Global User Security Settings - Force Password and Hide Profiles

BAlGaInTl
Posted

In tweaking my server a bit over the last few days, and in reading and replying to some posts here, a couple of (what seem to me) rather simple security enhancements came to mind.

 

1. Option to require password. This could be both a global or individual user setting.

 

It doesn't have to change the behavior of anything else. Actually... I couldn't believe this wasn't there somewhere. Am I missing it? Couldn't a user just delete their own password and open a security hole?

 

2. Global option to hide profile pictures/login.

 

Right now, the only way to do this is per user, which is fine for someone like me that only has 5

 

It doesn't seem like these would be difficult changes unless I'm missing something.

  • Like 4
  • Disagree 1
  • Agree 5
Posted

Yes, good ideas, thanks.

BAlGaInTl
Posted (edited)

Yes, good ideas, thanks.

I thought so... So I created this thread.

 

Don't worry... I searched first.

 

:)

Edited by BAlGaInTl
crusher11
Posted

Related to this I wouldn't mind being able to connect a local user with a remote user, so we can go password-free locally (to have one account per household member) but still get into the same account (with the same Continue Watching, etc) remotely with a password. Unless there's a way to do that already?

  • 6 years later...
Posted

As this has been shut down by @ebr

 I will continue here...

And I will strongly encourage anyone to support this.

As we are seeing an influx of users getting compromised by bad actors.

Why should Emby not impose a password policy?

Or at least impose passwords on Emby Connect accounts, since they need to be created locally first.

But don't need a local password.

 

This gives the admins a FALSE sense of security, it being an Emby Connect account.

But in fact, if configured wrong!!

Leaves the door right open.

As seen below, in at least 1 example.

 

I know I have asked this before, but the vote is still no.

1) This one is from this morning.

I suspect this is the case, need confirmation.

2) This one is earlier this year.

Had not set a password when setting up Emby Connect accounts.

TBH, we as users: "Admins don't get any warning when NOT doing so."

So how would this admin know?

And I guess this is just the tip of the iceberg.

Not all admins would confess to this.

 

Posted

@ebr I see this as an escalating issue for none-the-wiser newcomers to your software.

To put this bluntly, you are NOT helping anyone or Emby by not imposing this FR.

All bad rep will fall back on Emby if not set in stone.

Please demand a password on admin-enabled accounts.

These last 2 months I have seen the 2 above admins not knowing what's going on.

It's both stupid and dangerous not to do so.

Issues following this can be:

Loss of data.

Loss of years of custom artwork procurement.

The one that would strike me the worst is this:

"Loss of Premiere license, sold to the highest bidder."

 

But you as a company couldn't care less, I guess.

If it's a lifetime license, the admin has 2 options: ask you to renew the license key and confess to bad security,

or just buy a new license.

 

In this oh-so-real scenario, what would you tell the admin?

We will:

1) create a new license and cancel the old key?

2) Buy a new one and don't look back?

  • Agree 1
Gilgamesh_48
Posted

While some enhancements to security are, maybe, a good idea, they should allow all "enhancements" to be turned off and they should default to off. 

I do not allow and do not want any "remote access" and I do not want to have to jump through any hoops to keep running the way I am. 

I do not believe I need any extra security as my network is locked down quite well and the only way anyone has any access to my computers or devices or network is either to hack my wireless network, very unlikely, or break into my home. The former is highly unlikely and, if the latter happened, then I would have many more problems than the security of Emby. 

I do NOT object at all to added security but I do object to forced security. 

Posted

I'll be happy if Emby enhances security.

Posted (edited)

Emby and security have a love/hate relationship. A 'scare' happened a while ago where their lack of modern auth caused 'local' accounts to be accessible remotely and thus 'hacked' (there was no evidence anything was done beyond Emby itself), but they did improve various things (I'll find the list shortly..). One thing they never completed, despite being an obvious omission to even 'basic' security, is the lack of a password policy and password enforcement.

I totally 'get' that users may not want passwords on a local install, but as soon as you allow remote connectivity you change the risk in using Emby significantly, and thus the wizard should force a password check/update on all existing and any future accounts. For each admin account, it should force something half decent to stop brute force (remembering, strangely, that Emby DID implement password lockout first..), and for normal users a 'short' password is probably ok, but something is better than nothing, remembering an attacker does not know the entropy of the password used. But simply put: do not allow no passwords when Emby has a gateway into your home network from the open internet.

Let me find the list. They started working through it and were doing well, but progress then stalled/stopped...

Edited by rbjtech
  • Agree 2
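The policy described above (no password tolerated only on a local-only account; anything reachable remotely needs one, and admin accounts need something stronger), as an added example in Python that is not part of this thread and not Emby's own code. The user-record fields it reads (Name, HasPassword, ConnectUserName, Policy.IsAdministrator, Policy.EnableRemoteAccess, Policy.IsHidden) are modelled on what an Emby /Users listing exposes, but that mapping is an assumption here, as are the length and character-class thresholds; the sample records are constructed. It goes a little beyond the post by also flagging the Emby Connect case raised earlier in the thread (Connect-linked account with an empty local password) and accounts that are still listed on the login screen while remote access is on.

```python
"""Audit user records for the password gaps discussed in the thread.

Added example, not Emby's code. Field names and thresholds are assumptions.
"""
import re
from dataclasses import dataclass

MIN_LEN_USER = 8             # assumed thresholds; the server imposes none today
MIN_LEN_ADMIN = 12
ADMIN_MIN_CLASSES = 3
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_policy_errors(password: str, is_admin: bool) -> list[str]:
    """Reasons a candidate password would be rejected; an empty list means accepted.

    Normal users only need a non-trivial length. Administrators also need
    character-class variety, since they are the accounts worth brute-forcing.
    """
    if not password:
        return ["empty password"]
    errors = []
    minimum = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    if len(password) < minimum:
        errors.append(f"shorter than {minimum} characters")
    if is_admin:
        classes = sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))
        if classes < ADMIN_MIN_CLASSES:
            errors.append(f"only {classes} character classes; admins need {ADMIN_MIN_CLASSES}")
    return errors


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str   # CRITICAL, HIGH, LOW or INFO
    reason: str


def audit_users(users: list[dict], server_allows_remote: bool = True) -> list[Finding]:
    """Flag the password gaps that matter once the server is reachable from the internet."""
    findings = []
    for u in users:
        policy = u.get("Policy", {})          # assumed nesting, see lead-in
        name = u["Name"]
        is_admin = policy.get("IsAdministrator", False)
        remote = server_allows_remote and policy.get("EnableRemoteAccess", False)
        linked = bool(u.get("ConnectUserName"))
        if u.get("HasPassword", False):
            if remote and not policy.get("IsHidden", False):
                findings.append(Finding(name, "LOW", "listed on the login screen while remote access is on"))
            continue
        # From here on the account has no password at all.
        if is_admin:
            findings.append(Finding(name, "CRITICAL", "administrator with no password"))
        elif remote:
            findings.append(Finding(name, "HIGH", "remote access enabled with no password"))
        else:
            findings.append(Finding(name, "INFO", "no password, but local-only"))
        if linked:
            # The Connect link only protects the Connect sign-in; the local
            # account is still reachable directly with an empty password.
            findings.append(Finding(name, "HIGH", "linked to Emby Connect but the local password is empty"))
    order = {"CRITICAL": 0, "HIGH": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.user))


# Constructed sample records for the example; not real server output.
SAMPLE_USERS = [
    {"Name": "alice", "HasPassword": False, "ConnectUserName": "alice@example.com",
     "Policy": {"IsAdministrator": True, "EnableRemoteAccess": True, "IsHidden": False}},
    {"Name": "bob", "HasPassword": True, "ConnectUserName": "",
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": True, "IsHidden": False}},
    {"Name": "carol", "HasPassword": False, "ConnectUserName": "",
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": True, "IsHidden": True}},
    {"Name": "kids-tv", "HasPassword": False, "ConnectUserName": "",
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": False, "IsHidden": False}},
]

if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS):
        print(f"{f.severity:8} {f.user:8} {f.reason}")
    print("summer2023 as admin:", password_policy_errors("summer2023", is_admin=True))
```

Run against a real listing, the same audit is what a setup wizard would perform before enabling remote access: anything above INFO is a reason to refuse to open the port until the account gets a password.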
Posted

Actually it was via a PM to the admins following the security incident. To be fair, some of the outstanding items have now been completed in 4.8+ (those in green below), but the password one has sadly not been implemented... @Luke @ebr @softworkz

--

"Hi All,

So I've been keeping track of the proposed security changes post the security issue in May (for my own security audit) and thought I'd share it.

Would it be worth providing an update to the security incident thread/blog, as you guys have made some great progress with the 'security' side of things? Maybe you want to finish the authorisation overhaul with all the clients before pushing something out on the blog?

I also just wanted to say that I appreciate the security enhancements; my trust in the product is now a lot better than pre-incident, and even though my service sits behind multiple external perimeter defenses, it's still nice to have a security conscious core product. :)

Regards."

 

       
Action / Detail / Status / Availability

Brute Force Lockout
  Detail: Will now add a fixed delay to the response if an incorrect password has been entered 10+ times.
  Status: Complete. Availability: Beta 4.8+

Brute Force Lockout Notification
  Detail: Separate notification type added if the above is activated.
  Status: Complete. Availability: Beta 4.8+

Proxy Headers
  Detail: Proxy headers may be turned on/off, or off if deemed to be remote (i.e. non-RFC1918 addresses).
  Status: Complete. Availability: Beta 4.8+

Plugin Security
  Detail: Enhancements made to plugin security.
  Status: Complete. Availability: Beta 4.8+

User Admin
  Detail: Improvements in viewing 'users' as a table to see their admin status, last login etc. PIN outstanding but optional anyway.
  Status: Complete. Availability: Beta 4.8+

Local vs Remote Access
  Detail: Concept has been replaced with local device token passed authentication.
  Status: Complete. Availability: Beta 4.8+

Local vs Remote Access
  Detail: Server side is complete, and clients are being updated allowing multi-users with token-based passwords to be saved on the device. Web, Roku and Android have been updated thus far (as of 8th Oct 2023).
  Status: Complete. Availability: Beta 4.8+

PIN Access
  Detail: Not directly related to the incident, but due to the above allowing privileged accounts to be 'saved' with a valid token on any device, this allows a 2nd layer of access control for those already logged into the device. It is not an MFA mechanism.
  Status: Complete. Availability: Beta 4.8+

Password strength/entropy
  Detail: Still no password strength check. Allow a weak password, but get user acknowledgement that it is unsuitable for remote usage?
  Status: Outstanding. Availability: tbc

User/Group Admin
  Detail: Further improvements to add library access to the users admin table, or show it in the library views, i.e. a table showing which users have access to which libraries on a single page.
  Status: Feature Request. Availability: tbc

Cipher Hygiene Update
  Detail: Remove outdated ciphers from .NET.
  Status: In progress? Availability: tbc

Unauthorised Image Access
  Detail: Images can still be accessed remotely if the URL is known. For metadata, probably not an issue, but for personal photo libraries this is a PII data issue and should be resolved asap.
  Status: Security Bug. Availability: tbc

 

  • Like 6
  • 1 month later...
Posted

Someone has even made a list to make it easy for the emby devs, although it's missing Multi-Factor Authentication.

  • 1 month later...
Posted

Yet another one that did not know to secure their Emby Connect accounts with a password.

 

Posted

And another one.

 

  • Thanks 1
Posted
3 minutes ago, Neminem said:

And another one.

Yeah I was already aware of the issue (I fill in extremely complex passwords anyway) but it would be a nice-to-have still. Thanks for the reference. 

  • Like 1
Posted
1 hour ago, Neminem said:

Yet another one that did not know to secure their Emby Connect accounts with a password.

 

Yes, that's me! 🫠 I only noticed that something was wrong when a Library was created in the middle of the night containing photos and videos from some folders on my desktop. Only myself and my wife have admin access, and there were several failed authentication attempts. Thank you Neminem for helping me understand that my server was vulnerable (and hopefully no longer is by setting passwords for all accounts and enabling the Hide user options on all accounts).

  • Like 1
Posted (edited)

@sa2000, can you update this wiki page?

Emby Connect | Emby Documentation

And add the importance of a local password even when using Emby Connect.

Admins think it's secure to NOT use a password on local user accounts when using Emby Connect.

And this is insane that the documentation does not mention this.

Edit.

Also, since Emby DOES NOT enforce a password policy, this leaves unknowing admins wide open to attacks.

Edited by Neminem
  • Like 1
  • Thanks 1
