Forgot the password? Your device is bricked.

I think it's a good idea. They should also ban WEP while they're at it since it provides almost no security.
 
I haven't seen the "correct horse battery stapler" comic in several years.

...and it's freakin right.
this one?
 
It's there in the direct quote:


It doesn't say you can't reset to the original password, but chances are that if you don't know your own password you won't know the original unique password either, unless you kept it documented somewhere.

It's printed on the label on the device along with the serial number, model number, etc. You don't have to remember anything, and resetting it doesn't brick it. Completely misleading/mistaken thread title.
 
> It's printed on the label on the device along with the serial number, model number, etc. You don't have to remember anything, and resetting it doesn't brick it. Completely misleading/mistaken thread title.

I made the mistake of assuming you don't want to have the password on the device for security. I forgot you can change the password so people with physical access can't access the admin page. So it is not bricked, assuming all manufacturers put the password on the device itself.
 
This.

I support this.

Furthermore, I'd like to ban any claim of encryption where the encryption key resides on any central server or service.

Encryption keys should need to be manually installed on each and every device that needs them. Inconvenient, yes, but it is the only way you can be sure there is no man-in-the-middle.

Apple already does this and every dick and his dog still bitches and moans about right to repair. Expect the most secure device in the world but still expect to be able to repair it yourself.
 
People get a filing box and stick their device default password in there along with their birth certificates, property titles, and other shit. It's not rocket science.
 
I do not want to get political with this, so I pose a rhetorical question: how is this not a political move? Don't answer. This is a really hard topic to discuss without crossing the rules line, imo.

I'll just say that is another freedom lost if this is true.
 
Is someone really going to break into your house to steal your coffee maker/refrigerator/toaster password if it's printed somewhere directly on the unit?
 
> Is someone really going to break into your house to steal your coffee maker/refrigerator/toaster password if it's printed somewhere directly on the unit?

No, but you can't have it on the device in a hotel lobby, or office building. Even at home you perhaps want to keep your kids out of the filters in your router.
 
> This.
>
> I support this.
>
> Furthermore, I'd like to ban any claim of encryption where the encryption key resides on any central server or service.
>
> Encryption keys should need to be manually installed on each and every device that needs them. Inconvenient, yes, but it is the only way you can be sure there is no man-in-the-middle.

Wow, someone doesn't want SSL any more.
 
The flip side to this is that by NOT doing this, you inevitably create massive bot nets around compromised IoT devices.

The simple solution is to stick / etch the unique password onto the device itself.



Correct me if I'm wrong, but from this I don't think it's saying you can't reset the password, just that you can't reset it to some universal default like 123456.

In my opinion, this is a MASSIVE step in the right direction.

This is very bad. So this is like if your smartphone doesn't work to the point that it's bricked at the password level. It happens if for some reason it hangs while you were inserting a new password. Then you cannot erase it to factory level and configure it again.
This is a bit like what Apple does on its iPhones, so it is very difficult to resell apart from doing it through Apple's channel.
 
> Wow, someone doesn't want SSL any more.

I'm not talking about SSL. I'm talking about encryption of stored data. In general I am opposed to everything and anything cloud, but if cloud has to exist, it should be set up so the user, and only the user possesses the encryption key.

I don't see any way of doing this without having the user manually install the key on each device to be used. Any automation of this process requires that your key be put in the hands of someone else.
 
Have you checked the new law in the EU regarding your bank account? It is just crazy. If you ever want to buy or pay for something, you can only do it with your card (no cheques apart from some rare transactions) and you need to validate that with an app on your phone and your fingerprint or facial recognition and a password which needs to be changed every 3 months. Applicable on the 1st of April (not an April fool). Just crazy and not secure at all. It is just that if someone hacks you, it will be so good that you won't have good proof to get the money back, and so the bank won't lose anything and the police won't look into it and will consider you responsible for your loss. But in the meantime paying with real money and cheques is becoming illegal (especially in France and Sweden)... so no more choice.
 
> Apple already does this and every dick and his dog still bitches and moans about right to repair. Expect the most secure device in the world but still expect to be able to repair it yourself.

Right to repair has nothing to do with this. Cell phones are already generally secure (the point of the proposal/law), but with physical access can be broken in to. This is about set and forget type devices like IoT connected refrigerators, wifi routers, edge devices. Right to repair is not impacted at all by this.

> Is someone really going to break into your house to steal your coffee maker/refrigerator/toaster password if it's printed somewhere directly on the unit?
>
> No, but you can't have it on the device in a hotel lobby, or office building. Even at home you perhaps want to keep your kids out of the filters in your router.

Those are not reasons to not hold hardware manufacturers to best practices regarding the security of their devices. In the above situation they can remove those passwords from the devices' labels.

It's still a good idea that is long overdue.
 
> This is very bad. So this is like if your smartphone doesn't work to the point that it's bricked at the password level. It happens if for some reason it hangs while you were inserting a new password. Then you cannot erase it to factory level and configure it again.
> This is a bit like what Apple does on its iPhones, so it is very difficult to resell apart from doing it through Apple's channel.


Not at all.

No one is saying that the factory reset option should go away.

Just that when you factory reset you reset it to a unique password for that one device, not the same password for all devices. That unique password can be laser etched into the device, so that you never lose it.

It is also not a security issue to have it laser etched, as the device would have to be encrypted, and wipes the key upon factory reset, so all data is inaccessible.

