Default password
Where a device needs a
Manufacturers of such equipment typically use a simple password, such as "admin" or "password", on all equipment they ship, expecting users to change the password during configuration. The default username and password are usually found in the instruction manual (common for all devices) or on the device itself.
Default passwords are one of the major contributing factors to large-scale compromises of
Many forms of malware, such as Mirai, have used this vulnerability. Once devices have been compromised by exploiting default credentials, they can themselves be used for various harmful purposes, such as carrying out Distributed Denial of Service (DDoS) attacks. In one particular incident, an attacker gained access to and control of a large number of networks, including those of the University of Maryland, Baltimore County, Imagination, and Capital Market Strategies L, by leveraging the fact that they were using the default credentials for their Netgear switch.[7]
Some devices (such as wireless routers) will have unique default router usernames and passwords printed on a sticker, which is more secure than a common default password. Some vendors will however derive the password from the device's MAC address using a known algorithm, in which case the password can also be easily reproduced by attackers.[8]
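As an added illustration of the three cases just described (a shared shipped default, a password derived from the MAC address, and a genuinely unique per-device password), the following audit classifies a device inventory accordingly. This is example code written for this article, not code from the article or from any vendor; the default list, the MAC-derivation scheme and the inventory are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed list of common shipped defaults (username, password); a real
# audit would load the vendor default lists for the equipment in use.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}

@dataclass
class Device:
    name: str
    mac: str
    username: str
    password: str

def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 uppercase hex digits, rejecting malformed input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits.upper()

def mac_derived_password(mac: str) -> str:
    """Hypothetical stand-in for a vendor scheme that derives the default from
    the MAC (constructed, not any real vendor's algorithm): the last six hex
    digits. The MAC is visible on the network, so a password equal to this is
    recoverable by anyone nearby and is no stronger than a shared default."""
    return normalize_mac(mac)[-6:]

def classify(dev: Device) -> str:
    """Classify a credential as 'default', 'mac-derived' or 'unique'."""
    if (dev.username, dev.password) in KNOWN_DEFAULTS:
        return "default"
    if dev.password.upper() == mac_derived_password(dev.mac):
        return "mac-derived"
    return "unique"

def audit(devices):
    """Return {device name: finding} for every device whose credential is weak."""
    return {d.name: c for d in devices if (c := classify(d)) != "unique"}

# Constructed sample inventory: one shipped default, one MAC-derived, one unique.
SAMPLE_INVENTORY = [
    Device("core-switch", "00:11:22:33:44:55", "admin", "password"),
    Device("lobby-ap", "aa-bb-cc-dd-ee-ff", "admin", "ddeeff"),
    Device("lab-router", "0A1B2C3D4E5F", "admin", "K7f!9pQ2xL"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {finding}")
```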
References
1. arXiv:1506.04112 [cs.CR].
2. "The Risk of Default Passwords". Security Laboratory: Methods of Attack Series. SANS. Retrieved 16 June 2015.
3. ISSN 0736-6981.
4. PMID 32486361.
5. ISSN 1530-8677.
6. "The Risk of Default Passwords". SANS Security Laboratory. SANS Technology Institute. Retrieved 3 June 2017.
7. "If your router is still using the default password, change it now!". IT World. IDG Communications, Inc. 7 December 2012. Retrieved 3 June 2017.
8. "Reversing D-Link's WPS Pin Algorithm". Embedded Device Hacking. 31 October 2014. Retrieved 16 June 2015.