFUSCATE ) THE SAVED "MANAGED" ENTRIES OF WINBOX ON YOUR LOCAL COMPUTER (i tested this by looking at the .CDB file , before and after setting a " Master Password" the file is un-readable by human eyes after setting a master password)

WELL DONE MIKROTIK !! THANKS!
:beep :beep :beep
 
User avatar
otgooneo
Trainer
Trainer
Posts: 572
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: Winbox stores all your saved passwords UN ENCRYPTED locally

Thu Jun 29, 2017 10:35 am

I just today realized that it won`t encrypt user/pass. Just now set master password and secured my winbox db. Well done. Good job Mikrotik. :-)
----------------------------
Want to learn more and more...

Who is online

Users browsing this forum: Kindis, korniza, mlow, mwdiers, nacer and 123 guests