Clear Text Username and Password Displayed in Logs

Software SW bugs discussion
1

Hi,
I noticed today the the pppd process shows the username and password in clear text. This isn’t very secure.

image
image964×152 11.6 KB

3 Likes
2

whoever can access the routers webinterface is already in full control.
nothing ist lost but debug efficiency gained.

3

IMHO it’s similar to preferring to show stars in password prompts. (Especially in dialogs that show the current password and not just the currently typed one.)

4

and what if you perform log shipping to central collectors?

this is generally regarded as very insecure practise. it should be fixed.

2 Likes
5

I agree this is very poor security practice.

6

bump this … is very insecure

7

PPPoE name and password is all nothing secret/private. For example all O2 customers have the same and it is even published there https://www.o2.cz/osobni/techzona-sluzby/289160-pppoe.html

Přihlašovací údaje

Uživatelské jméno: O2 (velké O a číslice 2)
Uživatelské heslo: O2 (velké O a číslice 2)
8

Not everyone in this world is with O2! I’m with a different ISP and the PPPoE username/password is the same as for all logins such as web portal and telephone support etc which in it’s own right is insecure but that’s another issue. When I say it’s the same I mean it is still unique to the individual account, not shared amongst many like O2 apparently. I fail to see how having the clear text usernames and passwords is a secure practice and cannot really see how it helps with debugging either.
This router I thought was ALL about security. What a joke!!!"

Will be selling mine very soon unless this is resolved.

9

According to https://linux.die.net/man/8/pppd the pppd process has a hide-password option. I don’t use pppoE at all, but maybe you could fix this issue by yourself by passing this option to the pppd process on startup until this is solved i turris repo (+1 for it)

Maybe here:

EDIT: And @Mordorf don’t sell your Omnia because of this issue, the Omnia has so many others benefits (like patching something for yourself if you don’t like the decisions made by the devs :wink: )