Just to let anyone who cares about security know. Some of the files in the config backup contain PLAIN TEXT passwords.

I assumed (wrongly) that a manufacturer of a VPN and Firewall would have had a reasonable grasp of the importance of security. It's 2013 not the 1990's. I'm gob-smacked.

The file I found is the ddns file in the backup config at \etc\persistence\config\.

I don't know if there are more files like this as my 2960 is so minimally configured ('cos it doesn't work) that it is impossible to set other config that may use passwords.

FInally -- remember - Plain Text Passwords!!! - When Draytek Support ask you to send in a copy of your config, just changing the login passwords is not enough. You should consider changing every password in your config, saving the backup file for Draytek, and then reverting to a perviously saved config.

Because I sent my config to support... now all I have to do is change all the passwords on the external services that I might have plugged into the 2960 and update all my other systems... that should be fun :oops:

As the config is human readable (as opposed to binary) which allows editing, 3rd party scripting etc, what would you expect the passwords to look like?

The passwords cannot be encrypted with a one way hash because then the router would not be able to use the passwords when needed.

admin wrote: As the config is human readable (as opposed to binary) which allows editing, 3rd party scripting etc, what would you expect the passwords to look like?

The passwords cannot be encrypted with a one way hash because then the router would not be able to use the passwords when needed.

Good grief. If you're going to try and defend DrayTek's entirely indefensible storing of passwords in this way, at least try to ensure you know even the slightest thing about security techniques in the first place. Your response is laughable, I'm afraid.

Thank you cocospm. You put it very well.

cocospm wrote:
Good grief. If you're going to try and defend DrayTek's entirely indefensible storing of passwords in this way, at least try to ensure you know even the slightest thing about security techniques in the first place. Your response is laughable, I'm afraid.

You can respond aggressively and rudely or you can explain what you mean and what you expected. I'm not 'defending' anyone; just asking a question.

So, again, how would you want/expect passwords to be stored in a script/config (non-binary) file?

If you send support a config, why are you 'horrified' that it contains your config? What did you think it contained?

You can take my posting any way you like. You didn't ask me to explain what I meant, because I hadn't even posted to this thread - go read things again. You might have asked the original postser (jamessp1), but it would appear he is as shocked as I was.

For someone - in your case the admin of this forum, no less - to make such a completely uninformed and ridiculous post required, I felt, such a dismissal. It happened to be me who made this point, but it could well have been anyone else.

If I sent a config file to Draytek I would expect it to contain, er, the router's configuration, with the passwords suitably encrypted. There is no need whatsoever for Draytek to know my passwords, and there is no reason whatsoever why a router would need to store my passwords in their original or, indeed, recoverable, form. If you believe otherwise then, please, enlighten us all - with specifics - to your greater security knowledge.