Is my WiFi password safe in OctoPi  

ales.f
(@ales-f)
Active Member

The setup instructions for OctoPi ask you to enter your SSID and WiFi password in octopi-network.txt. At that point, the password is obviously stored as clear text. Does OctoPi encrypt the password after first boot or is it always stored as clear text? If it's stored as clear text forever, isn't it unsafe?

...
Posted : 03/05/2017 6:20 pm
christophe.p
(@christophe-p)
Member Moderator

Yes it is,

So it could be done by publishing the OctoPrint on the internet with a poor security level (that would not be really useful for remote users; the indirect attack he can do then can be way more dangerous) or by accessing the local network (cracking the WiFi password or connecting directly through Ethernet). In addition, you'll need to have the credentials to connect to the SSH, or simply to have physical access to the SD card.

So in my opinion, if a hacker is in position to read this file, it's way too late to make access to this password really important.

Finally, IMHO, Octoprint is a server, so should be connected through Ethernet, period 🙂

I'm like Jon Snow, I know nothing....
Posted : 04/05/2017 3:29 pm
maximilian.r
(@maximilian-r)
Estimable Member



Finally, IMHO, Octoprint is a server, so should be connected through Ethernet, period 🙂

I will ask my neighbor if he minds an Ethernet cable through his living room 😉

(I live on the second floor and the printer is in the basement)

...
Posted : 04/05/2017 4:16 pm
ales.f
(@ales-f)
Active Member

Yeah, I see your point that when a hacker has access to the TXT file it's too late to worry about WiFi password security. Still I don't like the idea of storing the password in clear text. I'll run an Ethernet cable to the printer room. Unlike Maximilian, I can drop an Ethernet cable from the attic because the printer is on the second floor.

...
Posted : 05/05/2017 1:37 am
Mario
(@mario)
Eminent Member

Don't worry too much about it. Your regular WiFi configuration (e.g. WPA supplicant) would also be stored in a plain text file.

Also check your WiFi router's settings. Some manufacturers (like AVM) add an option to only allow known devices into the wireless network.

Last but not least, every important/security related communication (like online banking, online payment, etc.) should be handled using SSL anyway, so even if someone is able to intercept packets and be able to decrypt them, they'd still have to overcome the SSL encryption as well.

...
Posted : 05/05/2017 3:48 pm
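
Added example, not part of any post in this thread: wpa_supplicant, which Mario mentions, also accepts the 64-hex-digit key derived from the passphrase and SSID (the value the wpa_passphrase tool prints) in place of the quoted passphrase, so the file need not hold the passphrase itself, although the derived key still grants access to that one network. The Python below rewrites a constructed sample config that way; `harden_config` and the sample values are illustrative names, and the thread does not say whether octopi-network.txt accepts the hex form.

```python
import hashlib
import re

def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()

# Simple matchers for wpa_supplicant.conf network blocks (no nested braces expected).
NETWORK_BLOCK = re.compile(r"network=\{.*?\}", re.S)
SSID_LINE = re.compile(r'^[ \t]*ssid="(.*)"[ \t]*$', re.M)
PSK_LINE = re.compile(r'^([ \t]*psk=)"(.*)"[ \t]*$', re.M)

def harden_config(text: str):
    """Replace each quoted psk="..." with its derived hex key.

    Returns (new_text, list_of_ssids_changed). Blocks that already hold a
    hex key, or that have no psk line at all, are left untouched.
    """
    changed = []

    def fix_block(match):
        block = match.group(0)
        ssid = SSID_LINE.search(block)
        psk = PSK_LINE.search(block)
        if not (ssid and psk):
            return block
        key = derive_psk(ssid.group(1), psk.group(2))
        changed.append(ssid.group(1))
        return PSK_LINE.sub(lambda p: p.group(1) + key, block)

    return NETWORK_BLOCK.sub(fix_block, text), changed

# Constructed sample input (SSID and passphrase are test values, not real ones).
SAMPLE = '''ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={
    ssid="IEEE"
    psk="password"
}
'''

if __name__ == "__main__":
    new_text, ssids = harden_config(SAMPLE)
    print(new_text)
    print("rewritten networks:", ssids)
```

The config file should still be readable by root only, since anyone holding the derived key can join the network.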