I see that in the "enter Master Password" dialog box there is a link to "Reset Master Password". The point of having a master password is to thwart unauthorized attempts to modify the backups so as to destroy the ability to recover from Ransomware attacks. If the attacker can just reset the master password then it kind of defeats the whole thing. I was going to test resetting the password on our server to see what happens, but in the Help I saw the following: With a master password reset, all other passwords used in CloudBerry Backup (for example, passwords for storage destination access), will be reset for security reasons.
Not wanting to wipe out any of my credentials for Amazon or Google storage, I opted to not go ahead with my testing on our server.
So can you explain to me how the password reset works, and exactly what other passwords might be affected? Also, I would prefer that a Re-branding option checkbox be added that would allow us to not show the reset password option in the client console.
This button basically logs out your current user disabling any interaction with cloud storage accounts until the correct user credentials are provided again.
I'll transfer your feedback regarding disabling reset button to our R&D.
Thanks for the reply. I tested it and it does as you stated - clears out the password for the User account. So if someone knew that password, they could bypass the Master console password altogether. (I assume that the account password is not stored locally on the machine anywhere).
My thoughts:
For the MBS version, why not just put up a dialog box that says - "Please contact your administrator/storage provider" like you do for the "forgot password" in the User account credentials screen?
We can change the master password for any machine from the MBS console so I do not need a password reset button in the device console, and the few clients who actually use the console themselves can always call and have us reset it (or tell them what it is).
While the suggestion is interesting there is one but: if someone knows the User password (and get his hands on the installer package) he can do stuff on a fresh installation of the backup client.
So the Master PW is bypassed anyway if the User creds are known.
Master password is to prevent unintended access if someone gets his hand on the machine, not on the creds.
So I don't quite understand what does it give you, having the "please contact provider"?
I don’t want to make a big deal of this, but if the Master Password reset button does not really do anything useful, what is the point of having it? I don’t understand the use case for it. The Master Password itself is great, as are the recent improvements to protect / encrypt it, but I cannot think of a situation where anyone would need to use the password reset button that you provide. There perhaps should be a “forgot password” link so that if our clients forget the Master pw, they know what to do - “contact your Backup Service provider”.
If one of our clients does reset the password, they will not know that the account password was cleared. And if they don’t call us right away and tell us what they did, all of their backups will fail with the “object reference not set to an instance of an object” error.
Since very few of our clients use the console, this is not likely to be an issue for us. But other MSP’s might run into the above scenario, where the client expects the reset password link to operate like a normal reset does - sending an email with a link, etc, etc.
So unless I am missing something, ( very possible), I would ask that you consider replacing the “reset pw” link with a “Forgot password” link that does nothing but popup the “contact your admin” dialog box.
If you decide to leave it, please change the warning popup to say something to the effect of : Your backup account password will be cleared, and will need to be reentered to resume backup operation.
And I will hope to see a setting in the rebranding options at some point to allow us to hide the “reset master password” link.
Thank you.
<The Master Password itself is great, as are the recent improvements to protect / encrypt it.>
I added a master console password, then I went to the enginesettings.list file, I removed the master password setting and I opened up Cloudberry and it asked me to accept the changes (which of course any malicious actor would do) and I was able to open the console after that just fine.
Now, I wasn't able to run a backup when I did that as it just gave an error, which isn't necessarily a bad thing and it would prevent someone from running a backup of encrypted data.
And the reset password would basically remove any account information from the backup data store so malicious actors could not then get into the backups, whereas an authorized person could then go re-setup the storage account again,
We already use advanced to remove the ability to delete files from backup storage as well as no ability to edit plans on the console, but my assumption is that with no valid license, even if I edited the backup plan to delete all versions on next run, I couldn't as the job won't run?
I would suspect that changing the error message about the license would make alot more sense though....then Object reference not set to an instance of an object.
2019-09-14 17:06:39,871 [PL] [1] INFO - Repository version: 6.1.1.37, created by product version: 5.1.0.135, date: 10/23/2016 13:28:55
2019-09-14 17:06:39,900 [SERV] [1] ERROR - MBS password is empty in plan engine
2019-09-14 17:06:39,905 [PL] [1] INFO - Refreshing plan list
2019-09-14 17:06:39,959 [PL] [1] INFO - Plan created: Plan name: Consistency check plan for Modular Technologies Inc. Account, plan id: 13da082a-1576-46d6-942d-72b9d9428280
2019-09-14 17:06:39,960 [PL] [1] INFO - Plan created: Plan name: File Backups, plan id: 7a517304-771e-480f-847d-1395129f36a8
2019-09-14 17:06:39,960 [PL] [1] INFO - Plan created: Plan name: Restore plan, plan id: 4c01950b-2f4d-4953-8aba-0e8f15c3a526
2019-09-14 17:06:39,987 [Base] [1] INFO - OS ProductType: 2
2019-09-14 17:06:39,989 [SERV] [1] ERROR - Unexpected error on checking license
System.NullReferenceException
Object reference not set to an instance of an object.
at ra.A(String , String )
at b.E()
2019-09-14 17:06:39,994 [SERV] [1] FATAL - Engine failed.
System.NullReferenceException
Object reference not set to an instance of an object.
at ra.A(String , String )
at b.E()
at C.E()
at b.ac()
I need to bring "Object reference" error message to the attention of our developers. Could you please send us the logs with step-by-step instructions on reproducing the problem?
Oh, and make sure you're doing all that on version 6.1.3.11.