Plex Home Security Issue

Unless I am missing something, it seems like there is a big security problem with the way Plex Homes work. I have a Plex Home with some family and friends. If I log in with one of their accounts (username and password), I then select a user and enter that user’s pin. Pins aren’t super secure but good enough for this situation. Except if I select my username and enter my pin, I become admin. If one of my users has a bad password, I am at a huge risk. Someone would only need to figure out any user’s password and my pin and they would have admin access. Is there a setting to prevent this from happening that I am missing somewhere? If not, is this a known issue? Thanks.

Plex Home enables Fast User Switching.
That is why you should only include people who’re living in your own household in your Plex Home.

All other people you share your server with should be added only as Plex Friends.

To prevent the kids from using the parents’ accounts, for movie rating reasons, there should be the option to use a pin or password.

@shemstead said:
To prevent the kids from using the parents’ accounts, for movie rating reasons, there should be the option to use a pin or password.

Plex Home does use a 4-digit PIN.
https://support.plex.tv/hc/en-us/articles/204232453-Fast-User-Switching

The problem is again that a 4-digit pin is not very secure. It would be nice if fast user switching could be disabled on a Plex Home. Or if fast user switching did not give admin permissions.

Plex Friends doesn’t give my family members access to my Plex Pass so we would need to buy multiple which is unfortunate. So I had to stick with Plex Home. Unfortunately, this means someone only needs to get the weakest user’s password and my pin. I hope that there is brute force prevention (i.e. max login attempts).

I am paranoid, I know :). I am used to being able to set password requirements for users of my systems. So this is just a little off-putting to me. I can’t require that decent passwords are used or changed regularly. And then only my pin is needed to give a non-admin user admin access.

Just use the 4 digit pin and set up PlexPy on your server. It won’t prevent your kids from brute-forcing (or shoulder-surfing) your PIN, but it will at least show history of what they/you did and you can talk about it with them.

I use PlexPy but that wouldn’t really help here. I am not so much concerned about family/friends doing bad things but don’t forget the number 1 networking rule “never trust your users”.

Basically every time I add someone to my Plex Home, I am increasing the number of user accounts that have the ability to do fast user switching to the admin account. Let’s say I add a friend who is not very technically inclined and they decide to use “password” as their password for Plex. Someone bad gets into their Plex account and sees that I am the admin (this is easily shown). All this bad person has to do is guess my PIN and they have admin access.

This seems kind of like a design flaw to me. I can’t think of another system where all it takes is a 4 digit PIN to make a non-admin user an admin user. It would be great if it was possible to disable fast user switching on a Plex Home. Ideally it would be best if fast user switching could just be disabled for the admin account.

My Plex server is open to the internet as I am sure most Plex servers are. This means botnets doing brute force attacks are eventually going to find you. I would disable admin access from the internet and only allow it from LAN if it was possible. Again, I am paranoid, I know. It just seems like it would be fairly easy to make some small changes that would greatly decrease this security risk.

Agree, has this been a feature request? I can request it if necessary.
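The brute-force prevention hoped for in the thread above ("max login attempts") could look like the following, an added example that is not part of the original thread and not Plex's implementation. The `PinGate` class, the profile names and the 5-failure, 60-second doubling policy are assumptions; the point shown is that failures are counted per target profile, so PIN attempts made through any Home member's account draw on one shared budget.

```python
import hashlib, hmac, os

MAX_FAILURES = 5      # assumed policy: failures before the first lockout
BASE_LOCKOUT_S = 60   # assumed policy: first lockout, doubled on each later failure

class PinGate:
    """Hypothetical profile switch guarded by a PIN, throttled per target profile."""

    def __init__(self):
        self._pins = {}    # profile -> (salt, PBKDF2 digest of the PIN)
        self._state = {}   # profile -> (failures, locked_until)

    @staticmethod
    def _digest(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, profile, pin):
        salt = os.urandom(16)
        self._pins[profile] = (salt, self._digest(pin, salt))

    def locked_until(self, profile):
        return self._state.get(profile, (0, 0.0))[1]

    def switch_to(self, signed_in_as, profile, pin, now):
        # signed_in_as is deliberately not part of the throttle key: failures
        # from every member account count against the same target profile.
        failures, locked_until = self._state.get(profile, (0, 0.0))
        if now < locked_until:
            return "locked"                      # PIN is not even evaluated
        salt, stored = self._pins[profile]
        if hmac.compare_digest(self._digest(pin, salt), stored):
            self._state.pop(profile, None)       # success clears the counter
            return "ok"
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = now + BASE_LOCKOUT_S * 2 ** (failures - MAX_FAILURES)
        self._state[profile] = (failures, locked_until)
        return "denied"

def evaluated_guesses(window_s):
    """Count wrong PINs the gate evaluates in window_s when the caller rotates
    member accounts and retries the moment each lockout expires."""
    gate = PinGate()
    gate.set_pin("admin", "4821")                # constructed sample PIN
    members, now, count = ["kid", "friend", "guest"], 0.0, 0
    while now < window_s:
        if gate.switch_to(members[count % 3], "admin", "0000", now) == "locked":
            now = gate.locked_until("admin")     # jump the simulated clock
        else:
            count += 1
    return count
```

Under this assumed policy, `evaluated_guesses(24 * 3600)` returns 15: a full day yields 15 evaluated guesses out of the 10,000 possible 4-digit PINs, no matter how many member accounts are used.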