Admin Password Management

Tell us your most wanted features from QNAP products.
ytene
Getting the hang of things
Posts: 59
Joined: Mon Jul 23, 2012 6:17 am
Location: UK

Admin Password Management

Post by ytene » Mon Apr 20, 2020 12:47 am

Hello everyone...

I've just been prompted to upgrade my TVS-672XT to version 4.4.2.1270 of QTS. In the "What's New" notes that helpfully auto-launched after the final reboot, I see that the first feature change is one which modifies the default "admin" account password from the value "admin" to the hex values (omitting the colon separators) of the device's MAC address.

The note goes on to helpfully point out that this can be found either on a label on the NAS itself, or using the QFinder Pro application via a PC on the same network segment as the NAS.

I'd like to respectfully offer a few brief observations:-

1. If the person setting up the NAS puts the network cable into the "wrong" network port on a machine that has more than one network socket (My 672XT has at least 3 RJ45 sockets - 1x10Gb and 2x1Gb), will QFinder Pro return a valid MAC address that will still work with the "admin" account?

2. If this is being done as an aid to security... then isn't this a bit like saying that security has been "improved" by upgrading from a known-in-advance value ("admin") to a value that an attacker might need all of 5 minutes to find out if they have either physical or local-segment network access to the device? (Put another way: is this actually any more secure?)

3. When I set up my 672 from new, about 2 months ago, nothing in the setup process prompted me to go to User Manager and set up an Emergency/Spare account with Admin access, to be available in case something happened to corrupt the primary admin account (which feels a bit like a missed opportunity).

At least the "Create New User" feature has a password entropy check - but I do think this is a "change" as opposed to an "improvement"...
TS-670/16Gb with 6xWD Red 12Tb [RAID6] + 2 Cold Spare
TVS-672XT/32Gb with 6xWD Red [RAID6] 12Tb + 2 Cold Spare
Linux Mint 19.3/64-Bit / Windows 10/64-Bit
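To put numbers on observation 2 above, here is an added example (not code from the post, from QNAP, or from QFinder) that derives the MAC-based default password exactly as the release note describes it (hex digits with the colons removed) and compares the search space an attacker faces blind over the Internet with what they face once on the local segment. The ARP table, IPs and MACs are constructed sample data; the letter case of the default password is not stated in the post, so both cases are produced, and the "vendor OUI is public" point rests on the IEEE OUI registry, not on anything QNAP-specific.

```python
import math
import re

# Constructed sample of a Linux /proc/net/arp table as seen from a host on the same
# segment as the NAS. The IPs and MACs are made up and belong to no real vendor.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         a4:2b:8c:11:22:33     *        eth0
192.168.1.20     0x1         0x2         24:5e:be:aa:bb:cc     *        eth0
192.168.1.37     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_arp(text):
    """Return {ip: mac} for completed ARP entries (flag 0x2, non-zero address).

    Any host on the segment can read this table; no QFinder is needed."""
    hosts = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        if flags != "0x2" or not MAC_RE.match(mac) or mac == "00:00:00:00:00:00":
            continue
        hosts[ip] = mac.lower()
    return hosts


def default_password_candidates(mac):
    """The scheme the release note describes: the MAC's hex digits with the colons removed.

    The note quoted in the post does not say which letter case is used, so both are
    returned (an assumption, not something the post confirms)."""
    hexdigits = mac.replace(":", "").replace("-", "")
    if len(hexdigits) != 12 or not all(c in "0123456789abcdefABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [hexdigits.upper(), hexdigits.lower()]


def mac_password_bits(known_oui, case_known=False):
    """Bits an attacker must guess blind (no segment access) for a MAC-derived password.

    The first three bytes of a MAC are the vendor OUI, published in the public IEEE
    registry, so an attacker who knows the target's make only guesses the last 24 bits."""
    bits = 24 if known_oui else 48
    if not case_known:
        bits += 1                                 # upper- vs lower-case hex doubles the space
    return bits


def random_password_bits(length, alphabet_size):
    """Entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


def compare_defaults():
    """Search space, in bits, of each default scheme against a blind (Internet) guesser
    versus an attacker who can read the ARP table on the local segment."""
    rnd = round(random_password_bits(12, 62), 1)
    return {
        "fixed 'admin'":         {"blind": 0,                        "on-segment": 0},
        "MAC, vendor OUI known": {"blind": mac_password_bits(True),  "on-segment": 1},
        "MAC, OUI unknown":      {"blind": mac_password_bits(False), "on-segment": 1},
        "random 12-char alnum":  {"blind": rnd,                      "on-segment": rnd},
    }


if __name__ == "__main__":
    for ip, mac in parse_arp(SAMPLE_ARP).items():
        print(ip, mac, "-> default password candidates:", default_password_candidates(mac))
    for scheme, bits in compare_defaults().items():
        print(f"{scheme:24s} blind: {bits['blind']:>5} bits   on-segment: {bits['on-segment']:>5} bits")
```

The table the script prints is the whole argument in one place: against blind Internet scanners the MAC scheme costs roughly 2^25 guesses instead of one, which is real friction, but on the local segment the password is one ARP lookup and a coin flip on letter case away, which is why it should be treated as a first-boot value to replace, not as a credential.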

dolbyman
Guru
Posts: 20087
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Admin Password Management

Post by dolbyman » Mon Apr 20, 2020 1:14 am

The first two questions were asked in the forum as well when QNAP announced that feature.

No answer yet (nobody here has reset their NAS to factory to try).

Best to ask QNAP these questions via a ticket.

Moogle Stiltzkin
Ask me anything
Posts: 9266
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Admin Password Management

Post by Moogle Stiltzkin » Mon Apr 20, 2020 1:23 am

ytene wrote:
Mon Apr 20, 2020 12:47 am
1. If the person setting up the NAS puts the network cable in to the "wrong" network port on a machine that has more than one network socket (My 672XT has at least 3 RJ45 sockets - 1x10Gb and 2x1Gb), will QFinder Pro return a valid MAC address that will still work with the "admin" account?
Yes, QFinder can display the MAC address. However, I think the new default uses MAC address 1, not the other MAC ports.
https://www.qnap.com/en/how-to/knowledg ... -explained

In QFinder it will first show you the MAC of the port you connect to. However, you can still see your other ports' MAC addresses by right-clicking your NAS in QFinder and clicking Show Details. It's all listed there. The one you want to know for the default password is MAC address 1 :)

ytene wrote:
Mon Apr 20, 2020 12:47 am
2. If this is being done as an aid to security... then isn't this a bit like saying that security has been "improved" by upgrading from a known-in-advance value ("admin") to a value that an attacker might need all of 5 minutes to find out if they have either physical or local-segment network access to the device? (Put another way: is this actually any more secure?)
It's just security through obscurity. Before, the malware scripts would automatically insert a widely known default password. But to make it harder, they made EACH NAS use its own MAC address, thus complicating it for automated scripts: the single password they used to try has suddenly become many.

ytene wrote:
Mon Apr 20, 2020 12:47 am
3. When I set up my 672 from new, about 2 months ago, nothing in the setup process prompted me to go to User Manager and set up an Emergency/Spare account with Admin access, to be available in case something happened to corrupt the primary admin account (which feels a bit like a missed opportunity).

At least the "Create New User" feature has a password entropy check - but I do think this is a "change" as opposed to an "improvement"...
You mean a password strength checker?
https://www.grc.com/haystack.htm

Yes, this is a good tool to have. It will verify whether your password is strong enough or not, which is good enough to know. If your password is too easy, it will be easily crackable through methods such as brute force, which is a script that hammers at your NAS login with guesses until it strikes gold. This is why it's important to enable auto login limits. The idea is that the admin would be notified when an unusual number of failed login attempts is occurring, and it slows the attacker's login guesses to a crawl to give the admin time to notice the attack and block their IP or change their security to a more hardened setting.

So this entropy check just tells you whether or not the password you use can be easily cracked by these automated processes. Definitely important to know, and you definitely shouldn't be using passwords that are flagged as being too weak.


You might be surprised to know that this same thing applies to encryption. E.g. if you encrypt your volume or share, you should apply a sufficiently strong encryption key for the same reason, so it might also benefit from a password strength checker, I would reckon.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
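The "auto limit logins" behaviour described in the reply above, as an added example that is not QNAP's code and does not use QTS's real log format: a sliding-window lockout that counts failed logins per source IP, blocks the IP for a while once a threshold is crossed (refusing even a correct password during the block, which is what slows a brute-forcer to a crawl), and records the alert the admin would be notified with. The log lines, their layout and the thresholds (5 failures in 60 seconds, 30-minute block) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a made-up format; it is not QTS's real log layout.
# 203.0.113.9 hammers the admin account; 192.168.1.50 is a user making two honest typos.
SAMPLE_LOG = """\
2020-04-20T00:00:01 login FAILED user=admin ip=203.0.113.9
2020-04-20T00:00:02 login FAILED user=admin ip=203.0.113.9
2020-04-20T00:00:02 login FAILED user=admin ip=203.0.113.9
2020-04-20T00:00:03 login FAILED user=admin ip=203.0.113.9
2020-04-20T00:00:03 login FAILED user=admin ip=203.0.113.9
2020-04-20T00:00:04 login OK user=admin ip=203.0.113.9
2020-04-20T00:00:30 login FAILED user=alice ip=192.168.1.50
2020-04-20T00:20:00 login FAILED user=alice ip=192.168.1.50
2020-04-20T00:31:00 login OK user=admin ip=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAILED) user=(\S+) ip=(\S+)$")


class LoginLimiter:
    """Sliding-window lockout: `max_failures` within `window` blocks the source IP for
    `block_for` and raises an alert. The thresholds are assumed, not QTS's defaults."""

    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires
        self.alerts = []                     # what the admin would be notified with

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block expired; forget it
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ts, ip, user, success):
        """Return 'allow', 'deny' (bad password) or 'blocked' (refused regardless of password)."""
        if self.is_blocked(ip, ts):
            return "blocked"                 # even a correct guess is refused while blocked
        if success:
            self.failures.pop(ip, None)
            return "allow"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_for
            self.alerts.append(
                f"{ts.isoformat()} ALERT {len(recent)} failed logins from {ip} "
                f"(last user={user}); blocked until {self.blocked_until[ip].isoformat()}")
            recent.clear()
            return "blocked"
        return "deny"


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, success)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, result, user, ip = m.groups()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def replay(log_text, limiter=None):
    """Feed every log line through the limiter; return (decisions, limiter)."""
    limiter = limiter or LoginLimiter()
    decisions = [limiter.record(*parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return decisions, limiter


if __name__ == "__main__":
    decisions, limiter = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:8s} {line}")
    for alert in limiter.alerts:
        print(alert)
```

Replaying the sample, the fifth failure from 203.0.113.9 trips the block, the correct password one second later is still refused, and the same IP is allowed in again only once the 30 minutes have passed; alice's two failures are twenty minutes apart, so the window never holds more than one and she is never locked out. The block counts per source IP, so an attacker spreading guesses over many addresses is not slowed by this alone; that is the case for the strong password, not a substitute for it.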
