From MikroTik Wiki
Jump to navigation Jump to search

This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer.

  • All passwords on the router are hashed (SHA256) and encrypted (ECC);
  • all RADIUS authentications (ssh,local,winbox,webfig,btest,telnet) will use MS-CHAPv2;
  • WinBox uses EC-SRP5 for key exchange and authentication (requires latest WinBox version), both sides verify that other side knows password (no man in the middle attack is possible);
  • WinBox in ROMON mode requires that agent is the latest version to be able to connect to latest version routers;
  • WinBox uses AES128-CBC-SHA as encryption algorithm (requires new WinBox version);
  • Bandwidth-test uses EC-SRP5 for authentication, older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
  • MAC telnet uses EC-SRP5 for authentication, to connect to newer server, client needs to be upgraded;
  • WebFig uses ECDH for encryption key exchange;
  • Backup by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;