This is just common sense. Any time you use the same default password across your entire product lineup bad things can and will happen.
 
> Not at all.
>
> No one is saying that the factory reset option should go away.
>
> Just that when you factory reset you reset it to a unique password for that one device, not the same password for all devices. That unique password can be laser etched into the device, so that you never lose it.
>
> It is also not a security issue to have it laser etched, as the device would have to be encrypted, and wipes the key upon factory reset, so all data is inaccessible.
>
> This is just common sense. Any time you use the same default password across your entire product lineup bad things can and will happen.

Ah ok. So this is already the case on many devices, like the Orange Boxes. Not a big deal. On the contrary it's good. Many persons leave the default password.
 
With hardware forced timeouts for wrong attempts, say 15 min after 3 failed attempts to prevent brute force attacks.

The problem with a hardware-forced timeout is that it would be tantamount to a denial of service/access to the device. A hacker could deny the owner the ability to access the device. Sure, save the internet from an IoT botfarm, but deny the owner of the device the ability to access and control said device. It's a double-edged sword.
I would agree with a mandatory default password change after initial startup and configuration of the device. Seems to be the easiest and most logical method of stopping root password issues.
 
> The problem with a hardware-forced timeout is that it would be tantamount to a denial of service/access to the device. A hacker could deny the owner the ability to access the device. Sure, save the internet from an IoT botfarm, but deny the owner of the device the ability to access and control said device. It's a double-edged sword.

Umm, no. If the devices are made with a focus on security, the remote management option will be disabled by default. And if it is enabled and a hacker keeps trying and locking the administration of the device, unplug it from the internet for 15 minutes.

Saving the internet from a botfarm is far better than not.
 
> Umm, no. If the devices are made with a focus on security, the remote management option will be disabled by default. And if it is enabled and a hacker keeps trying and locking the administration of the device, unplug it from the internet for 15 minutes.
>
> Saving the internet from a botfarm is far better than not.

Agreed. If someone can't use their toaster for 15 mins, that is a small price to pay to prevent botnets from dropping entire online services and providers (which would result in the user not being able to log into their toaster anyway).
 
> Have you checked the new law in the EU regarding your bank account? It is just crazy. If you ever want to buy or pay for something, you can only do it with your card (no cheques apart from some rare transactions) and you need to validate that with an app on your phone and your fingerprint or facial recognition and a password which needs to be changed every 3 months. Applicable on the 1st of April (not an April fool). Just crazy and not secure at all. It is just that if someone hacks you, it will be so good that you won't have good proof to get the money back, and so the bank won't lose anything and the police won't look into it and will consider you responsible for your loss. But in the meantime paying with real money and cheques is becoming illegal (especially in France and Sweden)... so no more choice.

Just checked, and the only recent thing regarding account security is: https://www.ccpc.ie/consumers/2019/...e-how-you-bank-and-shop-online-are-you-ready/

Guess what: you're spreading a load of bull manure. For example, the only change for me is that I will require 2 step authentication (my bank is using a non-internet-connected device) to log in instead of merely a password.
 
They already do this on some wifi routers. The password is printed right on the label. BFD.

It's about time, and they need to pass this in the US also.
I think my router and/or cable modem does this. And yeah, it's better than having admin/<nul> as the default login/password that I'm sure quite a few people never change.
 
> Right to repair has nothing to do with this. Cell phones are already generally secure (the point of the proposal/law), but with physical access can be broken in to. This is about set and forget type devices like IoT connected refrigerators, wifi routers, edge devices. Right to repair is not impacted at all by this.
>
> Those are not reasons to not hold hardware manufacturers to best practices regarding the security of their devices. In the above situation they can remove those passwords from the devices' labels.
>
> It's still a good idea that is long overdue.

It has everything to do with it, you can't do data recovery / swap out SSD's when they are

> Right to repair has nothing to do with this. Cell phones are already generally secure (the point of the proposal/law), but with physical access can be broken in to. This is about set and forget type devices like IoT connected refrigerators, wifi routers, edge devices. Right to repair is not impacted at all by this.
>
> Those are not reasons to not hold hardware manufacturers to best practices regarding the security of their devices. In the above situation they can remove those passwords from the devices' labels.
>
> It's still a good idea that is long overdue.


Yes it does, everything from iPhone data recovery demanding access to manufacturer tools right down to the T2 hardware encryption chip that ties all Mac’s SSD’s to the board.
 
> Yes it does, everything from iPhone data recovery demanding access to manufacturer tools right down to the T2 hardware encryption chip that ties all Mac's SSD's to the board.

Is this your first time reading about the idea of encryption?
 
> Hardware encryption, not shitty software encryption.

My bad. I thought you were anti hardware encryption because the only example you could think of that you didn't like was one that was hardware encryption. That must be some new logical technique.
 
IoT device manufacturers must be thrilled by new UK legislation that requires the use of unique default passwords on all connected devices. And more importantly, bans the password reset feature.

This means if you forget the password and don't have the original documentation with your unique password you can throw out the device because it is basically bricked.

Let's be honest you don't often need the password for most devices so it is more than likely to get misplaced or forgotten after a few months or years. Chalk another one up for planned obsolescence, this time mandated by the state.



Source
Isn't that essentially how routers are now? I know my Netgear router's default looks unique, and it's probably 6-8 years old.
 