Default Passwords - Problems in Predictability

Default passwords are not some series of enigmas that most people cannot hope to understand. In fact, many users interact with default passwords throughout their daily activities – and therein lies the problem. Whether out of habit, defiance, or plain lackadaisical negligence, users still refrain from changing default passwords. This practice introduces additional, wholly unnecessary security risk into an environment that is meant to protect important, sensitive data.

Alongside the username-and-password authentication combo comes the desire to make things as simple as possible. This is especially true when onboarding new users to a given environment. The danger arises when usability is achieved by sacrificing security. The problem with default passwords illustrates just how dangerous that trade-off can be.

Default Passwords Must Always Be Changed

Regardless of what they are used for, default passwords need to be changed immediately upon being introduced to a digital environment or network. As noted in this article from the SANS Technology Institute, many manufacturers provide default passwords to enable easy initial access to additional features, security settings, etc. However, these default passwords are published in a whole host of different locations. Those resources are typically meant for users who forget the default credentials – but you can be sure that hackers use the same resources as well.

Internal Devices

Devices such as printers, routers, and other on-premises hardware often connect directly to a network behind a firewall. These devices also ship with default usernames and passwords to allow for initial configuration and integration with that network. Unfortunately, users and administrators will often leave those credentials as is, with the same default passwords the new devices were shipped with. The general consensus is that surely such devices are safe behind a firewall - but we've all learned that hackers are smarter than that.

If you give them an inch - you can be sure that intrepid hackers will take every mile they can get.

User Credentials

This brings me to my next point: default user credentials. Think about your daily life for a moment: at work, at home, or even on individual websites - you are bound to come across a password that is standard in one way or another. Administrator passwords for use around the office, a single password that you use for random websites - the list goes on and on. We establish default passwords for our own use because it spares us from having to remember even more passwords than we already do.

We've all heard the message: never reuse old or weak passwords. It just seems like we haven't taken it to heart.

Advice from Personal Experience – Default Algorithms

It’s not just technology manufacturers and random administrators who trust devices - and even users - with default passwords. Educational institutions often take a similar approach to onboarding new students, faculty, and staff.

I once worked for a college help desk that dedicated many resources to helping students set up various accounts and hardware during move-in day. It was a hectic time to begin with, and nobody wanted to deal with the added confusion of remembering a complex series of credentials just to set up their room for wireless or wired access. The institution actually used a set algorithm to determine the ‘default passwords’ for students. It hit many of the marks for a strong password, yet it was still relatively weak and simple to guess.

Typical Algorithm Successes
  • Upper and Lower Case Letters
  • Numbers
  • Longer than 10 Characters
  • No Dictionary Words

At first glance, it doesn’t look half bad. The problem lies in the algorithm itself – the pattern never varied. The idea behind the algorithm was to use data that only the student would know: a unique student ID number. Unfortunately, students are not always careful about where they share certain information, and ID numbers were often simple to find. I found this out myself while working in the call center: I was helping an increasing number of students regain access to their accounts because the default passwords had been changed without the students knowing.

In retrospect, I wish I had known then what I know now. If I had, I would have spoken up to advocate for change. Eventually, students were encouraged to change the default passwords, and password expiration was implemented. Unfortunately for many, the damage had already been done. When it comes to default passwords, the story is often the same:

User keeps the password because it is simple to use and remember ---> Hacker figures out the pattern ---> Hacker easily guesses the default password ---> Hacker gains control of the account and any other accounts that use the same default password.

It’s sad, but it happens, and default passwords make the process a snap for even a novice hacker.

So, Here's My Advice

Advice for Administrators: Implement an initial password reset based on imported user data. When the user tries to log in for the first time, force a password reset, and make sure the new password meets the requirements of your institution's password policy. The process doesn't have to be difficult and should take no longer than a minute or two. Making these changes can seriously increase security where it counts.
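The administrator advice above, as an added example that is not the post's or any institution's code: a Python sketch of a batch import that issues each account a random one-time credential and refuses the first login until the user sets a password that passes the policy. The roster field names, the small word list, and the policy thresholds (taken from the bullet list earlier) are assumptions; the "derived_from_id" rule is there because a password built from the student ID is exactly the pattern the post warns about.

```python
import hashlib, hmac, os, secrets

ROSTER = [{"username": "jdoe", "student_id": "20231234"}]  # constructed import row (hypothetical fields)
DICTIONARY = {"password", "welcome", "college", "student"}  # stand-in for a real word list


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def policy_violations(password, student_id):
    """Names of the policy rules a candidate password breaks; empty means acceptable."""
    rules = {
        "length": len(password) > 10,
        "case": password != password.lower() and password != password.upper(),
        "digit": any(c.isdigit() for c in password),
        "dictionary": not any(w in password.lower() for w in DICTIONARY),
        # The post's lesson: anything built from the student ID is guessable, not secret.
        "derived_from_id": student_id not in password and student_id[-4:] not in password,
    }
    return [name for name, ok in rules.items() if not ok]


def import_users(roster):
    """Create each account with a random one-time credential and a must-change flag."""
    accounts, one_time_codes = {}, {}
    for row in roster:
        salt, code = os.urandom(16), secrets.token_urlsafe(12)  # code is handed to the user out of band
        accounts[row["username"]] = {"student_id": row["student_id"], "salt": salt,
                                     "hash": hash_pw(code, salt), "must_change": True}
        one_time_codes[row["username"]] = code
    return accounts, one_time_codes


def login(accounts, username, password, new_password=None):
    """Authenticate; on a first login, refuse access until a compliant new password is set."""
    acct = accounts.get(username)
    if acct is None or not hmac.compare_digest(acct["hash"], hash_pw(password, acct["salt"])):
        return "denied"
    if acct["must_change"]:
        if new_password is None:
            return "reset_required"
        bad = policy_violations(new_password, acct["student_id"])
        if bad:
            return "rejected:" + ",".join(bad)
        acct["salt"] = os.urandom(16)
        acct["hash"] = hash_pw(new_password, acct["salt"])
        acct["must_change"] = False
    return "ok"
```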

Advice for Users: Be more security conscious. If anything uses a variation of 'admin' and 'password' for initial credentials, change them immediately. You'll end up kicking yourself if and when you get hacked because your password was that simple to guess. I know I did. If it's super simple for you, chances are that it is super simple for hackers as well.

Human Nature is Predictable

Always remember that major tenet of social engineering: people are predictable. Attackers bank on the fact that many users and administrators will not change default passwords. Always swim against the grain and refuse to get caught up in the mainstream. Choosing usability is predictable - don't let default passwords be the reason your environment gets hacked.
