
Changing the router admin login name

Mars Mug
Virtuoso

Changing the router admin login name

Diverge,

By the way, the User ID field of a login does not normally form part of the security safeguards. I work on many high security systems where if you know a user’s name, you will be able to determine the User ID, and in fact if a computer has reverted to the ‘locked’ screen when a user has been away from it for a while, hitting a key will typically display a message such as ‘Press ctrl-alt-del to unlock this workstation - This workstation is currently in use by {User ID}’.

User IDs are more often than not used in multi user environments or with devices where there may be several users. So routers typically have a pre-set user ‘admin’ which cannot be changed. They may sometimes allow for other user IDs to be created, but not always, sometimes there is an assumption that in a home environment there will be only one ‘admin’ user. Other devices such as IP cameras for example may have multiple users, and with different levels of access.

Should you wish to continue this discussion then I think we should take it to another thread. Smiley Happy
Message 1 of 28
Diverge
Guide

Re: beta FW

My point of view isn't from high security, or a corp environment, but just a home user. Open an FTP server on port 21, and see the logs of bots trying to brute-force with username admin, administrator, and so on. Obviously I know there are ways to prevent this (use non-standard ports, secure passwords), but having the ability to change the default name is just a little reassurance for some of us.
Message 2 of 28
Mars Mug
Virtuoso

Re: beta FW

diverge wrote:
My point of view isn't from high security, or a corp environment, but just a home user.


I'm willing to reply, but no more in this thread. Smiley Wink
Message 3 of 28
Almighty1
Novice

Re: beta FW

diverge wrote:
My point of view isn't from high security, or a corp environment, but just a home user. Open an FTP server on port 21, and see the logs of bots trying to brute-force with username admin, administrator, and so on. Obviously I know there are ways to prevent this (use non-standard ports, secure passwords), but having the ability to change the default name is just a little reassurance for some of us.


See my response in this thread as I figured out how to do it provided you're on firmware prior to 1.0.3.12_1.1.18 as that version cannot be telnet enabled as of now:

http://forum1.netgear.com/showthread.php?t=89668
Message 4 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

OK, I split these posts from another thread about Beta firmware.

Changing the user name will not stop the spambots from trying to get in with ‘admin’, ‘root’, ‘administrator’ or whatever, they don’t know the admin name has changed so continue trying. They still fail because they don’t know the user name and password, they failed before because they didn’t know the password. A strong password is protection in both cases.

Mathematically, what is the difference in security strength in these two examples, noting that both the name and password need to be provided before a response is given, there is no ‘name correct but password wrong’ response?

User name ‘xtgnyu’ Password ‘abcd1234’
User name ‘admin’ Password ‘xtgnyuabcd1234’

I’m not saying that being able to change the user name is a bad thing, just that it isn’t really necessary to do so, the password alone can provide the necessary security providing it is strong and protected.
Message 5 of 28
dave1977nj
Apprentice

Re: Changing the router admin login name

You should be able to change the default username. Netgear could implement this if they wanted to. And I think they should. Vote +1
Message 6 of 28
Diverge
Guide

Re: Changing the router admin login name

Mars Mug,

I wasn't really lobbying for this change, but I still think it would be nice. On a NAS, you can usually create a new user w/ admin permissions, and then disable the default admin user if you want. You also have IP banning if too many failed attempts in X time.

Password strength aside, knowing the username is like 1/2 the battle. Do the math for username and password fields w/ a character limit of X (using the full limit), and when you know the username. That's my rebuttal Smiley Tongue

Any event, I'm not here to argue. Or lobby for a change Smiley Happy
Message 7 of 28
Mikey94025
Prodigy

Re: Changing the router admin login name

I vote that Netgear work on and worry about things that are more important to their customers and have a more meaningful impact. Less important requests are just a distraction.
Message 8 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

diverge wrote:
1. I wasn't really lobbying for this change, but I still think it would be nice. On a NAS, you can usually create a new user w/ admin permissions, and then disable the default admin user if you want. You also have IP banning if too many failed attempts in X time.

2. Password strength aside, knowing the username is like 1/2 the battle. Do the math for username and password fields w/ a character limit of X (using the full limit), and when you know the username. That's my rebuttal Smiley Tongue

3. Any event, I'm not here to argue. Or lobby for a change Smiley Happy


1. I know you are not lobbying for change, this thread is a spin off from comments in another thread, but it’s an idea that comes up every now and again in most of the Netgear wireless router forums.

A NAS is often used as a multi-user device, often with access restrictions to specific areas based on User ID, so I don’t think that compares with the admin function of a home router which is normally performed by a single admin.

Most of the very high security systems I use have a ‘root’, ‘admin’, or ‘administrator’ user account that cannot be removed or disabled, only the user’s password can be set. These are systems approved by security authorities for military use, clearly there is no concern about the inability to change the administrators’ default IDs. I also use very high security military systems that do not allow the use of default user IDs, but that’s beyond the realms of this discussion.

2. The idea of giving those two examples was to show that mathematically, knowing the user ID is not ½ the battle, unless the full length of both fields are used, but I think the password field is quite long, perhaps you could check for me? I don’t believe that there will be any kind of response to a partial entry, i.e. there is no response that indicates a correct User ID but incorrect password, so both ID and password have to be entered correctly to gain access.

3. These forums appear to most people to be tech support forums, but they are in fact also discussion forums, there’s no harm in a positive debate amongst members. Previous incarnations of these forums did not require moderator approval of posts before they were accepted for view, debates in those forums were a regular occurrence and that made the forums far friendlier in my opinion (there were of course some negative consequences).


In general I don’t disagree with the idea of being able to change the admin ID, or add a limited number of other user IDs, IP cameras / NAS drives etc. manage this quite well. The only real point I’m trying to make is that it’s not really a security enhancement beyond the principles of using a strong and well protected password (with regular changes). It’s not a feature of Netgear home grade routers (or many other manufacturers’ home grade or even SOHO routers) and I don’t think its addition would add significantly to security.
Message 9 of 28
Almighty1
Novice

Re: Changing the router admin login name

The way to do it is as follows, you need to first enable the router for telnet using the following telnet enabler:
http://www.myopenrouter.com/download/10602/NETGEAR-Telnet-Enable-Utility/

Please note that firmware v1.0.3.12_1.1.18 cannot be telnet enabled at this time.

then you just need to issue the following command via telnet, for example, to change the username to anonymous:


nvram set http_username=anonymous
nvram commit
Message 10 of 28
Diverge
Guide

Re: Changing the router admin login name

Almighty1, Good to know. I don't even open my router up to remote access, so no worries from me. SSH and teamviewer handle my needs Smiley Happy
Message 11 of 28
Almighty1
Novice

Re: Changing the router admin login name

diverge, Too bad the router doesn't seem to have ssh access to it since telnet is not very secure and I think the advantage to having a different username is that even if they got the password correct, they will not get in because they assume you are using the default login name(s).
Message 12 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

Almighty1 wrote:
… and I think the advantage to having a different username is that even if they got the password correct, they will not get in because they assume you are using the default login name(s).


They will have no indication that they have got the password correct, how do you suggest that they are determining the password in that case?

If they are able to obtain/work out the password, then either the choice of password is very poor, or it has not been secured properly (e.g. written on a post-it note). If they can crack the password why can’t they crack the user ID, they need both to gain access? If your choice of User ID was added to the password as per my example in post #5, then given your argument quoted above they would not be able to work out the password, but why not?

Remember also that WiFi does not have a User ID, there is only the passphrase to keep people away from your network, your router admin password should be at least as strong as your WiFi passphrase.
Message 13 of 28
Almighty1
Novice

Re: Changing the router admin login name

You misunderstood what I wrote, I never said they would know the password is correct but what I am saying is that let's assume they were able to get the password correct. The first scenario if they can't change the default login, since it's a Netgear device, it would automatically be "admin" so they would have gotten in already since the login is already a given parameter, it's just the password they needed to guess correct. Now if the login was changed, then even with the correct password, they can't get in. I think we are talking about different things, WiFi has a passphrase which is the wireless part of the connection but remember that on Wireless routers, you can turn on remote Admin from the WAN interface so it uses the same login/password as from the WiFi side except the WiFi side has a lower chance as the people have to be within the wireless range while on the WAN side, it's the global internet.
Message 14 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

I can’t picture a scenario where someone is capable of determining the password, but incapable of determining the user ID, can you tell me how that situation would arise?

My point with WiFi is that it’s considered to be highly secure with WPA2, providing the user has selected a strong password, and there isn’t a user ID required. WPA2 is not weakened because there is no User ID requirement.

But regarding User ID / Password, how many systems are you aware of where the User ID cannot be determined? It is typical of most network systems to have a quite easily identifiable User ID (often the person’s name e.g. Fred.Bloggs) but no one knows your password. Phone up the IT department with an issue and they will know your User ID, but can’t tell you your password, they can only reset it.
Message 15 of 28
Almighty1
Novice

Re: Changing the router admin login name

That situation can easily arise if someone actually specifically targeted you and not randomly as the attacker knows your IP already and then the first thing they do is they port scan your IP and with the R7000 for example when you connect to the WAN side, it will come up with a prompt:

Authentication Required

The server http://someaddress:80 requires a username and
password. The server says: NETGEAR R7000.

User Name:
Password:

The major problem is it identifies exactly what type of host it is and all someone needs to do is google "Netgear default username" which will come up with admin as the default name so they will basically use the known username variable and then guess the password instead which means they only need to get the password correct as they already have the username correct.

Now, if you can change the username, what makes you think someone can't choose a long username that no one can guess since just like a strong password, someone can choose a username that cannot be guessed using words that can be found by combining dictionaries and login names can be as long as 256 characters.

The other thing is I am not talking about WiFi as the username is used to get into the web interface meaning that it can come on the LAN side which can be WiFi or wired since who said you can't have guests or neighbors who try to do bad things on your network or it can be from the WAN side as in the global internet.

There is a difference in talking about systems where a user id cannot be determined since it depends how much access the person has to the host in question as if they already have an account, all they need to do is look at the /etc/passwd file for a list of login names and the users on the account but knowing the user id and even if you did have the password, you would only be able to get into an account but you still will not have administrator level access which is what you would have when you get into the router since first you would need to hack an account that has access to the super user group and then you would have to guess the password at that stage.

Passwords usually can't be retrieved and only can be reset as it is encrypted but that doesn't mean there isn't a way to packet sniff the passwords as this is how irc servers usually get hacked. For instance, DES passwords are limited to 8 characters, MD5 passwords are limited to 16 characters, Blowfish passwords are limited to 32 characters. So it all comes down to probability as on the 5,000+ servers we host, none of the usernames are related to the real name of the person since the person selects their username and password.

WPA2 may be highly secured but it has been cracked since there are tools for that purpose.
Message 16 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

I think you misunderstood what I was asking for. I was after a scenario where the password is capable of being ‘hacked’ but the user ID is not? I see nothing in post #16 which explains that, e.g. if the password can be ‘sniffed’ then isn’t the User ID capable of being sniffed at the same time? If WPA2 has been cracked why could the User ID not be cracked at the same time? What is it that makes the User ID harder to determine than the Authentication password? If the answer to that is nothing then surely a strong well-chosen password of an appropriate length is enough to satisfy the Authentication requirement?

As I have said I have no problem with the idea of allowing the User ID to be changed, but I don’t agree that the change would necessarily strengthen the security of the router, and my reason for pointing out the accepted Identification/Authentication of other systems such as corporate networks, military secret networks, even WiFi authentication is that they seem to suggest the same.

I would only agree that the User ID choice becomes a worthwhile security enhancement if the full length of the Authentication field has been used, but I think that field is over 30 characters long in the R7000, a well-chosen password of that length would take quite a while to hack.

I work for a company with a global workforce of over 100,000 people, if I know someone's name it is highly likely I know their User ID, and variations only really occur where there are one or more people with the same name on the same domain. If I’m in an office I can walk up to a PC where the user is away from his desk and read the User ID from the 'locked' screen, that’s on a certified secret network. Knowing the User ID in that scenario is not considered to be a security risk or breach.

I use passwords of length 10 characters using the typical recommendation of lower/upper case, numbers, symbols. Using the strength calculator here https://www.grc.com/haystack.htm I see;


For a 10 character password;

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 19.24 million centuries


For a 30 character password;

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 68.97 billion trillion trillion trillion centuries

I’m relaxed about the fact that I can’t change the router admin ID, I’m the only person in the house who accesses it. I would not complain if I could change it, but I lose no sleep because I can’t. I would much rather see https support for router admin than selectable User ID.

I don’t know if this exists or not (at work so can’t check) but a time delay after three attempted login failures would also give me greater confidence if my router admin was exposed to the WAN (which it isn't).
Message 17 of 28
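The delay after repeated login failures asked for in the post above, together with the IP banning and the bot log entries mentioned earlier in the thread, worked as an added example (not Netgear firmware code and not written by any poster). The log format, the sample lines, the addresses and the thresholds (3 failures in 10 minutes, 15 minute lockout) are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <user name tried> <OK|FAIL>".
# Format and addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG = """\
2014-03-01T10:00:01 203.0.113.7 admin FAIL
2014-03-01T10:00:02 203.0.113.7 administrator FAIL
2014-03-01T10:00:03 203.0.113.7 root FAIL
2014-03-01T10:00:04 203.0.113.7 admin FAIL
2014-03-01T10:00:05 203.0.113.7 ftp FAIL
2014-03-01T10:05:00 192.0.2.10 admin FAIL
2014-03-01T10:05:20 192.0.2.10 admin OK
2014-03-01T10:20:00 203.0.113.7 admin FAIL
"""


class LoginThrottle:
    """Lock a source address out after `max_failures` failures inside `window`."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> moment the lockout ends

    def allowed(self, ip, now):
        return now >= self.locked_until.get(ip, datetime.min)

    def record_failure(self, ip, now):
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()

    def record_success(self, ip):
        self.failures.pop(ip, None)

    def max_guesses_per_day(self):
        """Upper bound on password guesses one address can make in 24 hours."""
        return (timedelta(days=1) // self.lockout) * self.max_failures


def replay(log_text, throttle):
    """Feed log lines through the throttle and return per-address statistics."""
    stats = defaultdict(lambda: {"users": set(), "checked": 0, "rejected": 0})
    for line in log_text.splitlines():
        stamp, ip, user, result = line.split()
        now = datetime.fromisoformat(stamp)
        entry = stats[ip]
        entry["users"].add(user)
        if not throttle.allowed(ip, now):
            entry["rejected"] += 1  # refused before the password is even checked
            continue
        entry["checked"] += 1
        if result == "FAIL":
            throttle.record_failure(ip, now)
        else:
            throttle.record_success(ip)
    return dict(stats)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for ip, entry in replay(SAMPLE_LOG, throttle).items():
        print(ip, sorted(entry["users"]), "checked:", entry["checked"],
              "rejected:", entry["rejected"])
    print("guesses per address per day, at most:", throttle.max_guesses_per_day())
```

With these settings one address gets at most 288 checked guesses a day, which is the figure to set against the search-space sizes discussed in the thread rather than the 1000 guesses per second assumed by the calculator.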
Almighty1
Novice

Re: Changing the router admin login name

I think it's better to just learn to agree that we have different opinions as this will not lead anywhere and just be an endless discussion since all I and diverge are saying is there are two variables, username and password. If username is known such as this case, then all one needs to do is figure out the password. Figuring out the password is easier than figuring out both the username and password. It's almost like trying to guess a person's name, would it be harder to guess a person's first name and last name or would it be easier if we know the first name or last name and just had to guess the other. Just like if you didn't put your name is Andy, we would have to figure out both the first name and last name which would be a lot harder than guessing your first name and last name. Besides, I already provided the answer on how to get the login name changed which is really what the original poster wanted to know. All the other concerns are really something each person should take into their own consideration and form their own conclusion. Netgear has always been considered a low end device since all these routers people are talking about are nothing more than NAT devices and not real routers such as Cisco which excludes the companies they bought out, Juniper Networks for example.
Message 18 of 28
Almighty1
Novice

Re: Changing the router admin login name

so I wouldn't expect it to have high security as unlike those using the high end devices, you won't be having monetary losses due to security issues, same reason it will not have the same performance in the amount of packets it can handle per second.
Message 19 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

Almighty1 wrote:
Figuring out the password is easier than figuring out both the username and password.
But it’s not at all easier, that’s the point I have been trying to get across with those examples. Here’s another simpler one;

Scenario A – User defined ID
Code 1 (User ID) 8 random characters – search space size 6.7e+15
Code 2 (P/W) 8 random characters - search space size 6.7e+15
Both Code 1 and Code 2 must be correct, no indication of which is wrong, search space = (6.7e+15) * (6.7e+15) = 4.45e+31

Scenario B – Fixed ID
Code 1 (User ID) known – takes zero time to crack
Code 2 (P/W) (combination of both codes from Scenario A) 16 random characters – search space = 4.45e+31

The fact is that most people with the option of a user selected ID will not treat it as a password but will use an easy to remember name or word, they will not apply strong password principles to it. So in Scenario A above ‘Code 1’ will typically be a lot easier to crack than ‘Code 2’.

I have no objection to the notion of user selectable IDs, but do disagree with the notion that this makes the User ID / PW combination harder to crack, a longer/stronger password does that job.

If you don’t want to continue this discussion then that’s fine, I’m not expecting you to agree, discussions don’t require all round agreement and I treat them as an exchange of ideas. I was hoping that more people would contribute their ideas and opinions since I’m no expert in this area.
Message 20 of 28
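The search-space comparison argued over in the post above and the reply that follows, carried through as an added example (not code from any poster). It assumes a 95-character printable ASCII alphabet, uniformly random secrets, and a constructed list of 100,000 likely user names for the "easy to remember ID" case; it also covers the case, ruled out earlier in the thread, where the login reveals which field was wrong.

```python
import math

ALPHABET = 95  # printable ASCII characters (assumed alphabet)


def exact_space(length, alphabet=ALPHABET):
    """Number of strings of exactly `length` characters."""
    return alphabet ** length


def up_to_space(length, alphabet=ALPHABET):
    """Number of strings of every length from 1 to `length`.

    For length 8 this is about 6.7e+15, the figure quoted in the thread.
    """
    return sum(alphabet ** k for k in range(1, length + 1))


def pair_space(id_space, pw_space, per_field_feedback=False):
    """Guesses needed to cover an (ID, password) login.

    Without feedback every pair must be tried, so the spaces multiply.
    If the login reveals "ID correct, password wrong", the two fields
    fall one after the other and the spaces only add.
    """
    if per_field_feedback:
        return id_space + pw_space
    return id_space * pw_space


def bits(space):
    return math.log2(space)


def chance_within(guesses, space):
    """Probability that a uniformly random secret is hit within `guesses` tries."""
    return min(1.0, guesses / space)


def centuries(space, guesses_per_second=1000):
    """Time to try the whole space at a fixed online guessing rate."""
    return space / guesses_per_second / (100 * 365.25 * 24 * 3600)


def compare(dictionary_ids=100_000):
    """dictionary_ids is an assumed size for a list of likely user names."""
    random8 = exact_space(8)
    return {
        "A:  random 8-char ID + random 8-char password": pair_space(random8, random8),
        "B:  fixed ID + random 16-char password": exact_space(16),
        "B': fixed ID + random 8-char password": random8,
        "A': dictionary ID + random 8-char password": pair_space(dictionary_ids, random8),
        "A with per-field feedback": pair_space(random8, random8, per_field_feedback=True),
    }


if __name__ == "__main__":
    for label, space in compare().items():
        print(f"{label:48s} {space:.3e} guesses {bits(space):6.1f} bits "
              f"{centuries(space):.3e} centuries at 1000/s")
```

Under these assumptions a user name drawn from a 100,000-entry list adds about 16.6 bits, less than three extra random password characters, while a random 8-character ID adds the same 52.6 bits as eight more random password characters.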
Almighty1
Novice

Re: Changing the router admin login name

The only thing is you're not comparing apples to apples as Scenario B - fixed ID, the p/w is now 16 random characters instead of 8 since basically you are doubling the code 2 because code 1 is known which is the reason I and diverge said 50%, doubling the password to 200% of scenario A of course would make it equal to scenario A. It would be more fair if you kept both with 8 random character passwords since people would not automatically use 16 character passwords just because code 1 is known so scenario B is actually 6.7e+15.
Message 21 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

The point of the example is to show that;

User ID – Fred_Bloggs, P/W abcd1234

Is cryptographically the same as;

User ID – Admin, P/W Fred_Bloggsabcd1234

So for people who are unable to change User ID, as so many devices will not allow, they can if they wish add their desired ID to the P/W field. But I would argue that a strong password is all they should ever really need and for a single administrator having a fixed User ID of ‘admin’, ‘root’, ‘administrator’ etc. is not a security limitation because it’s not intended to be used for Authentication.

As I said, most people will choose an easily remembered User ID which will not stand up to strong password requirements, it will for example fail a dictionary search very quickly, so shifting part of the Authentication over to the Identification field is not recommended. In my Scenario A the Search Space of the User ID field is likely to be very much lower than the Search Space of the P/W field because of the user’s choice of ID.

1. Having a user selectable User ID is fine, but …
2. People should not be using the User ID Identification field as a part of security Authentication, if they select a User ID which meets strong P/W requirements, then it should be part of the P/W field.
Message 22 of 28
Almighty1
Novice

Re: Changing the router admin login name

Except the thing is security experts all will tell you to never use any personal information that is tied to the username as part of the password. But in any case, weak passwords are always bad. That's not to say that someone couldn't simply do: User ID - Fred_Bloggs, P/W Fred_Bloggsabcd1234 which would still be easier than: User ID – Admin, P/W Fred_Bloggsabcd1234 since believe it or not, my password is exactly 6 characters which is just one capital letter, 4 lower case letters and a number. It has been used since 1985 but so far has not been cracked and I have accounts on over 6,000 systems. Some places require 8 characters minimum, while some places require 8 characters and at least one uppercase letter while other places require 8 characters minimum with at least one number, one uppercase letter minimum and no repeating characters. And believe it or not, there was a person which had a strong password that cannot be found in any dictionary that is 25 characters long with a combination of uppercase, lowercase, numerals, and special characters since we have a copy of the form they used to signup for the account, they pissed someone off and guess what, their account got hacked because the user id was known since it's the part before the @ in their e-mail address. So it all really depends on if you're a target and how good the luck is since it's just like winning the lottery, there is the probability of one getting all 6 numbers correct but it still happens. All the talk about how long it takes only means it is cracked in numerical/alphabetical order and the person's password happens to be the last thing it will guess since you never know if it's the password the person happens to choose is the 8th tried or the 14,500,000 one.
Message 23 of 28
Mars Mug
Virtuoso

Re: Changing the router admin login name

Sorry, but that last paragraph really made no logical sense at all, especially the suggestion that someone’s account with a 25 character length random password was hacked because hackers were able to work out their user ID. Are you seriously suggesting that the User ID is more important to security than the password, because that’s what that paragraph seems to say?

So, I fed in a random mix of 25 characters with no repetitions as you described into here to see how many permutations this creates;

https://www.grc.com/haystack.htm

And I got the results below.

So you are suggesting that the people who were somehow able to crack that password would have been thwarted by a different User ID? That password must have been a nightmare to remember and enter at the login screen?
Message 24 of 28
Almighty1
Novice

Re: Changing the router admin login name

It makes perfect sense, just that you don't understand it since you are assuming someone will guess a password starting in chronological order like...
aa
ab
ac

which would take as long as what the site says but remember, it's just like you throwing out a dozen rocks, do they all land in the same order as it's thrown out? Password cracking tools will try things at random and it can guess that password on the first attempt or it can guess it on the nth attempt. grc.com as in Steve Gibson while he is widely known for security, Spinrite and such, doesn't mean he's correct in everything as a lot of it has to do with fate and luck. Just like you can get hit with a random car, if you can predict when a password will get cracked or when you get hit by a car, you wouldn't be here talking. You're using something known as probability of how long it takes to completely try every possible combination for a password, not from real world experience such as what I said whether it made sense or not, it happened before and involved the US CERT as well as other federal agencies. Also, just like others have said:
Steve Gibson is recommending long, low-entropy passwords. This can give an advantage of convenience only in the short term. If there is a significant advantage to the password user, attackers will optimize for this type of low-entropy password by changing the search order.

Gibson implies in his reasoning that short passwords will be tried first. The efficient way to crack passwords is to try them roughly in the order of increasing entropy, not length. Increasing length is conventional, not essential.

Any gain in convenience you get by using long passwords with low entropy is lost when the attack methods change. Attackers adopt heuristics to target patterns in passwords, and you're back to relying on entropy. At that point, Gibson's approach just means uselessly typing more characters. The convenience gain is reversed.

Any public recommendation of a low entropy scheme, at any level of detail, is self-defeating. The more it's adopted, the faster it weakens relative to entropy.

Worse, if you were really getting the benefit of convenience by assuming dumb lexical order brute force attacks and using lower entropy than you should, you have to change your passwords to compensate for the loss of safety as the attack methods are adjusted to neutralize the length advantage.

Worse still, Steve Gibson is recommending low entropy for encryption keys, for example in WPA2 wireless encryption. When you use encryption for wireless transmission, you intentionally expose the cyphertext immediately, expecting it to be stored by keen attackers, and to be safe for some required period according to the strength of the key. In the long term, only the entropy of your key can reliably slow down decryption attempts. By the time you realize your key isn't as strong as you were led to believe, it's too late to change it. Your attacker already has your weakly encrypted data.
Message 25 of 28