Increase default security settings! Temp password must change after a session!

Hi,

With the default settings, it seems TeamViewer never lets the temp password expire or change after a remote session ends.

This is a bad idea for security, in my view. I am asking you to increase security by making the temp password change after a remote session the default setting!

Discussions related to this:


https://community.teamviewer.com/English/discussion/112541/why-team-viewer-doesnt-use-secure-settings#latest


Comments

  • By default TeamViewer

    1. doesn't change the temporary password after a remote session
    2. doesn't require the remote connection to be allowed through a pop-up window once the temporary password is used

    These two choices, made by default by the program, create, in my view, two security vulnerabilities.

    The first arises because I think I'm secure after a remote session ends, but I'm not: I can leave the PC and, without my knowing it, the other party can connect again with full access to my unmonitored device. In this situation data can be stolen or erased because no one is at the monitor to check or stop this.

    For example, Google Remote Desktop requires a different temp password every time, which stops working after being used or after a long period of inactivity; this prevents anyone from connecting to our PC without our knowing it. Allowing a temporary password to work until the PC is restarted or until the user manually asks the program to change it creates a situation that can be exploited.

    To resolve this situation, the user has to remember to change the temporary password every time, and also to change it in the case where they gave out the temporary password but for some reason the other person did not connect to our device, maybe telling us the internet connection was not working, etc. The risk is that we can leave the PC, forget that someone now knows our temporary password, and they are able to connect to our device without any other permission needed.

    The first point can be solved by going into the TeamViewer settings and activating the relevant option to change the temporary password after a remote session. This will not resolve the case where we give someone our temporary password and no connection is made. If we do not change the password and leave the PC, we can be exposed to an attack. This is possible when we encounter a person who is interested in stealing or damaging the information on our device and invents a situation, then waits until we forget about it and leave the PC to take full control.

    [quote]

    Random Password after each session

    You can select whether or when you would like TeamViewer to generate a new random password for incoming sessions.

    Under Extras --> Options --> Advanced --> Under Advanced settings for connections to this computer --> Random password after each session --> Choose your option --> Click OK

    [/quote]

    TeamViewer guide: https://community.teamviewer.com/English/kb/articles/28442-all-about-passwords

    The second point, where no pop-up window requires permission to remotely connect to our device when a temporary password is used, I think cannot actually be resolved. I don't see any option to require authorization when the temporary password is used.

    Actually, I reported this issue to the privacy address of the TeamViewer team. All users should change their settings to avoid the temporary password remaining unchanged after a remote session, and should also consider that once someone knows the temporary password they are able to connect to our device without any additional permission needed.

    I suggested to the TeamViewer team that they change these default settings as soon as possible to be more secure, in particular:

    • To change the temporary password, by default, after every remote session
    • To always show a pop-up window that asks to confirm the connection to a remote device when the temporary password is used

    I have no guarantee the TeamViewer team will care about my report. I have been trying to see security improved for several months, but it is not easy for a free user to get support or report issues.

    Actually, it seems users need a webinar or a school to be secure with the TeamViewer default settings, in my view. So it is important to change the program settings to be more secure, and to always remember that there is actually no pop-up asking for permission once the temporary password is used or someone knows it. The only way to secure the account is to change the temporary password and keep it secret, and also to change it after a remote session or after someone gets it and does not connect to our device immediately.

  • cquirke Posts: 26

    One way to address this issue is to explicitly end the session, perhaps via settings to do so when the local side closes TV and/or closes the session window. I'd assumed this would already be the behavior when "unattended access" is disabled, but one could go further and close the remote side's TV for extra safety.

    This wouldn't avoid creep-back from malicious "remote assistants", but would facilitate better hygiene SOP for legit support who want to reduce risks for the remote client.
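
Added example, not part of the thread and not TeamViewer or Google code: a small Python model of the temporary-password lifecycle the first comment asks for, where a password is consumed on use, expires if it was handed out but never used, and needs local confirmation before a session starts. The class name, the 600-second lifetime and the `confirm` callback are assumptions made for illustration.

```python
import hmac
import secrets
import time


class TemporaryPassword:
    """Hypothetical model of a single-use session password."""

    def __init__(self, unused_ttl=600, confirm=lambda: False, clock=time.monotonic):
        self.unused_ttl = unused_ttl  # seconds an unused password stays valid (assumed value)
        self.confirm = confirm        # stands in for the local "allow this connection?" pop-up
        self.clock = clock
        self.rotate()

    def rotate(self):
        """Issue a fresh random password and restart the expiry timer."""
        self.password = secrets.token_urlsafe(9)
        self.issued_at = self.clock()
        return self.password

    def connect(self, candidate):
        """Accept only a current, unexpired password that the local user approves."""
        if self.clock() - self.issued_at > self.unused_ttl:
            self.rotate()             # given out but never used: expire it
            return False
        if not hmac.compare_digest(candidate.encode(), self.password.encode()):
            return False
        if not self.confirm():        # nobody at the keyboard, so no session
            return False
        self.rotate()                 # consumed on use, so it differs after the session
        return True


def demo():
    """Walk through the cases raised in the thread with a constructed clock and user."""
    now, present = [0.0], [True]
    tp = TemporaryPassword(600, confirm=lambda: present[0], clock=lambda: now[0])
    results = {}
    first = tp.password
    results["first_session"] = tp.connect(first)
    present[0] = False                            # user walks away from the PC
    results["reuse_after_session"] = tp.connect(first)
    shared = tp.password                          # new password given out, never used
    results["current_password_user_away"] = tp.connect(shared)
    present[0] = True
    now[0] += 601                                 # later than the unused lifetime
    results["shared_but_unused_expired"] = tp.connect(shared)
    return results


if __name__ == "__main__":
    print(demo())
```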