wifi pwd stored in plaintext #4911
Comments
Do you mean Using the obfuscated password is only a help against a lazy intruder - I just copied the obfuscated string into the WLAN password box on my phone and was accepted onto the network.
The system should not be storing passwords where non-root users can read it. As pelwell points out, obfuscating the password is pointless - the real solution is to make the password completely inaccessible to non-root users. Debian and Ubuntu both use Network Manager, which handles the wifi passwords, and prevent non-root users from accessing the files which contain the wifi passwords. Raspberry Pi OS does not use Network Manager.
pelwell: I meant wpa_passphrase (and you are right, that doesn't help)
This is not the right repo, and not the right solution. We may switch to using Network Manager in the future, but doing so will invalidate a lot of tutorials.
Describe the bug
When I connect to WiFi, the WiFi password is stored in /etc/wpa_supplicant/wpa_supplicant.conf which is a security vulnerability that should be fixed.
If you need this:
Command used to ~~encrypt~~ obfuscate password is `wpa_supplicant [name] [password]`
(If not working try `wpa_supplicant essid [name] key [password]`)
Also if using wpa_supplicant make sure to strip line 3, it's the password stored in plaintext (but commented).
Steps to reproduce the behaviour
Device (s)
Raspberry Pi 4 Mod. B
System
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, f01430c9d8f67a4b9719cc00e74a2079d3834d5d, stage5
Logs
No response
Additional context
No response
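
Added example (not part of the issue thread or the project's code): a Python audit of a wpa_supplicant.conf for the two problems raised in this thread, read access for non-root users and stored credentials, including the commented plaintext on line 3. The sample uses the layout that `wpa_passphrase` prints; the SSID, the passphrase and all function names are constructed for illustration.

```python
import hashlib
import os
import re
import stat

def derive_psk(ssid, passphrase):
    """WPA/WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def sample_conf(ssid, passphrase):
    """Constructed network block in the layout wpa_passphrase prints."""
    return ('network={\n'
            f'\tssid="{ssid}"\n'
            f'\t#psk="{passphrase}"\n'
            f'\tpsk={derive_psk(ssid, passphrase)}\n'
            '}\n')

def audit_conf(text, mode):
    """Return findings for config text and the st_mode of the file holding it."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file readable by users other than the owner")
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.match(r'#\s*psk\s*=\s*"', s):
            findings.append(f"line {n}: commented plaintext passphrase")
        elif re.match(r'psk\s*=\s*"', s):
            findings.append(f"line {n}: plaintext passphrase")
        elif re.fullmatch(r'psk\s*=\s*[0-9a-fA-F]{64}', s):
            # The derived key is what the network checks, so it is still a credential.
            findings.append(f"line {n}: derived PSK, usable as a credential")
    return findings

def audit_file(path="/etc/wpa_supplicant/wpa_supplicant.conf"):
    """Audit a real file; reading it normally requires root."""
    with open(path) as fh:
        return audit_conf(fh.read(), os.stat(path).st_mode)

if __name__ == "__main__":
    # Constructed input: mode 0644 stands in for a file any local user can read.
    for finding in audit_conf(sample_conf("ExampleNet", "constructed-passphrase"), 0o644):
        print(finding)
```

A file with mode 0600 and the comment line stripped still reports the derived PSK, which is why the thread treats file permissions, not obfuscation, as the control that matters.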