Password Security - home devices

Just thought I'd post a quick heads up / reminder on password security.
Background:
We purchased a network camera - to keep an eye on our new kitten whilst we're not at home. Didn't want to spend huge amounts - so went on Amazon, and as we have prime - chose a camera that would be delivered next day - it's cheap (£20-30) so wasn't expecting much - but, it'll do.
To set it up - and use it - you have to download an app, set up a profile, then feed that profile your wifi details to hold in front of the camera. Fairly innocuous you think ...
To set up a profile you have to put in an email address and a "complex" password - only it didn't like my complex password, despite that on the face of it, it fitted the criteria. So I simplified the password, which it accepted - then promptly forgot exactly what modifier characters I'd used.
So I used the "forgot password" function to reset it ... only, it didn't reset it ...
it emailed me the password I used .... in plain text ... yes - they store the email either in plain text (most likely) or reversible encryption - which is fairly pointless.
The result is, I have to assume from this that if the company is lax on how it stores passwords, then it's lax on who has that information or where they may pass it on to. I have to assume my Wifi details are compromised (no great biggy tbh) and that any passwords / email address have also been compromised. I have to assume that anyone can access the camera too.
I'm now going to start a new security method on my home network - IoT devices will sit on their own isolated network. The devices will be physically turned off when we don't need them.
The point of this post is more to do with passwords though. I used a burner email address and the password was unique - but had I done what I know many do - use my standard email address and a generic password - that could've compromised my email account - and any service that uses the same - eg Paypal or Amazon accounts etc ...
So my advice is DON'T use GENERIC passwords - ever ... make them unique and less guessable - have a system of recording them if you need to (write them down and stick them in a drawer at home if you have to - you're less likely to lose them!) and when you're setting up devices - use burner email addresses - gmail & hotmail are free - don't use the gmail modifier though, because that's a known function. Assume any email address you do use may be compromised - so keep your payment methods on a different address.
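For contrast with the vendor behaviour described above (a "forgot password" that mails the password back, which only works if it is stored in plain text or reversibly), here is an added example, not from the poster or the camera vendor, of a password store that keeps only a salted PBKDF2 hash and handles resets with a one-time expiring token. The user store, email addresses and passwords are constructed in-memory placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-ins for a vendor's user database and reset-token table.
USERS: Dict[str, Dict[str, bytes]] = {}
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def register(email: str, password: str) -> None:
    # Only salt + digest are persisted; the plaintext never touches the store.
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest}

def verify(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])  # constant-time compare

def request_reset(email: str, ttl_seconds: int = 900) -> Optional[str]:
    """Issue a random, single-use token; nothing about the old password is revealed."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (email, time.time() + ttl_seconds)
    return token

def complete_reset(token: str, new_password: str) -> bool:
    entry = RESET_TOKENS.pop(token, None)  # pop: the token cannot be replayed
    if entry is None:
        return False
    email, expires = entry
    if time.time() > expires:
        return False
    register(email, new_password)
    return True

def stored_record_contains(email: str, password: str) -> bool:
    """True only if the plaintext password appears in what was persisted."""
    rec = USERS[email]
    return password.encode() in rec["digest"] or password.encode() in rec["salt"]
```

With this layout the vendor could not have emailed the original password back, because it is simply not recoverable from what is stored.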
Plus - this particular app doesn't seem to integrate with apple's password service - so to log in I'd have to either remember the password - or go into the password store each time and copy/paste.
Either way, I still have to assume the device is compromised - and could quite easily have a packet sniffer posting back any and all the data running over my network.
Pinnacle Monzonite
Part of the anti-growth coalition
The OpenWRT'd box is controlled via serial (RS232) from a raspberry pi to enable two way communications between the IOT network and my home network apps using a bespoke interface - almost definitely overkill, but I was bored, ok?
Bike 1 (Broken) - Bike 2(Borked) - Bike 3(broken spokes) - Bike 4( Needs Work) - Bike 5 (in bits) - Bike 6* ...
Cheapskate? Me?!
The TP Link ones seem to provide a guest access WiFi - which you can isolate from your own network - which is a good start.