Issue:
Syncthing suddenly started requiring a password, despite never setting one initially. This occurred on a fresh installation that was only installed 10 days ago. I opened the page at https://127.0.0.1:8384/# without problems for several days prior to today.
My friend, who also installed Syncthing 10 days ago, has encountered the same issue (we share folders via Syncthing).
System Info:
Version: v1.28.1 “Gold Grasshopper”
Build: go1.23.3 windows-amd64
Build date: 2024-11-24 21:55:12 UTC
OS: Windows 11 (my PC) / 10 (my friend's PC)
Workaround Applied:
We resolved the issue by:
Navigating to C:\Users\user\AppData\Local\Syncthing\config.xml
Locating the section
Removing the content of the user and password fields (kept API key intact)
I saw the thread "Authentication required? · Issue #9204 · syncthing/syncthing · GitHub" mentioning that this problem could be related to an update, but that is not the case as the installation was already on v1.28.1, based on the log in C:\Users\user\AppData\Local\Syncthing\syncthing.log (as asked by acolomb, I didn’t comment there but created a thread here instead).
I’ve spent a lot of my career in cybersecurity, including incident response. I would be looking very closely for signs that the devices in question have been compromised. And I would start with whatever your device and your friend’s device have in common that aren’t Syncthing.
For the sake of clarity: I have no reason to suspect that Syncthing itself is a source of compromise.
As far as I know the default behaviour is to not use user and password as we bind to localhost. When binding on a public IP instead of localhost the user gets a warning that they must set a username and password. But things never happen by themselves, especially when user input is needed like setting username or password.
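
An added example (not part of the thread and not Syncthing's own code): a read-only check of the GUI settings discussed above, reporting whether a user or password is set and whether the GUI listens beyond localhost. The element names `gui`, `address`, `user` and `password` are assumptions about the config.xml layout, and the sample config is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real config. The layout (a <gui> element with
# <address>, <user>, <password>, <apikey> children) is an assumption.
SAMPLE_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>127.0.0.1:8384</address>
    <user>someone</user>
    <password>$2a$10$CONSTRUCTEDPLACEHOLDERHASH</password>
    <apikey>CONSTRUCTED-API-KEY</apikey>
  </gui>
</configuration>"""


def is_loopback(address):
    """True if the host part of 'host:port' is a loopback address."""
    host = address.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host or other hostname: treat as not loopback


def audit_gui(xml_text):
    """Summarise GUI auth state and bind address without modifying anything."""
    gui = ET.fromstring(xml_text).find("gui")
    if gui is None:
        raise ValueError("no <gui> element found")
    address = (gui.findtext("address") or "").strip()
    user = (gui.findtext("user") or "").strip()
    has_password = bool((gui.findtext("password") or "").strip())
    findings = []
    if user or has_password:
        findings.append("GUI credentials are set; confirm who set them and when")
    if not is_loopback(address) and not (user and has_password):
        findings.append("GUI listens beyond localhost without user and password")
    return {"address": address, "user": user, "has_password": has_password,
            "loopback": is_loopback(address), "findings": findings}


if __name__ == "__main__":
    # To check a real file, read it and pass its text to audit_gui().
    for key, value in audit_gui(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Running this before clearing the fields records the user name that was set, which is worth keeping alongside the file's modification time and syncthing.log when working out where the credentials came from.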