This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
Re: How I can change the Username itself, not just the password.
Are you referring to the username and password of the UI? If that's the case, you cannot change the username as there is no option for you to change it.
Re: How I can change the Username itself, not just the password.
Are you referring to the username and password of the UI? If that's the case, you cannot change the username as there is no option for you to change it.
Re: How I can change the Username itself, not just the password.
alexthefool wrote:
Frankly, no need to try the username is half the way to crack in the router.
That’s not correct, you are confusing Identification and Authentication, the User ID is as implied - an Identifier.
I work on Secret networks, if you were able to walk into my office and access a computer you would be able to enter my User ID without any problems (or anyone else in my office), it’s my name. That’s common for many networks.
The reason that the router does not have a changeable admin ID is that it’s not the kind of device that would have multiple administrators, so maintaining a record of the current Admin ID would be a wasted effort.
Here’s some links, there are thousands of similar links if you search for something like “What is the difference between identification and authentication”
Re: How I can change the Username itself, not just the password.
There is a security risk in not allowing the name of the admin user to be changed - this is what's called two factor authentication, you need to know two things to get access, the ID & the password, and you already know one.
A few decades back, when I was doing IBM midrange support one of the presenters at a seminar was touting the security of the AS/400 series as unparalleled until I pointed out exactly what you see above, OS400 would actually tell you whether the username or the password was wrong - contrast that to many platforms that will only tell you that one of the two is wrong, leaving you to figure out which of the two it is.
Back then, I could spend half an hour chatting with a machine operator in the break room over lunch, and then walk up to their workstations and login as them, typically guessing their password within three tries - IBM training provided specific examples to passwords, and many of the users, not realizing that those were simply guidelines, took the examples back and used them literally - husband's names, children's names, that sort of stuff.
Not allowing the username to be changed is a support issue, we are dealing with consumer product that typically ends up in the hands of users who, given the ability to change more that necessary, will get themselves deeper into trouble.
Re: How I can change the Username itself, not just the password.
As I say, the user ID is commonly known, it’s handled as public information.
Every member of these forums knows the User ID of every other member. I can attempt to log in as anyone else, I get five attempts and I am then locked out from logging in (as anyone) for 15 minutes, with an e-mail sent to the person who I attempt to log in as.
I know the login IDs of every person in my company. If I walk up to a computer that is at the lock screen and I press a key a message on screen will tell me that User-ID is currently logged in. If I repeatedly try to log in as that person the computer locks out for a period of time.
If I go to the C:/Users directory of the PC I will see a list of all users who have successfully logged into this PC as the system has added profiles for them, the directory names are all the same as their User ID.
I am not at all concerned that people in my company know my User ID for both General and Secret networks because I know that they don’t know my password. If I have network problems at work and I call the IT department, one of their first questions is ‘what is your User ID?’, they may have the ability to reset my password, but they have no visibility of my chosen password and will never ask for it.
I am not concerned that people can attempt to log in as me in these forums, because I know that they don’t know my password, and will not guess it (it’s part pseudorandom, long, and contains a mixture of cases and special characters).
Many trusted systems have default User IDs that cannot be changed, e.g. admin, root, administrator, sys, system.
My point is that even high level trusted systems do not normally do anything to obscure/hide User Identification, and I can guarantee that even though my User ID is publicly known that information does not put people ‘half way’ to ‘cracking’ my account.
Re: How I can change the Username itself, not just the password.
Let me ask you this - do you use online banking?
The next time you go to the bank's web portal login to your account, does it prompt you with the user name of the last person who logged in from that computer?
Re: How I can change the Username itself, not just the password.
Yes I do use online banking, but the situation you describe does not occur since I don’t used a shared computer to access the account. But a User ID is required and it’s not secret, the extra authentication is a question (which anyone who knows me will know the answer to), and an electronic token generator is used.
Are you suggesting that everything I have posted is incorrect and that standard practice is not to treat the User ID as a public identifier, is the information in those links I posted incorrect, there were a great many more? Do you feel that the security of a router is compromised because the User ID is known, and if so would you also say that the Secret networks I use are also compromised for the same or similar reasons?
Re: How I can change the Username itself, not just the password.
Your bank is using three factor authentication - who you are (or claim to be), what you know, and what you have. There are quite a few that only use two factor authentication - username & password - and the big difference between these and ecommerce sites that also use two factor is that the bank system force the username to be entered every time you go to the site.
