NAS server

The most important security setting for your Synology: The reset option

I received this comment on  my article on how to reset the synology password article last week:

“Hello! Very interesting article and very interesting blog.
In DSM I have recently seen an option:
Control Panel —> Update & Restore —> Reset —> Reset Option
There is an option to tick:
“Keep current admin password unchanged”
With the following explanation:
“You can keep the current admin password unchanged if you press and hold the RESET button on your DiskStation for 4 seconds for system reset”.

Does it mean that if I tick this option and in the future I will forget the admin password I will be locked out my Synology even if I will press the reset button for 4 seconds? The DSM help doesn’t mention this option and I couldn’t find info of it on the internet. Thanks again.”

Reset Option on your Synology

I wasn’t aware that the option was there, but after I checked my synology, there it is:

  1. Control Panel
  2. Update & Restore
  3. Reset
  4. Keep your admin password unchanged

control panel reset synology.jpg

So, what does that mean?

I googled it and I couldn’t find anything, so there was only one thing left to do: try to do some thinking of my own 😉

So, what is going on? Why and when would you not want to be able to recover your password?

And then it hit me: what if somebody breaks in your office or home?

The dangerous back door….

So if a thief breaks into your office or home, and knows a little bit about synologies, to be able to get access to all your files and the system, the only thing they need to do is to press the reset button.

Suddenly what it was a great feature it is a huge security risk.

So all my synologies have now that option ticked. If they break into my office I wont make it that easy for them to steal my data and I recommend you do the same.

Suggestion to synology

This is a big flaw in the synology system. The design of this feature is flawed and dangerous.

This is a suggestion to synology to improve this.

I forgot my password or the admin left the company or….you know, you need the admin password, then yes, reset the password, but before you can access it again, you need to go through the 2-step authentication, so if they want to get my data, they need to steal my NAS and my phone. Not impossible, but harder to do.

Next post it will be on the configuration series and I will talk about moving files to your brand new synology.

Have a nice day 🙂

4 thoughts on “The most important security setting for your Synology: The reset option

  1. Hi! I searched for “keep current admin password unchanged” on Google on found your article. My question to you is, have you tested this? What is it exactly that it does that doesn’t allow the password to be reset by a lost configuration or reset?

    1. Hi,
      I haven’t tried it , but I can only assume it works?
      I have no idea how synology has implemented this, test asking in the forums, maybe somebody more technically advance can help you.

  2. This whole problem is a big deal and I’m surprised no one talks about it. We should be able to keep boot-level partition (where DSM and all settings are stored) encrypted and disable the reset button, aside from holding to wipe entire OS. It’s a glaring vulnerability. Encrypted shared folders aside, someone could steal a unit and glean confidential data like remote backup details, email addresses, SSH keys, etc. Server blades and even my one MacBook have entire disk encryption that requires a master key or user account to decrypt during boot time, Syn should have the same.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.