prusa3d / Prusa-Firmware-Buddy

Firmware for the Original Prusa MINI, Original Prusa MK4 and the Original Prusa XL 3D printers by Prusa Research.

[ENHANCEMENT] Redesign PrusaLink login/password credentials and interface #3161

Open neuron-whisperer opened 1 year ago

neuron-whisperer commented 1 year ago

Printer type - MK4 built from kit

Optional upgrades - None

Is your suggested improvement related to an existing problem? Please describe.

Currently, PrusaLink is accessible via username/password. The username is hard-coded as "maker" and the password is a randomly generated, fixed-length alphanumeric string that is difficult to remember and type. The UI allows the user to re-roll the password, but does not allow a user to set a preferred password. (Obviously, it is desirable to allow the user to specify both username and password, but that is not really the point of this submission.)

Most modern web applications that require username/password credentials are coded to embed username and password fields in a login web page. Those fields are tagged with metadata that allows password managers (like 1Password) to recognize them, to record credentials when they are first entered, and to inject them for subsequent login. Password managers vastly improve both user convenience (due to not having to remember and type passwords for websites) and security (due to promoting unique passwords for each site, in lieu of reusing passwords across multiple sites).

Problem: The MK4 web interface does not request credentials in the currently standard way. Rather, the MK4 web interface requests these credentials via Basic HTTP Authentication. Most browsers (including Google Chrome and Apple Safari for iOS) handle Basic HTTP Authentication by popping up a separate window or tab with Username and Password fields, and a "Submit" button that transmits entered credentials to the web interface. Unfortunately, Basic HTTP Auth is not compatible with password managers like 1Password - it can neither record entered credentials nor inject them for subsequent login. Because of this design choice, users must manually type in (or, at best, copy-and-paste) both the "maker" username and the randomly-selected alphanumeric password.

This problem is not only a user convenience issue - it is also a security issue: forcing the "maker" username for all user accounts, and forcing all passwords to conform to a fixed-length alphanumeric format, vastly reduce the entropy of user credentials and make intrusion via brute-force password-guessing much more feasible. An attacker who succeeds in brute-force guessing the password could interrupt a print, inject malware that invades the user's LAN, or even start a fire by misconfiguring the heating elements of the MK4.

Describe the expected functionality

(1) PrusaLink must allow users to choose their own username (instead of forcing everyone to use "maker") and also allow users to specify their own passwords (instead of forcing everyone to use randomly generated, fixed-length alphanumeric passwords).

(2) PrusaLink must encode the username and password fields in a login web page like most modern web applications, instead of using Basic HTTP Authentication, which is not compatible with password managers.

mix579 commented 1 year ago

Has been proposed before but is as valid as it ever was.

bolsoncerrado commented 1 year ago

I second this!

+1 please!

ondratu commented 1 year ago

I just corrected some mistakes in the text.

More secure ways are:

aderusha commented 1 year ago

Here's another suggestion: display a QR code with the credentials and the URL of the machine. Being able to do so is another advantage to digest auth! That way the user can scan the code and be brought to the web page already logged in.

eg: http://maker:abcdefg12345678@192.168.1.10

bolsoncerrado commented 1 year ago

That's nice if you want to quick login with a phone or similar but for a centralized operation like a Farm environment....

aderusha commented 1 year ago

Should be fine for farm use too, just send yourself the URL when you scan it and go to your desktop etc to open it there. That's the magic of digest auth here, you can cook the creds into the link if you like.

edit: This would also be true for things like a dashboard, you can provide links to each target device in your farm monitoring which, when clicked, brings the user directly to the local printer web interface authed and ready. This approach also presents a data leak risk as it's so much easier to accidentally export your creds when used this way.

nullbreached commented 1 year ago

If only for compatibility with password managers! (And hopefully simultaneously fixing the issue with Safari: https://github.com/prusa3d/Prusa-Link-Web/issues/386)

Liniik commented 1 year ago

I second this, when you're doing something like that, why would you ever do that like it is now? More so considering you can't even change the bloody password... To say it's inconvenient is understatement - it's the one and main reason why I don't use the web interface!

bolsoncerrado commented 1 year ago

With the XL debacle and the lateness with their "web admin" thing "competing" with Octoprint they're getting soooo late to the party that I foresee a dark future for this company, VERY sadly! :'(

atollis commented 1 year ago

Yeah this web interface is very half baked...

bcnine commented 1 year ago

Is this for real?! I can't believe there's no way to set the f'ing password! I love this printer, but COME ON Prusa! This is just embarrassing!

Area5142 commented 1 year ago

Similar to many others, I encountered difficulties when attempting to get a password manager (LastPass) to save login credentials for PrusaLink. However, a successful workaround involved enabling the "Ask to save logins and passwords for websites" feature in the Firefox browser settings. Once this setting was activated, the browser prompted to save credentials after a successful login, and subsequently, it automatically filled the fields during the next login.

I tested this solution across various Prusa models, including Prusa XL (4.7.2), Prusa MK4 (5.1.0A2), Prusa Mini (5.1.0A2), and Prusa SL1 Speed (1.7.1), and found that it worked seamlessly for all of them.

On a related note, it's worth mentioning that Prusa SL1 Speed provides users with the capability to set their own password on the printer.

(OS: Linux Mint 21.1 Cinnamon)

QueDuck commented 1 year ago

Shouldn't it be up to the business or individual as to whether they want this level of security? Secure login with complex password or none at all? Also, how often have we seen passwords written on a sticky note stuck to the monitor or on the underside of the keyboard.

rkrussell commented 11 months ago

I completely agree with the OP. This is unnecessarily badly implemented.

JeremyDWilliams commented 11 months ago

As above, QR code to link to website (IP) automatically, ability to turn off password and at the very least ability to edit user name AND password. @neuron-whisperer added label of enhancement, which it would be, but honestly this is more than that. Safety, security and usability are issues that perhaps rank above a mere enhancement imo :)

Liniik commented 10 months ago

As above, QR code to link to website (IP) automatically, ability to turn off password and at the very least ability to edit user name AND password. @neuron-whisperer added label of enhancement, which it would be, but honestly this is more than that. Safety, security and usability are issues that perhaps rank above a mere enhancement imo :)

TBH the things you mentioned, except the QR code, are not an enhancement but they are BASIC FEATURE so currently it's a bug... I really can't believe that there's this thread and we still don't have a reaction from a Prusa dev half a year later!

TorgeirHolm commented 10 months ago

Completely agree! Please change this to make logging in to PrusaLink smoother.

twshield commented 10 months ago

This should be closed, v5.1.2 uses digest authentication with a username and password.

I had to hit F5 to get Chrome to save the username/password.

Note that this means you can script access to the API: curl --digest -u "user:password" [url]

Liniik commented 10 months ago

One would expect they mention this in release notes.... I didn't update because it works and isn't broken but if I knew this, I'd update immediately

JeremyDWilliams commented 10 months ago

This should be closed, v5.1.2 uses digest authentication with a username and password.

I had to hit F5 to get Chrome to save the username/password.

Note that this means you can script access to the API: curl --digest -u "user:password" [url]

I don't feel that writing a script is exactly a solution. It helps, but leaves the original issue unfixed. It's more like a work-around.

twshield commented 10 months ago

This should be closed, v5.1.2 uses digest authentication with a username and password. I had to hit F5 to get Chrome to save the username/password. Note that this means you can script access to the API: curl --digest -u "user:password" [url]

I don't feel that writing a script is exactly a solution. It helps, but leaves the original issue unfixed. It's more like a work-around.

I said you can use it from a script, not that you have to. The request above was to change to digest based username/password authentication that a browser will save and they have done that.

jadoglio commented 10 months ago

The worst part is once you log into this useless site you have no ability to control the printer you just get some simple data outputs. Pretty pathetic...

twshield commented 10 months ago

The worst part is once you log into this useless site you have no ability to control the printer you just get some simple data outputs. Pretty pathetic...

No, you can upload a gcode file and start it printing or print a file already on the USB drive. Are you using the latest firmware?

rkrussell commented 10 months ago

No, you can upload a gcode file and start it printing or print a file already on the USB drive. Are you using the latest firmware?

You cannot pre-heat the tool or the bed. Also, the Prusa Slicer creates .bgcode files, but the upload tool recognizes only .gcode files. Aggravating. And, yes, I have the latest.

jamiebegin commented 10 months ago

No, you can upload a gcode file and start it printing or print a file already on the USB drive. Are you using the latest firmware?

You cannot pre-heat the tool or the bed. Also, the Prusa Slicer creates .bgcode files, but the upload tool recognizes only .gcode files. Aggravating. And, yes, I have the latest.

The web interface allows .bgcode uploads. You just have to change the file extension filter in the upload dialog to show all files, not just .gcode.

But I agree with the sentiment throughout this issue. This is a very poorly designed and built authentication system. All the ultra-high security of hard-coded credentials combined with the convenience of being unable to disable it. Truly the worst of both worlds.

kevinsaucier commented 7 months ago

Just throwing an additional 2 cents on here. I just finished building my Mk4. Been using PrusaLink on a Pi Zero 2 on my MK3S+ for a while now and finally got used to not using Octoprint. Booted up the MK4 and found this nonsense hardcoded name/password. I don't give a crap how secure the PrusaLink interface is on my local network. Why do I need to remember KeYZpcQjk6xuDJz for every time I log in? That's just ridiculous!

And why is the Settings page not available on the MK4? I have to use the tiny LCD to do everything? Sigh.......Prusa makes some amazing printers but it's just pathetic that they've committed what, 1, maybe 2 developers to what is a necessary part of 3D printing nowadays? And still no phone apps to allow for management...... Sigh......

wafflecart commented 7 months ago

Just throwing an additional 2 cents on here. I just finished building my Mk4. Been using PrusaLink on a Pi Zero 2 on my MK3S+ for a while now and finally got used to not using Octoprint. Booted up the MK4 and found this nonsense hardcoded name/password. I don't give a crap how secure the PrusaLink interface is on my local network. Why do I need to remember KeYZpcQjk6xuDJz for every time I log in? That's just ridiculous!

And why is the Settings page not available on the MK4? I have to use the tiny LCD to do everything? Sigh.......Prusa makes some amazing printers but it's just pathetic that they've committed what, 1, maybe 2 developers to what is a necessary part of 3D printing nowadays? And still no phone apps to allow for management...... Sigh......

Are you on the latest firmware? There was a fix a while ago for username and password not working with password managers / auto fill.

I find Prusa Connect (cloud) is great and has all the features you expect but unfortunately Prusa Link (local version) is so dumbed down I was actually surprised first time I booted up, I was like “this is it..”

wafflecart commented 7 months ago

The worst part is once you log into this useless site you have no ability to control the printer you just get some simple data outputs. Pretty pathetic...

Prusa Connect (runs in cloud) allows you to control XYZ of printer, heat up bed and nozzles, queue prints, start stop jobs, cancel objects on bed etc, it’s pretty decent, however as of now Prusa Link (runs locally only) is a dumbed down version of it and is severely lacking 😞

kevinsaucier commented 7 months ago

Just throwing an additional 2 cents on here. I just finished building my Mk4. Been using PrusaLink on a Pi Zero 2 on my MK3S+ for a while now and finally got used to not using Octoprint. Booted up the MK4 and found this nonsense hardcoded name/password. I don't give a crap how secure the PrusaLink interface is on my local network. Why do I need to remember KeYZpcQjk6xuDJz for every time I log in? That's just ridiculous! And why is the Settings page not available on the MK4? I have to use the tiny LCD to do everything? Sigh.......Prusa makes some amazing printers but it's just pathetic that they've committed what, 1, maybe 2 developers to what is a necessary part of 3D printing nowadays? And still no phone apps to allow for management...... Sigh......

Are you on the latest firmware? There was a fix a while ago for username and password not working with password managers / auto fill.

I find Prusa Connect (cloud) is great and has all the features you expect but unfortunately Prusa Link (local version) is so dumbed down I was actually surprised first time I booted up, I was like “this is it..”

I am on the latest firmware and it does seem to save the password but it's still a crappy password.

To build on your comments, what really sucks is a lot of those controls are available in PrusaLink on my MK3S+ with a Pi Zero. They just aren't available on the xBuddy version. 🤦‍♂️ And entering the URL directly on the xBuddy version just causes the page to save it hit an error. Sigh......


mix579 commented 7 months ago

Unless you have some fundamental issues with cloud-based control, I see no reason to even look at PrusaLink. I run my small farm with PrusaConnect, and while there are certainly quite a few opportunities for improvement, it works very well.

kevinsaucier commented 7 months ago

Unless you have some fundamental issues with cloud-based control, I see no reason to even look at PrusaLink. I run my small farm with PrusaConnect, and while there are certainly quite a few opportunities for improvement, it works very well.

Well, you can see in the screenshot that my MK3S is not connecting to PrusaConnect for some reason (currently whining about not being able to get the serial number, but that flip-flops), so I do indeed have an issue with cloud-based control. 🤷‍♂️ It really makes no sense to have to send all my data to Prusa only for them to send it right back to me. I'd prefer to send it local and have it then get uploaded to Connect as a backup/extension. Also, not that it currently affects me, but there is a space limitation on Connect, which means it will eventually cost more money to use Connect than Link.

github-actions[bot] commented 4 months ago

This issue has been flagged as stale because it has been open for 60 days with no activity. The issue will be closed in 7 days unless someone removes the "stale" label or adds a comment.

jjshoe commented 4 months ago

The bot auto closing this issue will add unnecessary noise for everyone who cares about getting this actually enhanced.

nomike commented 3 months ago

Hi!

I want to add a few things here:

I would say the majority of Prusa Users are not expert system administrators.

People will not be able to figure out how to configure TLS properly. Most printers will not have a publicly available domain name (more something like prusamk4.lan or something similar), so buying a TLS certificate from a publicly trusted CA won't be possible. Also you would have to pay for it annually. I don't want to expose my printer to the public internet, so Let's Encrypt isn't an option either.

Even fewer people will be able to set up their own local certificate authority.

So it's safe to say, that TLS is not an option. And just in case you really want that, nobody is preventing you from putting the printer in a separate VLAN, behind a firewall and setting up an nginx reverse proxy in front of it where you can have all the TLS mumbo jumbo your heart desires.

So in light of this, using HTTP digest is the most secure choice and far superior to sending passwords unencrypted through the network by using some custom HTTP-forms. And it's a very mature and quite secure industry standard supported by all browsers.

As to the question about password managers: I'm using KeePass2 as my password manager and I'm using the Kee plugin in both Firefox and Chromium/Chrome to connect to the database. Kee is perfectly capable of auto-filling the HTTP digest password prompt displayed by the browser. So if you are using 1Password or some other service which can't handle these, I would rather recommend filing a bug report or feature request with those. It's not Prusa's fault that some password managers seem to not get this sorted out.

But I'm a friend of taking care of my own valuable data, so instead of trusting some company to keep my passwords safe (and there have been reported data breaches with them over and over, which is no surprise as they are a very valuable target for hackers), I'm using the open source KeePass password manager. I store my encrypted database on a WebDAV folder, so it syncs between all my desktop devices (Linux, Windows, macOS) and Android phones flawlessly.

And regarding the auto generated password:

As I already mentioned, the majority of Prusa users will not have a background as sysadmins. So they will use weak passwords, will use passwords they re-use on many other systems, etc. Having auto-generated passwords prevents that.

And if you have a proper password manager, you only ever have to type it in once anyway. So IMHO it could be even more complex to further increase security.

And the argument about passwords being written down on sticky notes is not really a strong one. If you have physical access to the printer, you can do whatever you want. You can set the temperature to very high values, connect a USB drive to upload some rogue firmware or simply lookup the password in the settings. I'm not concerned about physical security.

I'm concerned though about network security, and this is done quite well so far.

Regards nomike
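The thread argues about what Basic auth, Digest auth and a plain HTML login form actually put on the wire over HTTP, and twshield notes that `curl --digest -u "user:password"` can drive the API. The following added example (not code from Prusa-Firmware-Buddy or PrusaLink) shows both sides of an RFC 7616 Digest exchange with MD5 and qop=auth beside what a Basic header reveals to a passive observer; realm, username, password, nonces and URI are constructed placeholders.

```python
"""Basic vs. Digest HTTP authentication: what an observer on plain HTTP sees."""
import base64
import hashlib
import secrets

# Constructed placeholders, not real PrusaLink values.
REALM = "Printer"
USER = "maker"
PASSWORD = "abcdefg12345678"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic: the credentials themselves, only base64-encoded, ride along with
    every request. Over plain HTTP anyone on the path can read them back."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str) -> tuple:
    """What a passive observer recovers from a Basic Authorization header."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def new_nonce() -> str:
    """Server-issued, unpredictable challenge (one per WWW-Authenticate)."""
    return secrets.token_hex(16)


def ha1(user: str, realm: str, password: str) -> str:
    """The only place the password enters the Digest computation. A server can
    keep this value for verification instead of comparing plaintext."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 7616 response value with algorithm=MD5 and qop=auth."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_header(user, password, realm, method, uri, nonce, nc="00000001", cnonce=None) -> str:
    """Client side: the Authorization header a client sends after the 401
    challenge. The password itself never appears in it."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')


def parse_digest_header(header: str) -> dict:
    """Minimal parser for the comma-separated key=value parameters above."""
    params = {}
    for part in header.split(" ", 1)[1].split(", "):
        key, _, value = part.partition("=")
        params[key] = value.strip('"')
    return params


def verify_digest(header: str, stored_ha1: str, method: str, expected_nonce: str) -> bool:
    """Server side: recompute from the stored HA1 and the request's own fields.
    A real server also tracks nonce freshness and the nc counter against replay."""
    p = parse_digest_header(header)
    if p.get("nonce") != expected_nonce or p.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return secrets.compare_digest(expected, p.get("response", ""))
```

Note that a sniffed Digest header can still be replayed within the nonce's lifetime and offline-guessed against a weak password, which is why the entropy of the password matters even with Digest.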

Prusa-Support commented 1 week ago

Thanks for sharing your feedback.

This conversation was quite extensive and rich in valuable opinions and technical details that our developers appreciated. Because the thread is rather long and detailed though, I may be missing something but, for the sake of conciseness, it seems safe to stick to the opening message and the summarized points.

(1) PrusaLink must allow users to choose their own username [...]. (2) PrusaLink [...] is not compatible with password managers.

1. A user may have missed this issue and fortunately created a second more specific issue, which is proven to be more effective for the large majority of cases (https://github.com/prusa3d/Prusa-Firmware-Buddy/issues/3559). The other issue stayed rather silent but got our developers' attention as a consequence of the stale bot action which we do double check. Our developers are working on this.

2. This is probably relevant for Prusa Link Web repository where the topic was already addressed - https://github.com/prusa3d/Prusa-Link-Web/issues/465#issuecomment-1961500315. I seem to understand that most common browsers should be able to save credentials but certain password managers will probably require tailor-made workarounds anyway.

.

The bot auto closing this issue will add unnecessary noise for everyone who cares about getting this actually enhanced.

Or... Will make sure that even old issues, if still relevant, get more attention, and this is the case - https://github.com/prusa3d/Prusa-Firmware-Buddy/issues/3161#issuecomment-2212781035. 🙂 There are probably many other potentially obsolete and distracting issues out there so the bot is very necessary at the current time. About that, https://github.com/prusa3d/Prusa-Firmware-Buddy/issues/3559 is another example of how the action of the stale-bot should really have reason to be perceived negatively, whereas it helped draw attention to the issue even so quietly.

.

Sorry for the long message and I apologize in advance if I missed some important details. Please let me know. Other than this, I think these requests could be more efficiently addressed as split in the other two issues mentioned above. In this sense, the current issue could be closed, as it could feel otherwise somewhat overwhelming.

Michele Moramarco Prusa Research

neuron-whisperer commented 1 week ago

@Prusa-Support Thank you for the response. I need to address a few dangling threads:

(1) PrusaLink must allow users to choose their own username [...].

I can live with the notion of not choosing my username. It's a peculiar choice, but a livable one.

The much more important part of suggestion (1) is the part that you edited out:

and also allow users to specify their own passwords

There's still no way to do this. We're stuck with whatever alphanumeric soup the printer auto-generates for us. We can ask it to generate a different alphanumeric soup, but that doesn't help anything.

Look - I have two printers. Needing to store and use a unique alphanumeric password for one of them is a pain. Needing to store and use different passwords for each printer acutely amplifies the pain. I can't even imagine how printer farm managers cope with needing to manage (x) unique passwords for (x) printers.

The kicker is that if Prusa is going all-in on security as has been suggested, fixed-length, alphanumeric-only passwords are terrible! Allowing people to choose arbitrary-length passwords and with the expanded character set of special characters would greatly increase entropy. Please check out this brief xkcd comic entitled "correct horse battery staple" and consider that information in the context of Prusa's auto-assigned passwords.

Bottom line: At the very least, please let users choose their own passwords.

I seem to understand that most common browsers should be able to save credentials but certain password managers will probably require tailor-made workarounds anyway.

I get this general feeling that Prusa is disinclined to consider password manager support as an important feature. And I'm saddened by it.

Look - browsers are terrible password managers:

The Chrome password vault is stuck in Chrome and not available outside of Chrome - it's a Google lock-in mechanism, another reason to discourage people from using mobile Safari, Firefox, Edge, etc.

Consider this: How does Prusa Connect work on iPhones? The Prusa App. Which isn't Chrome. So if I change my password on my workstation and Chrome saves the updated password, I lose access on my phone until I manually type in the password, which is an enormous pain. Password manager support would solve all of that.

For those reasons and others (e.g.: security, transparency, portability, etc.), "just use Chrome as your password manager" is not an acceptable solution here.

Password managers are an invaluable tool in a secure computing environment, and Prusa is standing in the way of that. Please, please encourage your engineering team to reconsider these choices.

jjshoe commented 1 week ago

If being secure as possible is the goal, then let's just move to passkeys while we're at it.