Umbrel 0.4.8 is out with cryptographically secure default app passwords

Umbrel 0.4.8 is now out with a new security feature — unique cryptographically secure default app passwords derived from your 24 secret words. This will help protect your Umbrel even if an app’s unique Tor URL gets leaked and you have not changed that app’s default password.

We’re also currently investigating some incidents where funds were drained from users’ Lightning nodes on various node managers and operating systems, including Umbrel.

While there is no evidence that funds were stolen due to leakage of Tor URLs of apps like ThunderHub that use static default passwords, we decided to release this feature on priority and to introduce an additional layer of security.

If you have currently installed ThunderHub, Lightning Terminal, Ride The Lightning, Squeaknode or Code Server on your Umbrel, their default passwords will automatically upgrade to the newer, more secure passwords which can be found on their app store listing pages. In case you have already updated passwords of these apps manually, you can continue to use the same.

Twitter announcement: https://twitter.com/getumbrel/status/1460245730971451392

2 Likes

Take also in consideration this aspect.
Some users were already blaming Umbrel for being “insecure”, but they never look into their own backyard (router)…

2 Likes

Nice!

There seems to be a small formatting problem that I did not see in the previous version (my umbrel server just completed syncing today :).

image

@DarthCoin I’m glad that I don’t even have any of those routers listed on that website, as it’s an authentic Cisco router and I always check for updates weekly no matter what.

Hi, Thanks for this update. My BTCPay server app still lists the old version in the App Store. Is there something I need to do to get it up to the current version? My Umbrel is on the latest version.

How do we manually change the password of thunderhub and lightning terminal? If they are not changed anyone granted access to device will be able to use those applications fully because the default unchanged password will be exposed to them in the app store menu.

As it says in the announcement: Updating to 0.4.8 it will force to create cryptographic all new passwords.
When you enter into your dashboard (with your regular password) and go to the apps, you will see a small box with the new password.
Did you read the announcement? Is right there an image showing you.

Mayank, is it realistic to add WireGuard to the app store?

Hey guys, out of which 24 words is this default app password derived?