Many ecommerce sites, where the focus is on ease of use rather than security, "remember" you and just require the password to be entered.
All I am doing is pointing out here that whatever the authentication system, if one factor is known, the task of getting in is significantly easier - you seem to feel that the real security is the token, but if I had it, it would not help me any, unless I knew the other two.
From your description I'd guess RSA SecureID - we used that a few years back - does it generate a new token every 60 seconds? Have you had the token generator lose sync yet?
Re: How I can change the Username itself, not just the password.
Yes, the User ID (who I am) is clearly shown at the top of the window in my Android App with only the last three digits masked, but in any case I don’t have to enter that ID, it’s ‘remembered’ by the App. No, no loss of sync yet, but I don’t tend to use it heavily.
All I am doing is pointing out that not being able to change the Admin ID is quite common, it applies to business grade routers, SAN shelves, servers, UPSs, and many other network devices and software, and that it’s very common in office networks for the User ID to be open to anyone simply from the lock screen of their PC, or by knowing how User IDs are allocated by the IT department (in my office it’s first-name.last-name). Our accredited secret systems also treat the User ID as public information in the same way, they are Orange book compliant.
Re: How I can change the Username itself, not just the password.
I understand it might be a common practice in many system. Maybe, it is even good enough. But it doesn't necessarily mean it is better.
The example you mentioned are mostly internal, or inside a trust system. What I am concerned is the outsiders, UNtrusted ones. I think you cannot deny that two unknowns is much harder to guess than one unknown. Yes, with other settings such as block the intruder out for a period of time after a number of trials, it might be safe enough. But surely it is billion times more safe if there are two strain to guess.
In my NAS, I stopped the admin account and create another super user with a nonsense name to be the administrator. My colleague who is using the same model of NAS with me, has his NAS been cracked once through the admin login. Perhaps he is more unlucky than me, perhaps he is more silly in setting password. But no one can deny if we look at the very lengthy log of our NAS, there is a load of "admin" trying to login. Anyone who want to crack the NAS from the company will start with "admin" with different password. It is the same case here, anyone who want to crack into the network with the router of this brand, they know where to start with. Of course, how to hide the brand of my router is another issue. In a sense it might be a factor of authentication.
It might be common, it might be "good enough". But it is not difficult to make it better, is it?
Re: How I can change the Username itself, not just the password.
A NAS is a multi user device, and so it’s appropriate to have multiple user IDs. These routers are single user admin, there is no need for multiple admin accounts even if you could have more than one person performing that role. So in effect the User ID is pretty much redundant, and in fact my SOHO router has no Admin ID, that field is simply blank.
What stops people gaining unauthorised access to the router is the password, not the User ID, and if you a want to use the User ID as an authentication field then I have to ask if you are using all the possible characters of the current Authentication field?
What is the difference in difficulty in determining these User ID / Password combinations where both are required to access the account?
1. User ID – FredBloggs, Password 123456 2. User ID – Blank, Password FredBloggs123456 3. User ID – Admin, Password 123456 4. User ID – Admin, Password FredBloggs123456
Anyone who is aware of my router model, a Draytek Vigor 2950, will know that there is no User ID, does that make the router less secure?
At work I use Cisco routers costing thousands of pounds, they have no admin ID either, they only prompt for a password, no mention of a User ID.
What if we had one User ID which is fixed and added a second password i.e. User ID, Password1, Password2, is that so different to what is being asked for here? What about these examples;
1. User ID Admin (openly known), Password1 – FredBloggs, Password2 123456 2. User ID none – not used, Password1 – FredBloggs, Password2 123456
Neither of those two examples are any easier to guess than example 4 above, if you think otherwise please explain.
What is being effectively asked for here is to change the User ID into a kind of password, i.e. a router with two passwords, and I would say that's really only of any security value if the all characters of the existing password are used (which on its own would be monstrously difficult to determine if good password selection is used)
Re: How I can change the Username itself, not just the password.
Babylon5 wrote:
At work I use Cisco routers costing thousands of pounds, they have no admin ID either, they only prompt for a password, no mention of a User ID.
You can, if you so choose, create users, with different levels of access on most Cisco IOS versions, and almost every installation I have seen will only allow access without a userID from the console - for security reasons.
Re: How I can change the Username itself, not just the password.
