Is the default password on apps a risk?

moneyprintergobrr is the default password on most apps in Umbrel. In what scenarios is this a security risk, if any?

Is there a plan to change this default functionality in the future?

Bump - I noticed some apps are allowing me to change the password but not all.

I think only RTL allows it. What others?

My mistake, you’re right, it is just RTL currently.

1 Like

Still fairly concerned here: sharing a network with roommates or a group of people is very common, and it seems as long as someone knows you have a node running with Umbrel, they can just try umbrel.local:300x and try to find ThunderHub or other apps. Accessing them this way does not seem to require you to be logged in to umbrel.local first.

1 Like

@freshmozz is correct. Anyone on the same network can just add the correct URL and log in via the default password. Gives full access to any feature in the app. This is very concerning for anyone running an Umbrel on a shared network.

2 Likes

Yeah, for now, uninstall any apps that use the default password.

I’m out of my depth here, but is there a way to limit access to umbrel.local (and by extension umbrel.local:300x) to a single source? Either by IP or MAC ID of the device?