Hashing the passwords (Do not store in clear text)

Submitted by -
Status: Implemented

Please don't store the passwords (admin/user/...) in clear text (if anybody manages to get into the machine hosting the controller, people will have a leak).

Passwords should be salted and hashed, and the password reset functionality could be done through a script that will simply set a new password in the database.

Comments
by
on ‎01-10-2014 06:28 AM

I agree completely.

And it will also remove limits of allowed chars in the password.

by
on ‎02-19-2014 11:25 PM

Just found out about this security issue too while reading the wiki. Should really get fixed soon.

by
on ‎03-10-2014 07:24 AM

Help!

Have forgotten the password for airVision-c.

 

by
on ‎03-15-2014 06:21 PM

I second or third this suggestion.

All passwords should be heavily encrypted and protected!!!!

by
on ‎08-15-2014 05:13 AM

Agreed, passwords should never be stored in plain text.

 

I understand there are some installations out there where this will not be important (i.e. home installations, etc.) and they will find the plaintext password useful. You could add hashing/encrypting passwords as an option; make it one of the initial questions asked during the configuration wizard, detailing its pros/cons.

by
on ‎08-15-2014 05:39 PM

Yeah, never plain text and the password length and restrictions should not be so limited. I mean 8 characters max? This is pretty obvious.

by
on ‎10-23-2014 08:07 AM

Let's be clear - passwords should NOT be encrypted - they should be properly HASHED. When you encrypt something, that means, by definition, you can decrypt it; this is not how passwords work. Hashing is a one-way operation, no decryption possible. Passwords should be hashed and salted, not encrypted, preferably with a password hash like bcrypt as opposed to a VPN hash like SHA1 or (shudder) MD5. The fact that they are in clear text in the database makes the wifi controller a toy. Anyone with any regulatory compliance requirements for things like HIPAA, FISA, etc. cannot use this product and maintain their compliance. This should be fixed for all supported versions, not just "new versions going forward."

by
on ‎01-26-2015 09:39 AM

This x1000

by Ubiquiti Employee
on ‎06-23-2015 04:07 PM
Status changed to: Under Consideration
 
by
on ‎07-09-2015 07:04 AM

Oh, my god! Just looked through the mongo db and found the admin password in the clear ... then I found this post and now I know that this has been known for over a year! I can't believe it!