undefined | Better HN

0 pointsgruez5y ago0 comments

Many of the items on the checklist are questionable. eg.

>Can the wireless network(s) be scheduled to turn off at night and then back on in the morning?

This seems almost tin-foil hat level security. Nobody is wardriving at 3am and hacking into your wifi.

>Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.

How does this improve security? I guess you can use it to catch an attacker on the rare chance that they get access at the same time you're on the admin page, but that's not really worth considering.

>Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most important when using Remote Administration. An October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."

What's wrong with "admin" with a secure password?

0 comments

mikestew5y ago

I work on a product that allows "one user at a time". It's not a security issue, it's a "don't want to maintain a multi-user database for extremely small benefit" issue. There's no good reason to have multiple folks futzing with this thing's configuration, just like there's no good reason to have multiple folks futzing on your router. Most of the time my product or your router sits in an out-of-the-way place gathering dust, multi-user access is a laughably infrequent use case.

Now why the author calls this out is anyone's guess. Sometimes someone sees a product like what I work on, sees single-user, assumes "aha! Better security!" No, we're just lazy. If there's any additional security, that's gravy and not a design decision.

tyingq5y ago

I agree that the author seems over the top.

I do think "one logon at a time" might be a good idea, just not for security reasons. I suspect these routers don't do well with concurrent updates.

Changing the admin id would have the benefit of culling out noise. An unsuccessful login attempt to "myuniqueadmin" catches your attention as something meaningful.

j / k navigate · click thread line to collapse