Prudent time frame for changing router password?

softdown
softdown Solar Expert Posts: 3,812 ✭✭✭✭
Let's imagine that you are of interest to "hackers". How often would you change your router password? 
First Bank:16 180 watt Grape Solar with  FM80 controller and 3648 Inverter....Fullriver 8D AGM solar batteries. Second Bank/MacGyver Special: 10 165(?) watt BP Solar with Renogy MPPT 40A controller/ and Xantrex C-35 PWM controller/ and Morningstar PWM controller...Cotek 24V PSW inverter....forklift and diesel locomotive batteries

Comments

  • pdh
    pdh Registered Users Posts: 31 ✭✭
    Just once. Set it to something very strong: a long string of characters (say, 16 characters or more -- more is better), no words in it, using both upper- and lower-case letters, plus numbers and special characters.

    Changing your password often is a protection against continued use of a stolen / guessed password. That is, changing your password is useful only *after* a bad guy has already obtained it. If no bad guy ever learns it, then there's no benefit to ever changing it. So if your password is strong enough that it can't be guessed, and if you're careful not to allow it to be stolen (don't write it down on a sticky note on your office wall -- find a way to remember it without writing it down) then there's no need to ever change it (unless you're using software that forces you to do so).

    The biggest challenge is finding a way to remember your long, strong password... but there are lots of ways to do that.

  • mike95490
    mike95490 Solar Expert Posts: 9,583 ✭✭✭✭✭
    Many routers had a backdoor flaw, and there is new firmware to correct that.  If the backdoor is not closed, it matters not what your password is.



    Powerfab top of pole PV mount | Listeroid 6/1 w/st5 gen head | XW6048 inverter/chgr | Iota 48V/15A charger | Morningstar 60A MPPT | 48V, 800A NiFe Battery (in series)| 15, Evergreen 205w "12V" PV array on pole | Midnight ePanel | Grundfos 10 SO5-9 with 3 wire Franklin Electric motor (1/2hp 240V 1ph ) on a timer for 3 hr noontime run - Runs off PV ||
    || Midnight Classic 200 | 10, Evergreen 200w in a 160VOC array ||
    || VEC1093 12V Charger | Maha C401 aa/aaa Charger | SureSine | Sunsaver MPPT 15A

    solar: http://tinyurl.com/LMR-Solar
    gen: http://tinyurl.com/LMR-Lister ,

  • pdh
    pdh Registered Users Posts: 31 ✭✭
    > If the backdoor is not closed, it matters not what your password is

    Very true. There are several ways that bad guys could compromise a system that's protected with even the strongest password... software or hardware flaws as you mentioned; hardware or software keyloggers; a small hidden camera trained on your keyboard; interception of Wi-Fi or HTTP transmissions that include the password "in the clear"; reading the little yellow sticky note with the password on it, or breaking into the password database on systems where there is such a thing; and there are others.

    Changing your password frequently doesn't help with any of this -- in fact it makes it harder to maintain a good strong password without writing it down. It limits the damage after you've already been hacked, but that's all it does.
  • Estragon
    Estragon Registered Users Posts: 4,496 ✭✭✭✭✭
    If I was "of interest to hackers" I would set my router password to "password", and never change it, then never do anything with my router. Maybe I'd write a script to constantly update the score of Princess Bride on Rotten Tomatoes or something, then do what I really wanted to do in a public library.
    Off-grid.  
    Main daytime system ~4kw panels into 2xMNClassic150 370ah 48v bank 2xOutback 3548 inverter 120v + 240v autotransformer
    Night system ~1kw panels into 1xMNClassic150 700ah 12v bank morningstar 300w inverter
  • BB.
    BB. Super Moderators, Administrators Posts: 33,431 admin
    I have my routers set to never allow remote (over the internet) logins--Only from my local network (wired or wifi--still need good passwords).

    Also, set my router to never reply to pings (no return, nobody sees any hardware to try and hack).

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • Dave Angelini
    Dave Angelini Solar Expert Posts: 6,728 ✭✭✭✭✭✭
    The Engineers at Schneider and Outback have told me their web portals are very safe. I still wonder about it though. I monitor about 25 systems and although I can only read the data (The portals do not allow changing settings)  I do not know enough about the safety that I am told is designed in.  Comments on this?
    "we go where power lines don't" Sierra Nevada mountain area
       htps://offgridsolar1.com/
    E-mail offgridsolar@sti.net

  • softdown
    softdown Solar Expert Posts: 3,812 ✭✭✭✭
    > The Engineers at Schneider and Outback have told me their web portals are very safe. I still wonder about it though. I monitor about 25 systems and although I can only read the data (The portals do not allow changing settings)  I do not know enough about the safety that I am told is designed in.  Comments on this?

    Would any company admit that they don't take security seriously? 

    Changing the subject here a bit. Just learned that our bluray players are required to have 1 GB of internal memory and an internet data port. That is a lot of data. I had not imagined that the lowly bluray player was capable of potentially extensive surveillance. 

    Being a Luddite is pretty attractive at times. 
  • softdown
    softdown Solar Expert Posts: 3,812 ✭✭✭✭
    edited March 2018 #9
    > BB. said:
    > I have my routers set to never allow remote (over the internet) logins--Only from my local network (wired or wifi--still need good passwords).
    >
    > Also, set my router to never reply to pings (no return, nobody sees any hardware to try and hack).
    >
    > -Bill

    My new router offers two separate data transfer "ports"...........2.4 and 5. Sure would be convenient for hackers to download from one bandwidth while the user blithely uses the other bandwidth without even noticing slow service.

    This router tells me of DDoS attacks by the lights. Plus the TV internet service went down as well......for a long time. 

    I would imagine the NRO enjoys as much clandestine access as the NSA...working hand in hand. Looking at our "selection" of current public servants, I wonder about control of the political process. We always seemed to have more freedom fighters actually working in the best interests of the Constitution and the public. 
  • pdh
    pdh Registered Users Posts: 31 ✭✭
    > The Engineers at Schneider and Outback have told me their web portals are very safe. I still wonder about it though. I monitor about 25 systems and although I can only read the data (The portals do not allow changing settings)  I do not know enough about the safety that I am told is designed in.  Comments on this?

    When they say their web portals are safe, what do they mean? Could be:

    a. They allow only SSL / HTTPS to communicate with the portal; and/or
    b. They use strong crypto once an SSL / HTTPS session has been established; and/or
    c. They don't store sensitive data unencrypted on their own machines; and/or
    d. They control and limit physical and network access to their web portal server machines; and/or
    e. They regularly apply security patches to their servers' operating system and to their web server; and/or
    f. Something else

    Just as a curiosity, I notice that www.outbackpower.com accepts HTTP (non-encrypted) access -- that is, you can access their site via http://www.outbackpower.com/.

    In contrast, try the steakhouse at http://www.outback.com. You'll see that the steakhouse automatically upgrades you to an encrypted HTTPS session -- that is, it re-directs you to https://www.outback.com (https, not http) and it presents an X.509 certificate from Entrust that gives you some assurance of who you're talking to.

    So as a very quick first impression, I'm more impressed with the web security at Outback Steakhouse than at Outback Power. (Although maybe their customer portal is locked down more tightly than their main web page is?)
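
The first-impression check pdh describes above (does plain HTTP get redirected to HTTPS, and who issued the certificate), as an added Python example that is not part of the original thread. The function names and the sample hosts, responses and certificate are constructed for illustration; only `probe()` touches the network.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

def _site(name):
    # Treat example.test and www.example.test as the same site.
    name = name.lower()
    return name[4:] if name.startswith("www.") else name

def upgrades_to_https(status, location, host):
    """True if a plain-HTTP response redirects to HTTPS on the same site."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlsplit(location)
    if target.scheme != "https" or not target.hostname:
        return False  # relative or http:// redirects stay unencrypted
    return _site(target.hostname) == _site(host)

def issuer_organization(cert):
    """Issuer organizationName from the dict returned by ssl getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def probe(host, timeout=5):
    """Live check (needs network access); does not follow the redirect."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    upgraded = upgrades_to_https(resp.status, resp.getheader("Location"), host)
    conn.close()
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = issuer_organization(tls.getpeercert())
    return {"host": host, "http_upgrades": upgraded, "issuer": issuer}

# Constructed sample data (not captured from any real site).
SAMPLES = [("shop.example", 301, "https://www.shop.example/"),
           ("plain.example", 200, None),
           ("odd.example", 302, "http://odd.example/home")]
SAMPLE_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example CA"),))}

def check_samples():
    return {host: upgrades_to_https(s, loc, host) for host, s, loc in SAMPLES}
```

Calling `probe()` with a hostname runs the same two checks live against that site.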

  • mike95490
    mike95490 Solar Expert Posts: 9,583 ✭✭✭✭✭
    Schneider is a large enough player, they have a functional security team and have found and eradicated malware in systems supported by them.


  • softdown
    softdown Solar Expert Posts: 3,812 ✭✭✭✭
    > mike95490 said:
    > Schneider is a large enough player, they have a functional security team and have found and eradicated malware in systems supported by them.

    That must have disappointed the NSA....having to step up their game a notch. Or..insert Chinese/Russian/Iranian NSA counterpart. 
  • Estragon
    Estragon Registered Users Posts: 4,496 ✭✭✭✭✭
    > @Dave Angelini said:
    > The Engineers at Schneider and Outback have told me their web portals are very safe. I still wonder about it though. I monitor about 25 systems and although I can only read the data (The portals do not allow changing settings)  I do not know enough about the safety that I am told is designed in.  Comments on this?

    Nothing is "safe" on a computer. That said;

    @pdh suggests ssl adds a level of security and it does, but only to the extent it can. It gives a warm fuzzy feeling by showing a padlock icon in a browser, but all that tells you is the site produced credentials approved by some (field settable) trusted authority, and the subsequent interactions with the site may have some (field settable) degree of encryption. It tells you exactly nothing about the security of the site itself.

    I don't know enough about how the portals are constructed to have a clue about whether security should be a concern. My guess is probably not - Outback et al would be open to nasty litigation if they did anything other than provide a way to upload and display info to a web page. If they incorporated any sort of field device writable capability, they deserve a cigarette and a blindfold. Schneider techs certainly aren't dumb, and likely don't smoke.