Aircoookie / WLED

Control WS2812B and many more types of digital RGB LEDs with an ESP8266 or ESP32 over WiFi!
https://kno.wled.ge
MIT License

Update wled.h regarding OTA Password #3993

Closed gsieben closed 1 month ago

gsieben commented 1 month ago

All important settings can be set in my_config.ini. Except the OTA password. This is always the default password. Here is the suggested correction.

blazoncek commented 1 month ago

There was a talk on Discord about that possibility a while ago and the conclusion was to not implement it. That is due to the fact that many new/inexperienced users are unaware of the possibility of different builds and it would make troubleshooting when you need AP mode difficult and frustrating for them if the default AP password was changed.

gsieben commented 1 month ago

Yes, that's understandable.

But without setting the variable OTA_PASS either in my_config.h or in the build flags, nothing happens with the default OTA password. Anyone who deliberately uses the OTA_PASS variable certainly knows what he is doing.

The problem is that you can neither set the DEFAULT_OTA_PASS in my_config.h nor in the build flags, as it will be overwritten afterwards.

blazoncek commented 1 month ago

Exactly the point!

As far as WLED goes there is no need for custom passwords. That's how I see it from the support POV.

What you do in your custom build/fork is up to you. The problem arises when random people try random build and then request help on the official channels with no clue what factory reset will do.

gsieben commented 1 month ago

For me, the proposed change is not important as I have changed it for myself anyway. I need this for my batch updates of my multiple WLEDs.

But guys. Other developers might be happy. That's why I suggested the change. The proposed change does not change the default password or the releases. It only changes the fact that a developer can change the default value in my_config.h or in the build flags as with the CLIENT_SSID or the CLIENT_PASS. He can also do this if he simply changes the default in the main code. Logically, it makes sense that this can also be changed for the OTA password like the other parameters using the same function. And having the same OTA password everywhere is not recommended anyway. You don't even need a password. Easy for hackers.
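The override mechanism the PR is asking for, as an added example (not WLED's code and not the PR's diff): a build-time default guarded by `#ifndef` so that my_config.h or a `-D` build flag can replace it, the way the thread says CLIENT_SSID and CLIENT_PASS already can, together with a boot-time check that tells the operator whether the device is still running the compiled-in default. The macro names OTA_PASS and DEFAULT_OTA_PASS are taken from the discussion; the placeholder password value, the runtime buffer and the function names are assumptions made for the example.

```c
/* Added example, not WLED's code. Demonstrates an overridable build-time
 * default for the OTA password and a check for "still on the default". */
#include <stdio.h>
#include <string.h>

/* Stand-in for the shipped default (constructed placeholder, not WLED's value). */
#define DEFAULT_OTA_PASS "PLACEHOLDER_DEFAULT_OTA_PASS"

/* Overridable default: if my_config.h or -DOTA_PASS='"..."' defined OTA_PASS
 * before this point, that value is kept; otherwise the shipped default is
 * used. The thread describes the opposite behaviour for DEFAULT_OTA_PASS
 * (the user's value being overwritten afterwards); this guard is the usual
 * fix, and it is how the thread says CLIENT_SSID already behaves. */
#ifndef OTA_PASS
#define OTA_PASS DEFAULT_OTA_PASS
#endif

/* Runtime settings buffer (assumed), seeded from the build-time macro. */
static char otaPass[33] = OTA_PASS;

/* Returns 1 if the given OTA password is still the compiled-in default. */
int ota_pass_is_default(const char *pass) {
    return strcmp(pass, DEFAULT_OTA_PASS) == 0;
}

/* Returns 1 if a build flag or my_config.h replaced the default at compile
 * time, i.e. the override mechanism actually took effect. */
int ota_pass_overridden_at_build(void) {
    return !ota_pass_is_default(OTA_PASS);
}

/* Replace the runtime OTA password (e.g. from the settings page).
 * Returns 0 for an empty value or one that does not fit the buffer, 1 on success. */
int ota_pass_set(const char *pass) {
    size_t len = strlen(pass);
    if (len == 0 || len >= sizeof(otaPass)) return 0;
    memcpy(otaPass, pass, len + 1);
    return 1;
}

const char *ota_pass_get(void) { return otaPass; }

int main(void) {
    /* A fleet of devices all on the shipped default is the situation the
     * thread warns about; surfacing it at boot is the cheapest detection. */
    if (ota_pass_is_default(ota_pass_get()))
        puts("warning: OTA password is the shipped default; set OTA_PASS at build time or change it in settings");
    else
        puts("OTA password differs from the shipped default");
    return 0;
}
```

Building with `-DOTA_PASS='"per-device-secret"'` (or defining OTA_PASS in my_config.h before this header is processed) makes `ota_pass_overridden_at_build()` return 1 without touching the main code, which is the only behavioural change the PR asks for; an unmodified build still ships the default, as blazoncek wants for support reasons.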

blazoncek commented 1 month ago

I am just debating why it wasn't already implemented. I am not saying that PR is not being considered. You chose to close the PR, not me.

And having the same OTA password everywhere is not recommended anyway.

And how do you propose to do that on default installations while keeping uneducated users "happy"? AFAIK changing passwords from default ones is the first security minded task anyone should do.

Other than that, WLED is not intended to be used on public networks (and that's clearly stated). OTA lock, PIN or settings lock are there to prevent accidental change or firmware updates, they are not meant to "secure" the device as WLED lacks any kind of SSL or TLS implementation to encrypt the transmission of sensitive data.

gsieben commented 1 month ago

Sorry. It was automatically closed because I renamed the branch. Something must have gone wrong.