Manual:Security
This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer.
- All passwords on the router are hashed (SHA256) and encrypted (ECC);
- all RADIUS authentications (ssh,local,winbox,webfig,btest,telnet) will use MS-CHAPv2;
- WinBox uses EC-SRP5 for key exchange and authentication (requires latest WinBox version), both sides verify that other side knows password (no man in the middle attack is possible);
- WinBox in ROMON mode requires that agent is the latest version to be able to connect to latest version routers;
- WinBox uses AES128-CBC-SHA as encryption algorithm (requires new WinBox version);
- Bandwidht-test uses EC-SRP5 for authentication, older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
- MAC telnet uses EC-SRP5 for authentication, to connect to newer server, client needs to be upgraded;
- WebFig uses ECDH for encryption key exchange;
- Backup by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;