Security Advisor warning - plex user weak password

I’ve been using PMS on Synology for many years, but for some reason (only recently) Synology’s Security Advisor weekly scan has started reporting that the ‘plex’ user has a weak DSM login password.

As I understand it, the plex user is essentially a ‘service account’, and nobody actually knows the password for it (generated at install time?).

Is it safe to change the password of the plex user?

Ideally I don’t really want to mess with anything (as my Plex setup is working nicely), but equally I don’t want to keep being warned by Security Advisor that one of the accounts on my server has (what it considers to be) a weak password.

Has anyone else had this Security Advisor warning for their plex user? If so, what did you do?

Thanks.

DSM’s warning is a false positive.

If DSM strict requirements are scanned for:

  1. DSM requires upper & lower case passwords (but how would it know the decrypted?)
  2. DSM requires punctuation. Again, how would it know?

I say this because I use uuidgen to create a 256-bit random password for user plex, which cannot be logged into, for added security. Predicting the output of uuidgen is virtually impossible, which makes the password virtually impossible to predict.

Anyone who does manually set the password for user plex is compromising their security and at their own risk.

Thanks @ChuckPa.

I’ll redirect my query to the Synology folks and get them to comment on why Security Advisor is flagging this user incorrectly.

It sounds like a bug on their side.

For use in your communication with them, here is the script excerpt which creates user plex.

You can find this yourself in /var/packages/Plex Media Server/scripts/postinst:

  # create user with random password
  echo "Creating Plex user."
  synouser --add plex $(uuidgen -c-8) 'Plex User' 0 '' ''

If they are interested in maximal security, I will see what I can do to increase the complexity.

Thanks again @ChuckPa.

If you’re interested in following along, here’s the link to my post over at Synology’s forums:

Thanks Scott, Greatly appreciated.

Do you see why I have concerns about how Synology thinks it can determine the password strength by examining the one-way encrypted string in /etc/shadow?

Are they also storing the plain-text password in their private database (which they do for many things)?

If this is what’s happening, I can easily increase the complexity.

I can further increase complexity by again disabling the sign-in (if on) and randomizing the Plex password with each update.
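
Added example, not part of the original posts or of the Plex package scripts: a shell check for the character classes named in the thread (upper case, lower case, punctuation, plus digits and a minimum length) and a generator that draws a service-account password from /dev/urandom until it satisfies them. The function names `meets_class_policy` and `gen_service_password`, the length defaults and the punctuation set are assumptions, and the check is a stand-in for a character-class policy, not Synology's actual Security Advisor logic.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the Plex package or DSM.

# Succeeds if $1 is at least $2 characters (default 12) and contains a lower
# case letter, an upper case letter, a digit and a punctuation character.
# Stand-in for a character-class policy; not Security Advisor's real logic.
meets_class_policy() {
  _pw=$1; _min=${2:-12}
  [ "${#_pw}" -ge "$_min" ] || return 1
  case $_pw in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $_pw in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $_pw in *[[:digit:]]*) ;; *) return 1 ;; esac
  case $_pw in *[[:punct:]]*) ;; *) return 1 ;; esac
  return 0
}

# Prints a password of $1 characters (default 32) drawn from /dev/urandom,
# about 6 bits per character, retrying until every class is present.
# The punctuation set avoids quotes, spaces and shell metacharacters.
gen_service_password() {
  _len=${1:-32}
  while :; do
    _cand=$(head -c "$((_len * 8))" /dev/urandom |
      LC_ALL=C tr -dc 'A-Za-z0-9_.,:+=@%-' | cut -c1-"$_len")
    if meets_class_policy "$_cand" "$_len"; then
      printf '%s\n' "$_cand"
      return 0
    fi
  done
}

# Constructed sample: UUID text in lower case hex, as uuidgen prints on Linux.
sample='3f2a9c1e-7b4d-4e0a-9c6f-5d1b2a8e4f70'
if meets_class_policy "$sample"; then
  echo "uuid text: passes"
else
  echo "uuid text: fails the class policy (no upper case letter)"
fi
new=$(gen_service_password 32)
echo "generated ${#new}-character password; value not printed"
```

A string that is random but drawn only from lower case hex fails a class-based rule no matter how unpredictable it is, which is the distinction between entropy and policy compliance that the thread turns on.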