Babylon5 wrote:
These routers are single user admin, there is no need for multiple admin accounts even if you could have more than one person performing that role.
Neither of those two examples are any easier to guess than example 4 above, if you think otherwise please explain.
What is being effectively asked for here is to change the User ID into a kind of password, i.e. a router with two passwords, and I would say that's really only of any security value if the all characters of the existing password are used (which on its own would be monstrously difficult to determine if good password selection is used)
I would only say a router is a single legitimate user device. There surely more than one person, the administrator, who wants to log in. Otherwise, no password is needed at all.
It is a simple math, man. Guessing one password is easier than guessing two. If you think otherwise please explain.:p
And yes, asking to change the username actually is asking to set up a two passwords authentication system.:eek: It is enlightening to me. Be frank, I am not an IT professional. I have never ever thought in this way as an end user.:o As a low technique paranoid end user, two "passwords" is more safe than one.
I don't disagree one password can be very secure, even secure enough. My password is monstrous. It consists of over 20 digits (something like repeating Bblon5329067 three to four times). I still think that it may be good enough, but it is not difficult to make it better.
By the way, sometimes we may need to think of some careless users who keep using easy passwords (like my colleague who got his NAS cracked:D). For example, which one is easier to crack if you were a hacker?
user: admin (fixed) password: 12345
user: root (set by the silly user and unknown to others) password: 12345
well, I admit, both are easy enough, but still, the first one is few seconds easier. If lucky enough, the second one can be protected once or twice by the blocking wrong password mechanism, if there is any.
Re: How I can change the Username itself, not just the password.
A consumer router is intended for a single user to log in and manage settings. There are no facilities to log who made what change and when. If the desire is to have multiple user accounts, this is probably not the type of device you should be looking to install on your network.
Regarding the math behind what makes the log in secure, having the ability to change the user id really makes no difference if the password is secure. I could argue that having no user id at all and a very secure password is just as safe as having a fixed and known user id and a very secure password, due to the permutations of characters allowed and number of characters used. Additionally, a known user id and a secure password could be just as difficult to hack as a unknown user id and an insecure password.
As an example of the above, most utilities, banks and even corporations such as Google or Apple have a known user id (your email address), and require only the password to be secure.
Just wanted to clarify some previous comments regarding two factor authentication, as I believe there is some misinterpretation of what that means. Most implementations of this type of verification require two items, usually something you know (a password), and something you have (such as a phone which can receive a text message, or an automated call). A user id and password combination is not a valid example of what is commonly known as two factor authentication.
Re: How I can change the Username itself, not just the password.
alexthefool wrote:
It is a simple math, man. Guessing one password is easier than guessing two. If you think otherwise please explain.:p
Let’s keep it simple just for an easy to calculate example, passwords using numbers only;
Using two passwords;
Password 1 – 4 digits – 10,000 possible combinations
Password2 – 4 digits – 10,000 possible combinations
The user is not informed which one is incorrect, so the number of possible combinations of the two passwords is 10,000 * 10,000 = 100,000,000
Using one password;
Password – 8 digits – 100,000,000 possible combinations
Unless people are using the entire 31 possible characters of the password then there’s nothing gained security –wise by having a changeable User ID. If people are using a 31 character password properly then the number of unique passwords is astronomical, will never be guessed.
The User ID is for identification, not a password, and in this case of the home router – single admin function it’s fairly redundant. Use the password properly and all is well.
These Cisco 7000 series devices cost many thousands, this particular one is about £32,000 in the UK). They have a fixed Admin account that cannot be changed, and only require a password to be entered to access that user level. They are considered highly secure and will not be out of place in a military network (I use them). http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-10-slot-switch/Data_Sheet_C78-4...
fordem wrote:
You can, if you so choose, create users, with different levels of access on most Cisco IOS versions.
I know, but can you delete/remove/rename the Admin User?
While everyone is correct in saying that having a user selectable Admin ID should be relatively easy, it would require a change to router code, something else to store. It would as has been mentioned lead to more issues with support, and more people who having forgotten the User ID / Password having to factory reset, a password alone is easier to remember.
But the argument that this makes things more secure leads me to question why people might think that the password alone is not secure, and if the password can be ‘guessed’ then why can’t the User ID be equally easily guessed? The password field is 31 characters long, and if the admin can’t make a secure password out of that then changing their User ID to something other than Admin isn’t likely to help at all.
