Changing passwords

Anyone know how to change the default passwords in the Lightning Labs app and ThunderHub? It is easy to change and enable 2FA in RTL.

3 Likes

Those are hardwritten into each app conf file.
You will need to enter into the belly of each docker container, and it is not easy.
Also, after each update they will be overwritten.
I suggest just waiting until a fix is made. It is not a big deal.
Digging into software’s configuration can do more damage than good.
99% of the time you are accessing your node from your own LAN, so why so much paranoia?
If you access your node using the onion address from outside, you will also be accessing it from your own devices, not from random computers that are not yours.
So the chances that somebody will access your node with the default password will be ONLY when you give them your onion address… otherwise they just suck it.

4 Likes

I would like to see an easier way to update default passwords for installed apps.

2 Likes

Well, the onion address is usually bookmarked in the tor browser, so whoever gets access to my machine can spend stuff from thunderhub. Exact reason why I have uninstalled it.

3 Likes

Then why are you still running a node?
Anybody can steal your node too, if they can take your PC…
Why are you going out? Anytime something can fall onto your head…
This is life, taking risks is part of it. Securing it is your duty.
That part with “somebody can access my bookmarks and for that I remove it” makes me laugh…

4 Likes

No reason to argue about this. I think both of you are right. On one hand this is new tech and carries risks with it. On the other hand, one purpose of this site is for users to express desired upgrades. I think an upgrade that includes the ability to change passwords on apps is reasonable.

3 Likes

The whole point of this thread is that while RTL is protected by two or three secrets (tor url, password and optionally 2fa), ThunderHub is protected by one (tor url). As such, it is an order of magnitude more risky to have installed than RTL; if ThunderHub developers care, they should beef up the security. Personally, I think ThunderHub is not as good as RTL, though it has some nice features (f.e. sending sats via selected channel, routing graph, etc.). So no regrets uninstalling it.

2 Likes

BTW, a good approach would be an option for Umbrel to match all passwords to the one from Umbrel itself. Simple and secure enough.

5 Likes

I thought onion addresses are often public, are they not?

For example here, you can see the onion address as: 02045f289f0de16b275e925aff584bc6c626dddc0f29e15b367d68a35de445d98b@dt7xgfkbudhgiyxgpapfta3xnoaicnflcmqxrdtnty67r7ealxz5mgid.onion:9735

What am I misunderstanding here?

This is a different Tor address, not the one you would log in to, and it’s for the LN nodes to connect to each other, if I’m not mistaken.

2 Likes

You’re correct, I learned since.

1 Like

To change thunderhub password:

  • ssh to umbrel
  • open file /home/umbrel/umbrel/apps/thunderhub/data/thubConfig.yaml
  • replace password value on first line. Keep the single quotes ', e.g. masterPassword: my new password
  • Install or restart thunderhub
4 Likes
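
The manual edit described in the post above can be scripted. This is an added example, not part of the original post and not Umbrel's or ThunderHub's own tooling; it assumes the config holds a top-level `masterPassword: '...'` line as quoted in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: rotate the masterPassword value in a ThunderHub-style YAML config.
# Assumption: the file contains a top-level line  masterPassword: '...'

# gen_password: print 32 hex characters (128 bits) from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# set_master_password FILE NEWPASS
# Rewrites only the first masterPassword line; every other line is copied as-is.
# The body runs in a subshell, so its variables do not leak to the caller.
set_master_password() (
    file=$1
    newpass=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; exit 1; }
    grep -q '^masterPassword:' "$file" || { echo "no masterPassword key in $file" >&2; exit 1; }
    # A YAML single-quoted scalar escapes a literal ' by doubling it.
    escaped=$(printf '%s' "$newpass" | sed "s/'/''/g")
    # Build the new content in a private temp file (mktemp creates it mode 0600).
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    # ENVIRON passes the value verbatim (awk -v would interpret backslashes).
    if NEWVAL=$escaped awk '
        /^masterPassword:/ && !seen {
            print "masterPassword: \047" ENVIRON["NEWVAL"] "\047"; seen = 1; next
        }
        { print }' "$file" > "$tmp"
    then
        # Copy the content back instead of renaming, so the original file keeps
        # its owner and mode (the app container may read it under another uid).
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        rm -f "$tmp"; exit 1
    fi
)

# Usage on the node (path from the post above; restart ThunderHub afterwards):
#   set_master_password /home/umbrel/umbrel/apps/thunderhub/data/thubConfig.yaml "$(gen_password)"
```

The new value is still stored in plaintext in the file, so access to the node's filesystem remains equivalent to knowing the password.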

Do you have to do this after each upgrade or just once?

1 Like

No idea :slight_smile:

1 Like

Same. Just installed Thunderhub and there are loads of things to click on and none of them are change default password. Come on…let’s work together…but this is fucking stupid.

1 Like

Looking forward to ThunderHub offering (hopefully forced) password change. Pretty risky at the moment if you accidentally enter your Tor url somewhere you shouldn’t, e.g. in a non-tor browser address bar, as it will go to search, and anyone who sees your search history or browser history, or someone working at the search engine, can have access to all of your lightning and on-chain bitcoin.

1 Like

@DarthCoin - this is just the best reply ever man! Keep doing what you are doing for the community… it’s really appreciated.

1 Like

I just deleted the app temporarily until I understand how to make it more secure.

For the line I’m supposed to edit in the file thubConfig.yaml

This is what I see:
masterPassword: '$APP_PASSWORD'

Am I supposed to replace the value between the quotes with a new plaintext password, and is that secure enough?

1 Like

Hello, has the situation changed for ThunderHub? I see now that it gives you a very long, what looks random, default password at install. Is it then more safe to use? Should I still change it or can I use it with the default random password given by the Umbrel app install page?
What about 2FA? Is it planned for ThunderHub? Is anyone involved in this app here?

Yep, they’ve fixed it now. Everyone gets a unique password that’s safe to use.