byakuya32, Posted December 8, 2021

You should add password complexity and minimum length to stop family members from using too simple of passwords.

Luke, Posted December 8, 2021

Hi, yes, it's likely to be added in future updates. Thanks.

EricOnEmby, Posted December 10, 2021

Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

CloudWing93, Posted December 10, 2021

> 7 minutes ago, EricOnEmby said:
> Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

Features like this are usually configurable by the admin. Besides, if you want to use a weak kid password, just set up a PIN for your kids user that can be used on the local network.

crusher11, Posted December 11, 2021

> 10 hours ago, EricOnEmby said:
> Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

Hackers aren't going to care what your kids want to do.

Marijuana, Posted December 11, 2021

> 2 hours ago, crusher11 said:
> Hackers aren't going to care what your kids want to do.

LOL. Agreed, but honestly, if someone hacked your Emby server what could they possibly do besides watch The Price Is Right or some movies?

But for those who don't put a password for your kids, there are a few things you can do to at least better protect your server. First thing is don't use the word admin for your admin account; use something with numbers and letters mixed with some uppercase added for both admin and password. Hide all accounts from showing except the kids on your Emby login screen, set a limit to 1 connection, and disable that kids account from being able to change the password once set. Make sure the kids account has downloading disabled and any family photos disabled "for the paranoid". Do not allow the kids account to have any access to deleting content or management control whatsoever.

Reason hackers look for Emby servers: Unfortunately there will always be those who run port scanners or other methods to look for Emby for a number of reasons. They are looking for access to your admin panel to get your Emby Premiere keys, IPTV M3U links, download content or just to be a pain in the butt. If they only have access to a kids login to watch Barney or the Smurfs they will just move on.

EricOnEmby, Posted December 11, 2021

> 3 hours ago, crusher11 said:
> Hackers aren't going to care what your kids want to do.

I was talking about a use case where Emby is running inside the home network, where kids access Emby through the smart TV in the living room. If you want to expose Emby (or anything else) to the Internet as a whole, you really need to select strong passwords, or prepare to be hacked.

byakuya32 (Author), Posted December 11, 2021 (edited)

> 18 hours ago, EricOnEmby said:
> Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

I was referring to just having the option to turn this on. Just because it's a feature doesn't mean it would be forced to use, and it would just add the forcing of a capital letter, a number and a symbol, so that if a hacker gets in your network it slows them down where they may give up; if we really want to slow them down, MFA. This would be extremely useful when you have opened up the firewall and allow family to watch remotely. But it would be a checkbox you have to click to turn it on for your users, not forced. Some of us want our servers protected against hackers. It is your choice to not protect it.

Edited December 11, 2021 by byakuya32

Painkiller8818, Posted December 11, 2021

> 6 hours ago, Marijuana said:
> but honestly, if someone hacked your Emby server what could they possibly do besides watch The Price Is Right or some movies?

Depending on what account they are able to hack and the rights you configured for Emby on your storage, the hacker can delete all your movies and TV shows, as Emby in most cases has write permissions.

If you have a non-admin account that has been hacked, the hacker could download all your movies and shows, and this will mean your bandwidth is always fully under load. In case a normal user wants to watch a movie, there is no upload available because everything is already in use.

crusher11, Posted December 12, 2021

> 16 hours ago, EricOnEmby said:
> I was talking about a use case where Emby is running inside the home network, where kids access Emby through the smart TV in the living room. If you want to expose Emby (or anything else) to the Internet as a whole, you really need to select strong passwords, or prepare to be hacked.

So disable passwords on the LAN.

Happy2Play, Posted December 12, 2021

> 5 hours ago, crusher11 said:
> > 22 hours ago, EricOnEmby said:
> > I was talking about a use case where Emby is running inside the home network, where kids access Emby through the smart TV in the living room. If you want to expose Emby (or anything else) to the Internet as a whole, you really need to select strong passwords, or prepare to be hacked.
> So disable passwords on the LAN.

Yes, as you technically have 2 options: not required on LAN, or a PIN on LAN.

byakuya32 (Author), Posted December 16, 2021

> On 12/11/2021 at 9:27 AM, Painkiller8818 said:
> Depending on what account they are able to hack and the rights you configured for Emby on your storage, the hacker can delete all your movies and TV shows, as Emby in most cases has write permissions.
> If you have a non-admin account that has been hacked, the hacker could download all your movies and shows, and this will mean your bandwidth is always fully under load. In case a normal user wants to watch a movie, there is no upload available because everything is already in use.

Exactly, it depends on what account they get into. Even worse, if they get into the right account they can have full reign of the server if there are any back doors.

ebr, Posted December 16, 2021

> 8 hours ago, byakuya32 said:
> if they get into the right account they can have full reign of the server if there are any back doors.

I don't believe there is any way for this to happen. They could access your media and server settings and, if you allow deletion, then they could do that, which could be quite destructive, but I do not believe they could gain actual access to the machine.

Painkiller8818, Posted December 16, 2021

> 2 minutes ago, ebr said:
> but I do not believe they could gain actual access to the machine.

They don't need access to the machine. Actually, on every movie and show etc. in Emby as an admin, there is an option to delete, and this is the problem why we need the revamp of the user permissions, because this does not only delete the media file from the Emby library, it is deleting the media file from storage.

So all I need is an admin account with some magical secure password like 1234 or H4cker etc... so the attacker can delete everything from within the Emby web UI.

ebr, Posted December 16, 2021

> 30 minutes ago, Painkiller8818 said:
> Actually, on every movie and show etc. in Emby as an admin, there is an option to delete, and this is the problem why we need the revamp of the user permissions, because this does not only delete the media file from the Emby library, it is deleting the media file from storage.

> 35 minutes ago, ebr said:
> if you allow deletion, then they could do that, which could be quite destructive

You can disable delete functionality for your users if you wish.

Happy2Play, Posted December 16, 2021

And if you choose to give your admin account remote access, it is upon you to ensure the admin account has a strong password? For users it only matters if you allow users to Delete.

Painkiller8818, Posted December 16, 2021

> 53 minutes ago, Happy2Play said:
> And if you choose to give your admin account remote access, it is upon you to ensure the admin account has a strong password?

The long requested MFA feature would do that.

ebr, Posted December 17, 2021

> 16 hours ago, Painkiller8818 said:
> The long requested MFA feature would do that.

But it is also completely within your power now to do that. You are asking for us to make it harder to use the system in order to "protect" people from themselves. We have to weigh that type of thing carefully against the ease of use of the system. You, as a server owner, are completely in control of just how secure your installation is already.

Now, having said that, I think a request like this one (enforcing complex passwords) is potentially useful, but I think it should be optional so that people can remain in control of just how easy their system is to use vs how secure it is.

Painkiller8818, Posted December 17, 2021 (edited)

Sure, it is something optional, but also something that's getting more and more a basic feature on most services. Having a good and secure password is not as secure as many people think, seeing a lot of vulnerabilities etc. A hacker can find a way, and the complexity of the password is worth nothing in such a case.

2FA/MFA makes it much harder to bypass this, because there are only 2 ways to bypass or, let's say, hack 2FA/MFA atm, and this would be a cookie/session hijack while I am in the same network, or getting physical access to your MFA device (phone in most cases).

Hacking a password of a normal Emby server with the out-of-the-box solutions Emby provides is much simpler than you may think. A dictionary attack with a large list and a good GPU which makes 60K to 100K pw/s will do the job in most cases, depending on the list. As far as I know Emby doesn't support blocking for 5 mins after 3 or 5 failed logins out of the box etc., so having 2FA/MFA would help extremely to prevent something like that.

Sure, the weakest factor is the human itself, but you also never have revamped the user permissions etc., which in my opinion is not a "feature request"; it is more like a security thing and should get more priority over fixing some subtitle things. It would be great to see these security-related things having more priority over some small visual things.

Edited December 20, 2021 by Painkiller8818

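As an added example (not part of any post in this thread and not Emby's code), the Python below shows the two server-side controls discussed above: the opt-in complexity rule byakuya32 describes (capital letter, number, symbol, minimum length) and the temporary block after repeated failed logins that Painkiller8818 mentions. All class and function names, the 12-character default and the 5-failures-in-300-seconds threshold are assumptions chosen for illustration.

```python
from __future__ import annotations
import string
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    """Opt-in policy: with enabled=False any password is accepted."""
    enabled: bool = False   # the admin "checkbox" from the thread
    min_length: int = 12    # assumed default, not an Emby setting

    def violations(self, password: str) -> list[str]:
        if not self.enabled:
            return []
        checks = [
            (len(password) >= self.min_length, f"at least {self.min_length} characters"),
            (any(c.isupper() for c in password), "a capital letter"),
            (any(c.isdigit() for c in password), "a number"),
            (any(c in string.punctuation for c in password), "a symbol"),
        ]
        return [need for ok, need in checks if not ok]

@dataclass
class LoginThrottle:
    """Refuses logins for a key once max_failures fall inside the window."""
    max_failures: int = 5
    window_seconds: float = 300.0   # "block for 5 mins"
    _failures: dict = field(default_factory=dict)  # key -> failure times

    def is_locked(self, key: str, now: float) -> bool:
        # `now` is a monotonic clock reading, e.g. time.monotonic()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window_seconds]
        self._failures[key] = recent  # forget failures older than the window
        return len(recent) >= self.max_failures

    def record_failure(self, key: str, now: float) -> None:
        self._failures.setdefault(key, []).append(now)

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)

def attempts_checked(throttle: LoginThrottle, key: str, attempts: int, interval: float) -> int:
    """Count wrong guesses (one per `interval` s, constructed timeline) that reach the password check."""
    checked = 0
    for i in range(attempts):
        now = i * interval
        if throttle.is_locked(key, now):
            continue  # rejected before any password comparison
        checked += 1
        throttle.record_failure(key, now)
    return checked
```

With these assumed thresholds, 1000 guesses at one per second result in only 20 password comparisons. Keying the throttle on account plus client address, rather than account alone, limits how easily someone else can lock a legitimate user out.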
AnomalousTech, Posted December 30, 2021

+1 to this. I would like to be able to set a complexity requirement. I used to use the AD plugin for this reason alone. However, it didn't work as expected at all times.

I'd also like to see 2FA/MFA as an option. Use with Google Authentication or some other app-based 2FA. Doesn't need to be text or email. I suppose email would be okay if someone wants to add SMTP settings.

ginjaninja, Posted December 30, 2021

Not a complete solution, but this option goes some way.