DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2960 - Passwords stored in PLAIN TEXT in your config files

19 Jun 2013 09:42 #76691 by admin
To be clear, my original question was genuinely intended to cause an elaboration, and was not intended to endorse or excuse any current methods. You can read "What would you expect?" in one of two ways, one being a sarcastic way, which was not intended. I literally meant 'what would you expect' as in 'how would you want it presented'. You will see this often here and the purpose is to garner further information - DrayTek do not participate formally here, it's a user forum but they DO read it, so adding information to a comment/complaint is useful because if they are reading, they will understand the point better. Jamesp1, I do not accept your summary of what I said or thought - you have jumped to lots of incorrect conclusions, but I think you won't change your mind.

Complaining that someone commented on a public thread is bogus; any user is welcome to comment on a topic or ask about it, not just if they have an 'answer'. It's fine to correct a technical error that another user has made (or even not made, but you misinterpreted) but ad hominem personal attacks or criticism of other users or moderators are not productive and will not be accepted. Saying To be clear, healthy courteous or even robust debate is fine. "You're wrong" is fine.



Forum Administrator

21 Jun 2013 11:18 #76748 by jamessp1
As far as I can see, the files that are exported in the 2960 router config which contain plain text passwords are:

Code:
\etc\persistence\config\network
\etc\persistence\config\appuser
\etc\persistence\config\mail_alert
\etc\persistence\config\device_info
\etc\persistence\config\cwmp
\etc\persistence\config\vpn_server_secret_config


I might be wrong, because I have not configured every part of my 2960 to see if the passwords are stored in clear text or not, but from now on when I send in my config to support I will be changing these password entries manually.

Hope this helps other people worried about PII exposure.

Admin - Please don't continue to delete posts on this thread. You are denying the opportunity for other users to decide for themselves whether views are relevant and authors credible. It's an important part of forum participation that everyone can offer views, defend positions and demonstrate technical competence without such needless censorship.
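
As an added example (not part of the original post and not DrayTek's code), here is one way to automate the manual redaction described above before an export is sent to support. It assumes the export has been unpacked to a directory and that secrets sit on text lines shaped like `key = value`, `key: value` or `key value`; the thread does not show the file format, so the pattern, the key names and the placeholder are assumptions.

```python
import re
from pathlib import Path

# File names from the list in the post above, relative to the unpacked export.
CONFIG_DIR = Path("etc/persistence/config")
SENSITIVE_FILES = ["network", "appuser", "mail_alert", "device_info",
                   "cwmp", "vpn_server_secret_config"]
PLACEHOLDER = "<REDACTED>"  # hypothetical marker, not a DrayTek convention

# Assumed line shape: optional "option " prefix, a key whose name contains a
# secret-like word, a separator (=, : or whitespace), then a non-empty value.
SECRET_LINE = re.compile(
    r"^(\s*(?:option\s+)?[\w.-]*(?:password|passwd|secret|psk)[\w.-]*"
    r"(?:\s*[=:]\s*|\s+))(\S.*)$", re.IGNORECASE)

def redact_text(text):
    """Return (redacted_text, count); original line endings are preserved."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = SECRET_LINE.match(body)
        if m and m.group(2) != PLACEHOLDER:
            out.append(m.group(1) + PLACEHOLDER + line[len(body):])
            count += 1
        else:
            out.append(line)
    return "".join(out), count

def redact_export(root):
    """Redact the listed files in place under root; return {file name: count}."""
    report = {}
    for name in SENSITIVE_FILES:
        path = Path(root) / CONFIG_DIR / name
        if not path.is_file():
            continue  # not every export contains every file
        # latin-1 round-trips every byte, so non-text bytes are left untouched
        new, n = redact_text(path.read_bytes().decode("latin-1"))
        if n:
            path.write_bytes(new.encode("latin-1"))
        report[name] = n
    return report

if __name__ == "__main__":
    # Constructed sample lines, not taken from a real 2960 export.
    sample = "username = admin\npassword = hunter2\nvpn_psk: s3cret value\n"
    print(redact_text(sample)[0], end="")
```

Run it on a copy of the export and check the per-file counts: a zero for a file you know holds a password means the assumed line pattern does not fit that file.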

21 Jun 2013 14:28 #76752 by admin
Having checked, there are plans to improve the mechanism and storage method but there isn't a release date/schedule for that but it is being worked upon. I guess it will use something like the master password method I mentioned earlier, but don't know for sure.



Forum Administrator

22 Nov 2013 12:44 #78342 by jamessp1
6 months on.... No change. Passwords still stored in clear in the 2960.

Product Management - Do you have a roadmap and have you read "basic application security for dummies" yet?

02 Dec 2013 16:59 #78405 by destroyer
I for one like my passwords stored in clear text, that way I can see what the hell is going on in my backup file.

For God's sake, create a backup and then encrypt it yourself, hardly rocket science. This is nothing unique to DrayTek by the way. Pretty much all home-small office grade routers store the passwords in clear. You are making quite a fuss here. Your backups are sensitive data end of, regardless of whether the password is scrambled or not.

02 Dec 2013 17:18 #78406 by admin
I think it is due to be changed shortly; not sure on exact firmware version though. That said, you can't please everyone. I can see it would be jolly useful to be able to enter passwords by an automated tool which writes tests files in clear text... maybe it will accept clear text but output encrypted...



Forum Administrator
