Idea: GUI switch for pure WPA3 WiFi networks
#17
(03-17-2025, 12:21 PM)Tim Curtis Wrote:
(03-17-2025, 07:25 AM)the_bertrum Wrote:
(03-16-2025, 12:40 PM)TheOldPresbyope Wrote: Only root can read/write the NetworkManager connection profiles.

The insecurity issue here is that moOde’s default user is a “sudoer”. Keep your login credentials safe, just as you should for any computer connected to a network.

Regards,
Kent

Yeah, that's the bit I find disturbing. Fair enough that just knowing the password won't let you decrypt in-flight traffic, but it does allow you to connect to the network as if you had every right to be there.

Well, I don't have WPA3 and won't be upgrading any time soon, so it's academic really :)

Since WPA3-SAE requires a plaintext password instead of a one-way hash like WPA-PSK, it makes it impossible to store it securely, because to do so requires that the plaintext can't be recovered, i.e., it has to be converted to a one-way hash.

One thing that could be done is to never display the password for WPA-SAE. It would always need to be entered when saving the Network Config form. This at least keeps it out of easy browser console inspection. Someone would then need to know the logon password for the Pi in order to view it, which, like knowing the password for any OS, gives you access to lots of things.

There may be other approaches.

The fine people who developed the WPA3 protocols will know a darn sight more about security than I do, so I'm sure they would not have done this if it introduced anything insecure. It just doesn't "feel" right to someone who's been repeatedly thumped for storing passwords in clear throughout his career :)
----------------
Robert
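
The storage difference discussed in this thread, as an added example that is not part of any post and is not moOde's code: it derives the WPA2-Personal key with the standard PBKDF2-HMAC-SHA1 parameters and classifies what a NetworkManager keyfile profile keeps on disk. The function names and the two sample profiles are constructed for illustration; the `[wifi-security]` keys `key-mgmt` and `psk` follow NetworkManager's keyfile format.

```python
import configparser
import hashlib
import re

def wpa2_psk(passphrase: str, ssid: str) -> str:
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def audit_profile(keyfile_text: str, file_mode: int = 0o600) -> dict:
    """Classify how a NetworkManager keyfile profile stores its Wi-Fi secret."""
    # interpolation=None so a '%' inside a passphrase is read literally
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(keyfile_text)
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback="none")
    psk = cp.get("wifi-security", "psk", fallback=None)
    if psk is None:
        stored = "not-in-file"
    elif key_mgmt != "sae" and re.fullmatch(r"[0-9a-fA-F]{64}", psk):
        stored = "derived-psk"   # passphrase is not recoverable from the file
    else:
        stored = "plaintext"     # SAE needs the passphrase itself
    return {
        "key_mgmt": key_mgmt,
        "stored": stored,
        "passphrase_recoverable": stored == "plaintext",
        # Either stored form is enough to join the network
        "grants_network_access": stored != "not-in-file",
        "others_can_read": bool(file_mode & 0o077),
    }

# Constructed sample profiles (not taken from a real system)
WPA2_PROFILE = f"""[wifi]
ssid=IEEE

[wifi-security]
key-mgmt=wpa-psk
psk={wpa2_psk("password", "IEEE")}
"""
SAE_PROFILE = """[wifi]
ssid=IEEE

[wifi-security]
key-mgmt=sae
psk=password
"""

if __name__ == "__main__":
    for name, text in (("wpa2", WPA2_PROFILE), ("sae", SAE_PROFILE)):
        print(name, audit_profile(text))
```

In both cases the file permissions carry the protection: the derived key hides the passphrase but still works as a credential for that SSID.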