As said in the topic, what do you all think about encrypting the passwords, esp. the web interface password, inside nvram? Currently it is stored blank inside it :/
Date: 27 Mar 2011 09:08
Number of posts: 6
If someone has access to the nvram, he is already inside the router, so it doesn't make sense.
Hmm, not really… if someone is logged in (for whatever reason), it is not the same as him being able to see all passwords blank.
For sure, he is also able to change the encrypted password to his own, but he is not able to see it, esp. if you reuse the password in some other places.
If someone is logged in, then they already know the password. So what security advantage is there to encrypting the password, given that they know it?
The only advantage I see is preventing somebody from looking at the passwords in an nvram backup file. But that's pretty obscure.
Anyway, what is the router password protecting it against? Somebody in your local network hacking in and changing QoS settings? Not every lock needs to be as secure as a bank vault.
"So what security advantage is there to encrypting the password, given that they know it?"
Not being able to see all other passwords, like for cifs, wlan (not really important), usb share, ftp users (maybe)…
I do not really complain about the webif password; as you already mentioned, if he is logged in, then he is logged in.
But in my opinion, it is not quite good to see all other passwords as well (if you have everything configured…), but it is only a thought and a discussion about it ;)
Consider for a moment that if you encrypt the passwords in NVRAM, the encryption key must also necessarily be in NVRAM, which makes the entire exercise a bit pointless.
My Tomato utilities site: http://multics.minidns.net/blog/articles/tomato_utilities