
Disable password on local network missing



reggierat

Not sure if I'm going crazy... but didn't there used to be an option to remove passwords on the local network?

 

Version 4.8.1.0

 


crusher11

It's been removed because it was a gaping security hole and led to thousands of servers getting hacked. There are dozens of threads about it.


@reggierat have you checked out the new profile pin feature? With this you only need to sign in once, then you can use a quick pin when you return to an app.

Does this help?


reggierat

Is profile pin a replacement for the old feature?

I'd prefer to just not sign in on the local network if possible, but pin will work too I guess.


8 hours ago, reggierat said:

Is profile pin a replacement for the old feature?

I'd prefer to just not sign in on the local network if possible, but pin will work too I guess.

@reggierat But signing in just once and then having the app remember isn't so bad, right?

  • Agree 1

TeamB
1 hour ago, Luke said:

@reggierat But signing in just once and then having the app remember isn't so bad, right?

I think you guys are over emphasising (suggesting) the PIN feature.

Some people just want a passwordless log in experience on their local networks. All you need to tell people is that all clients should now remember your password so you don't have to enter it every time, just the first time.

The PIN is an optional feature you can add to your login to add a barrier to other users of your household from accessing your account, add a PIN like 1234 to stop kids using your parent account etc.

  • Like 1
  • Agree 6

rbjtech
10 minutes ago, TeamB said:

I think you guys are over emphasising (suggesting) the PIN feature.

Some people just want a passwordless log in experience on their local networks. All you need to tell people is that all clients should now remember your password so you don't have to enter it every time, just the first time.

The PIN is an optional feature you can add to your login to add a barrier to other users of your household from accessing your account, add a PIN like 1234 to stop kids using your parent account etc.

Would tend to agree.

This doc is a little confusing imho ... and really not helping matters ... 🤪

https://emby.media/support/articles/Passwords.html

You don't even need to mention the word PIN in the password section - but you do need to emphasise that you just need to login once and make it clear that if you do not logout, then you never need to enter a password again...    That will satisfy the majority of these users.

On another section after saying the above - maybe labelled as 'Optional Protection on your account' THEN specify that you can use a PIN - but it's then clear it's Optional. I expect most users that previously had no passwords, will simply not care about this - and will stop reading... Maybe even put it as a separate document that you need to click on to get to ..

Edited by rbjtech
  • Agree 2

3 hours ago, rbjtech said:

but you do need to emphasise that you just need to login once and make it clear that if you do not logout, then you never need to enter a password again

Quote

By default all Emby apps will require authentication on each device ONCE per user. After that, the credentials will be remembered on that device enabling easy switching between profiles. If you have a shared device where you wish to secure access to one or more users that have been authenticated, you can set a PIN code for that user and then require that PIN be entered any time someone attempts to login or switch to that user.

Isn't that doc saying exactly what you said it should...?


seanbuff
1 hour ago, ebr said:

Isn't that doc saying exactly what you said it should...?

Yes, but to make it really clear, as this isn't the first time this has come up

Perhaps you could move the highlighted portion to the above "Password" section, and then add (optional) to the "Profile PIN" section to make it super clear that it's not a requirement.


  • Like 1
  • Agree 2
  • Thanks 1

14 hours ago, seanbuff said:

Perhaps you could move the highlighted portion to the above "Password" section, and then add (optional) to the "Profile PIN" section to make it super clear that it's not a requirement.

I like it.  Done.

  • Thanks 1

jiggity
On 16/02/2024 at 12:19, TeamB said:

Some people just want a passwordless log in experience on their local networks. All you need to tell people is that all clients should now remember your password so you don't have to enter it every time, just the first time.

That is still possible, so long as you are making those passwordless accounts LAN only access.

You need to set the LAN netmask in emby network settings, and then make sure any LAN accounts created are NOT set to have remote access, or management. Add any further restrictions you require, like parental controls and you now have a LAN only account that you can use with no password.
Hide these users from remote login screens as a precaution and off you go.

The ones I created prior to 4.8 still work no problem, and I have tested new ones, this still works.

If you want an account that has LAN and remote access you will require a password.
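
The LAN-only rules described in the post above can be checked mechanically. The following is an added example, not part of the original thread and not Emby's code; the `Account` fields and the sample data are hypothetical, and it assumes an IPv4 LAN.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: a "LAN" definition wider than these lets outside clients count as local.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Account:
    """Hypothetical account record; field names are illustrative, not Emby's schema."""
    name: str
    has_password: bool
    remote_access: bool
    is_admin: bool
    hidden_on_remote_login: bool

def lan_scope_ok(lan_networks):
    """True only if every configured LAN network (IPv4) sits inside private address space."""
    nets = [ipaddress.ip_network(n, strict=False) for n in lan_networks]
    return all(n.version == 4 and any(n.subnet_of(p) for p in RFC1918) for n in nets)

def is_lan(client_ip, lan_networks):
    """True if the client address falls inside one of the configured LAN networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in lan_networks)

def audit(accounts):
    """Return {name: [issues]} for passwordless accounts that break the LAN-only rules."""
    findings = {}
    for a in accounts:
        if a.has_password:
            continue  # accounts with a password may have LAN and remote access
        issues = []
        if a.remote_access:
            issues.append("remote access enabled")
        if a.is_admin:
            issues.append("management rights")
        if not a.hidden_on_remote_login:
            issues.append("visible on remote login screen")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample data, not taken from any real server.
SAMPLE = [
    Account("living-room", False, False, False, True),
    Account("kids", False, True, False, False),
    Account("admin", True, True, True, True),
]
```
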


johenning
On 2/16/2024 at 8:28 AM, crusher11 said:

It's been removed because it was a gaping security hole and led to thousands of servers getting hacked. There are dozens of threads about it.

Was it turned on by default, or how was it a security hole?

I don't like the removal, spent an hour debugging my network config before I realized the feature got dropped. Why not put a big disclaimer on it?
My server isn't exposed publicly, but I still like to have passwords. The passwords only get used if connected via the VPN. Now I have to remove them entirely to get the previous flow back. So in fact it will now be less secure.


1 hour ago, johenning said:

Was it turned on by default, or how was it a security hole?

I don't like the removal, spent an hour debugging my network config before I realized the feature got dropped. Why not put a big disclaimer on it?
My server isn't exposed publicly, but I still like to have passwords. The passwords only get used if connected via the VPN. Now I have to remove them entirely to get the previous flow back. So in fact it will now be less secure.

Why not just give them passwords? Then in Emby apps you only have to sign in once and your authentication will be remembered. Is once too much?


johenning
16 hours ago, Luke said:

Why not just give them passwords? Then in Emby apps you only have to sign in once and your authentication will be remembered. Is once too much?

No apps, browsers. And not just my devices, the devices of my family who I have a hard enough time to get to remember it's called "emby", never mind passwords.


On 2/19/2024 at 7:17 AM, johenning said:

No apps, browsers. And not just my devices, the devices of my family who I have a hard enough time to get to remember it's called "emby", never mind passwords.

You could help them sign in one time though, right?


flipside
On 18/02/2024 at 18:05, johenning said:

Was it turned on by default, or how was it a security hole?

I don't like the removal, spent an hour debugging my network config before I realized the feature got dropped. Why not put a big disclaimer on it?
My server isn't exposed publicly, but I still like to have passwords. The passwords only get used if connected via the VPN. Now I have to remove them entirely to get the previous flow back. So in fact it will now be less secure.

Same here, and it's doubly odd though, as I didn't set any passwords, except for my admin account, and everyone's being asked, which has caused a whole bunch of confusion.

The change also seems to have broken the 'fix' for showing the user screen on open of the app on my LG TV, unticking remember me, as this now means the password is needed on each login whereas previously it wasn't. Do I now need to create a password for all the users and log them in to each device with the remember me option ticked? Will that work with the user choice screen?


flipside

Do I now need to create a password for all the users and log them in to each device with the remember me option ticked? Will that work with the user choice screen?

OK, so no, that didn't work. I reset the password for the standard users to blank and they can log in with it going back to the user choice screen on exit. However, if I log in I have to set it to remember me, and if I do that it's always logged in as me until I log out, and then I have to enter the password again.

Without the user choice on startup option as per AndroidTV, I guess the only option for me, if I don't want to keep logging out/in, is to remove the password on my account and set up a separate admin account.

Edited by flipside

darkassassin07

When you start the app and it asks for your pin: Don't logout, just select your user icon in the top right and select 'switch user'.

 

Ideally the app would load the user select screen instead of the last user, but it doesn't.

  • Like 1

rbjtech
11 hours ago, flipside said:

Without the user choice on startup option as per AndroidTV, I guess the only option for me, if I don't want to keep logging out/in, is to remove the password on my account and set up a separate admin account.

I'm really not sure why the single click 'user selection' option like AndroidTV has was not implemented as part of the new login process on all the clients before the back end change was enforced.

For multi-user devices, it is the obvious way to login, as you never know who is going to be using the device. Once logged in (once) it remembers the password and thus replicates the convenience of 'no password' that everybody wants and for those that have child/adult logins, the optional PIN protects those accounts with a simple 4 digit pin only. It now even works on remote devices. Everybody wins.

I believe @Luke said this is coming to all clients - but so far it's just Emby Theatre, Android TV and Web/Browser?

 


rbjtech
11 hours ago, flipside said:

Without the user choice on startup option as per AndroidTV, I guess the only option for me, if I don't want to keep logging out/in, is to remove the password on my account and set up a separate admin account.

Which you should probably do anyway as it's good practice.   You will also get the option to remove remote access from the admin account if you have no need for that.   It will probably be easier to clone the Admin user, keep the clone as Admin, remove the remote access, then rename the old Admin account to your normal user and then remove Admin permissions.   That way, you retain the watch states as the 'copy/clone' feature only copies the settings, not the watch state for obvious reasons.


reggierat

I must've been living under a rock to not hear about the security issues/breach.

In light of this, then the current solutions are perfectly fine.


serpi
On 2/16/2024 at 6:48 PM, Luke said:

@reggierat But signing in just once and then having the app remember isn't so bad, right?

Entering a complex password even once with a tv remote (that has no number pad) is really bad.

And this is for every single device and every single user.

Just give us the option back and put a big security warning on it.

  • Disagree 1
  • Agree 2

iiiJoe
6 minutes ago, serpi said:

Entering a complex password even once with a tv remote (that has no number pad) is really bad.

And this is for every single device and every single user.

Just give us the option back and put a big security warning on it.

Just curious, you’re using Emby as TV app?
