Force users to change the default username/password #1452
Comments
How was the "little research" done?
We tried to search on sites that list open ports for IP addresses and that you can search by keyword. For example: https://www.shodan.io/search?query=loxberry. Then we tried to log in with the default username/password. For every person that we discovered with this method, we sent an email to warn them about this problem and asked them to change the password on the loxberry and loxone systems, and ideally to close the port for the loxberry, because remote access is not required in most cases.
Well, this is a quite old discussion and 4 people have 5 opinions about that :-)
Yeah well, I can imagine all of the people have different opinions about that :D The 1. point will be the good solution, but I personally prefer to have something like: You must set your own PIN before you can continue with the loxberry setup. I agree it's up to users to keep default passwords and open the ports. I just didn't find this issue Security: Miniserver Passwörter, because I try to search in English and don't know the current situation about that problem.
The issue is so old that it comes from our "german" time ;-) I'll leave this one open - just to make sure we do not forget it.
After a little research we found out there are a lot of users that do not change the default credentials and have an open port for remote access. I.e., anyone can access their loxberry and can see the loxone username and password, because it's not secured with the loxberry pin either. In most cases the remote connection to loxone is also enabled, and anyone can reach the loxone web interface and use the username and password that they find in the loxberry web interface.
Our recommendation is to secure the Loxone credentials with the pin.
And force users to change the default loxberry/loxberry username and password combo and the default pin also.
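
One way the two requests in this issue could be enforced, as an added example that is not LoxBerry's code and not written by anyone in the thread: setup stays blocked while the default password or PIN is still set, and the Miniserver password is masked unless a non-default PIN is presented. The store layout, the function names and the PIN placeholder are assumptions; only the loxberry/loxberry default comes from the issue.

```python
import hashlib, hmac, os

DEFAULT_USER = "loxberry"        # default named in the issue
DEFAULT_PASSWORD = "loxberry"    # default named in the issue
DEFAULT_PIN = "<default-pin>"    # placeholder: the issue does not state the PIN

def hash_secret(secret, salt=None):
    """Return (salt, PBKDF2 digest) so secrets are never stored in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def matches(secret, record):
    """Constant-time check of a candidate against a stored (salt, digest)."""
    salt, digest = record
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)

def setup_blockers(store):
    """Fields still at their default value; setup may not continue until empty."""
    defaults = (("password", DEFAULT_PASSWORD), ("pin", DEFAULT_PIN))
    return [field for field, value in defaults if matches(value, store[field])]

def change_secret(store, field, new_value):
    """Replace a password or PIN, refusing defaults, blanks and no-op changes."""
    banned = ("", DEFAULT_USER, DEFAULT_PASSWORD, DEFAULT_PIN)
    if new_value in banned or matches(new_value, store[field]):
        raise ValueError(f"new {field} must differ from the default and current value")
    store[field] = hash_secret(new_value)

def miniserver_view(store, pin_attempt=None):
    """Miniserver settings for the web UI. The password is revealed only when
    no default is left in place and the caller supplies the correct PIN."""
    view = {"user": store["miniserver"]["user"], "password": "********"}
    unlocked = (not setup_blockers(store) and pin_attempt is not None
                and matches(pin_attempt, store["pin"]))
    if unlocked:
        view["password"] = store["miniserver"]["password"]
    return view

def fresh_install():
    """Constructed sample state: factory defaults plus a made-up Miniserver login."""
    return {"password": hash_secret(DEFAULT_PASSWORD),
            "pin": hash_secret(DEFAULT_PIN),
            "miniserver": {"user": "admin", "password": "constructed-secret"}}
```

The Miniserver password has to stay recoverable because it is used to log in to the Miniserver, so the gate here protects display only; encrypting it at rest is a separate measure.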