Password Security - home devices

Just thought I'd post a quick heads up / reminder on password security.

Background:
We purchased a network camera - to keep an eye on our new kitten whilst we're not at home. Didn't want to spend huge amounts - so went on Amazon, and as we have prime - chose a camera that would be delivered next day - it's cheap (£20-30) so wasn't expecting much - but, it'll do.

To set it up - and use it - you have to download an app, set up a profile, then feed that profile your wifi details to hold in front of the camera. Fairly innocuous you think ...

To set up a profile you have to put in an email address and a "complex" password - only it didn't like my complex password, despite the fact that, on the face of it, it fitted the criteria. So I simplified the password, which it accepted - then promptly forgot exactly what modifier characters I'd used.
So I used the "forgot password" function to reset it ... only, it didn't reset it ...

it emailed me the password I used .... in plain text ... yes - they store the email either in plain text (most likely) or reversible encryption - which is fairly pointless.

The result is, I have to assume from this that if the company is lax on how it stores passwords, then it's lax on who has that information or where they may pass it on to. I have to assume my Wifi details are compromised (no great biggy tbh) and that any passwords / email address have also been compromised. I have to assume that anyone can access the camera too.

I'm now going to start a new security method on my home network - IoT devices will sit on their own isolated network. The devices will be physically turned off when we don't need them.

The point of this post is more to do with passwords though. I used a burner email address and the password was unique - but had I done what I know many do - use my standard email address and a generic password - that could've compromised my email account - and any service that uses the same - eg Paypal or Amazon accounts etc ...

So my advice is DON'T use GENERIC passwords - ever ... make them unique and less guessable - have a system of recording them if you need to (write them down and stick them in a drawer at home if you have to - you're less likely to lose them!) and when you're setting up devices - use burner email addresses - Gmail & Hotmail are free - don't use the Gmail modifier though, because that's a known function. Assume any email address you do use may be compromised - so keep your payment methods on a different address.
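For anyone wondering what the "emailed me my password in plain text" bit actually tells you about the vendor's backend: a service that only keeps a salted, slow hash of your password has no way to send it back, so its "forgot password" feature has to issue a reset token instead. The Python below is an added illustration written for this thread, not the camera app's code or anything the vendor published; the in-memory USERS table, the example addresses and the 15-minute token lifetime are all made up for the demo. It is the storage-and-reset design a defender would expect, with the plaintext thrown away at registration, a single-use reset token that is itself stored only as a hash, and constant-time comparisons.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for a vendor's user table: email -> record.
# (Assumption for this example; not the camera app's real backend.)
USERS: dict[str, dict] = {}

PBKDF2_ITERATIONS = 200_000   # deliberately slow; argon2id or scrypt are better where available
RESET_TOKEN_TTL = 15 * 60     # reset tokens expire after 15 minutes (constructed policy)


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the only form of the password that is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    """Keep only a per-user salt and the slow hash. The plaintext is discarded,
    so no later code path (such as 'forgot password') can email it back."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _kdf(password, salt), "reset": None}


def verify(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        _kdf(password, b"\x00" * 16)   # burn the same time so timing doesn't reveal whether the account exists
        return False
    return hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"])


def forgot_password(email: str, now: Optional[float] = None) -> Optional[str]:
    """What a reset feature should do: mint a short-lived, single-use random token.
    The token is what gets emailed; only its hash is stored, so a leaked database
    does not contain anything that can be used to take over the account."""
    rec = USERS.get(email)
    if rec is None:
        return None                    # a real service would still say "email sent" to avoid account enumeration
    token = secrets.token_urlsafe(32)
    rec["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
    }
    return token


def reset_password(email: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the pending token (whether or not it validates), check expiry and
    value in constant time, then re-salt and re-hash the new password."""
    rec = USERS.get(email)
    if rec is None or rec["reset"] is None:
        return False
    pending = rec["reset"]
    rec["reset"] = None                # single use: a wrong guess burns the token too
    if (now if now is not None else time.time()) > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    salt = os.urandom(16)
    rec["salt"], rec["hash"] = salt, _kdf(new_password, salt)
    return True


if __name__ == "__main__":
    register("burner@example.com", "Kitten-Cam!2024")          # constructed sample account
    assert verify("burner@example.com", "Kitten-Cam!2024")
    tok = forgot_password("burner@example.com")
    print("what gets emailed is a one-off token, not the password:", tok)
    assert reset_password("burner@example.com", tok, "new-Secret-7")
    assert verify("burner@example.com", "new-Secret-7")
```

The point of the demo is the absence of a function that could return the password: once register() has run, the plaintext is gone. If a vendor can mail it to you, they kept it (or something equivalent to it), which is exactly the inference made in the post above.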

Comments

  • thistle_
    thistle_ Posts: 7,141
    slowbike said:

    I'm now going to start a new security method on my home network - IoT devices will sit on their own isolated network. The devices will be physically turned off when we don't need them.

    This is what I've done, using an old router. My new router has two access points so you could probably have one for IoT and one for phones, tablets, PCs etc.


  • slowbike
    slowbike Posts: 8,498

    slowbike said:

    I'm now going to start a new security method on my home network - IoT devices will sit on their own isolated network. The devices will be physically turned off when we don't need them.

    This is what I've done, using an old router. My new router has two access points so you could probably have one for IoT and one for phones, tablets, PCs etc.


    yer - I'd do the same, but I don't have an old router atm - and I use Sky - which when I got it, you had to use their router as no other router was compatible - something to do with how they authenticate ... not sure if that's still true - I didn't worry at the time because their router basically works...
  • I don't bother trying to dream up new passwords anymore. Instead, I use Bitwarden which a) automatically generates (very) random passwords and allows me to store them all on my (encrypted) phone. It lets you copy 'n' paste the passwords also, so on your phone at least, you don't have to type the whole character string out every time. It's really very good, and from what I believe, is very secure...
  • slowbike
    slowbike Posts: 8,498
    I normally use Apple's random password generator - works most of the time, but just occasionally you get something that it doesn't work with.
    Plus - this particular app doesn't seem to integrate with Apple's password service - so to log in I'd have to either remember the password - or go into the password store each time and copy/paste.
    Either way, I still have to assume the device is compromised - and could quite easily have a packet sniffer posting back any and all the data running over my network.
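On the two posts above about generators (Bitwarden's, and Apple's occasionally producing something an app rejects): the usual fix is to generate from a character set the app is known to accept and make the password longer to compensate. The snippet below is an added example for this thread, not Bitwarden's or Apple's code; the allowed-symbol set and the length are made-up policy values. It draws from the OS CSPRNG via Python's secrets module, guarantees one character from each class so typical "complexity" checks pass, and reports the resulting entropy so you can see that a 20-character password from a restricted alphabet is still far stronger than a 12-character one from the full set.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Constructed policy (assumption for the example): a deliberately small symbol set,
# because some apps reject characters they don't expect.
SAFE_SYMBOLS = "!@#$%^&*-_=+"


def generate_password(length: int = 20, symbols: str = SAFE_SYMBOLS) -> str:
    """Uniformly random password from a CSPRNG, with at least one character from
    each required class. Pass symbols="" for apps that reject punctuation entirely."""
    classes = [LOWER, UPPER, DIGITS] + ([symbols] if symbols else [])
    if length < len(classes):
        raise ValueError("length too short to include every required character class")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]                      # one from each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                              # hide where the forced classes landed
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size).
    Ignores the small reduction from forcing one character per class."""
    return length * math.log2(alphabet_size)


def meets_policy(pw: str, symbols: str = SAFE_SYMBOLS) -> bool:
    """Check the generated password against the same constructed policy."""
    allowed = LOWER + UPPER + DIGITS + symbols
    return (all(c in allowed for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and (not symbols or any(c in symbols for c in pw)))


if __name__ == "__main__":
    full = generate_password(20)
    no_sym = generate_password(20, symbols="")
    print(full, f"{entropy_bits(20, 62 + len(SAFE_SYMBOLS)):.0f} bits")
    print(no_sym, f"{entropy_bits(20, 62):.0f} bits (no symbols)")
    print("12 chars, all printable ASCII:", f"{entropy_bits(12, 94):.0f} bits")
```

Length is the lever: dropping symbols costs about 0.3 bits per character, while each extra character adds roughly 6, so when an app won't take your generator's output, lengthen the password rather than weakening it.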
  • rjsterry
    rjsterry Posts: 27,611
    A cynic might suggest that cheap networked devices are sold specifically to scoop up personal information.
    1985 Mercian King of Mercia - work in progress (Hah! Who am I kidding?)
    Pinnacle Monzonite

    Part of the anti-growth coalition
  • wolfsbane2k
    wolfsbane2k Posts: 3,056

    slowbike said:

    I'm now going to start a new security method on my home network - IoT devices will sit on their own isolated network. The devices will be physically turned off when we don't need them.

    This is what I've done, using an old router. My new router has two access points so you could probably have one for IoT and one for phones, tablets, PCs etc.


    Thirded. My IOT stuff sits behind an OpenWRT'd box that acts as both a sniffer and a VPN service for the IOT stuff, meaning that there is nothing on my private ethernet network that it can access.

    The OpenWRT'd box is controlled via serial (RS232) from a raspberry pi to enable two way communications between the IOT network and my home network apps using a bespoke interface - almost definitely overkill, but I was bored, ok?
    Intent on Cycling Commuting on a budget, but keep on breaking/crashing/finding nice stuff to buy.
    Bike 1 (Broken) - Bike 2(Borked) - Bike 3(broken spokes) - Bike 4( Needs Work) - Bike 5 (in bits) - Bike 6* ...
  • slowbike
    slowbike Posts: 8,498
    I'm just looking at replacing my Sky router now - it's possible - now to get one at a sensible price that gives me what I require - pref Gb interfaces - not the 10/100 - which of course are on all the cheaper modules - or get a cheaper one then plug a GB switch into the back of that ... hmm ...
    Cheapskate? Me?! ;)
  • Longshot
    Longshot Posts: 940
    I'd do what you guys are suggesting if I had any idea WTF you're talking about.
    You can fool some of the people all of the time. Concentrate on those people.
  • slowbike
    slowbike Posts: 8,498
    I'm looking at the TP-Link modem/routers - they replace the ISP provided ones.
    The TP-Link ones seem to provide a guest access WiFi - which you can isolate from your own network - which is a good start.