Default Passwords

  • xor
    not
    • Aug 2007
    • 1347

    #1

    Default Passwords

    What does Robert Moore's admission in Information Week say about the state of IT security and upper management's commitment to it?

    "It's so easy. It's so easy a caveman can do it," Moore told Information Week, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

    xor

    http://www.informationweek.com/news/...leID=202101781
    Poll results (7 voters):
      • That management is willing to take the security hits and is not vested in IT Security: 28.57% (2 votes)
      • That there are too few security professionals out there to do the job: 0% (0 votes)
      • That there are not enough resources allotted to IT Security: 57.14% (4 votes)
      • All of the above: 14.29% (1 vote)
      • None of the above: 28.57% (2 votes)
      • XOR Shut up & Die Painfully: 14.29% (1 vote)

    The poll is expired.

    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.
  • Thorn
    Easy Bake Oven Iron Chef
    • Sep 2002
    • 1819

    #2
    Re: Default Passwords

    Originally posted by xor
    What does Robert Moore's admission in Information Week say about the state of IT security and upper management's commitment to it?

    "It's so easy. It's so easy a caveman can do it," Moore told Information Week, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

    xor

    http://www.informationweek.com/news/...leID=202101781
    This is nothing new. People just don't want to take the time or effort to actually think about security. Changing passwords from the default? Gosh, you have to think up the new password. You have to type 8 or more characters. You have to type them twice! Sheer madness! OH MY GAWD, THINK OF THE CHILDREN!

    As to what SANS's Alan Paller said, while a forced password change on the device power-up might help with a default password issue, it doesn't change the fact that people are really lazy about security. Last week I had a company admin complain to me that having email passwords was "useless" and served no real purpose. As a result of the mail server program requiring a minimum 8-character password, this person uses "password" as a default and doesn't require that users change it. When I explained a quick scenario where a disgruntled employee could easily log in as someone else and cause all sorts of havoc by merely sending bitch letters and threats between employees, this admin claimed that it was very unlikely that such a thing would ever happen anywhere, never mind at their company.
    Thorn
    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


    • xor
      not
      • Aug 2007
      • 1347

      #3
      Re: Default Passwords

      I got two messages from the interview/article.

      1. That organizations especially large ones need a better way to manage passwords for a lot of different devices. I think a well protected database of router and switch passwords where authorized people could access them is a lot better than default passwords. Also router manufacturers need a way to reset the password without disturbing the configuration.

      2. Users need to be taught ways to come up with strong passwords that actually can be remembered, or switch to biometrics. Password generators work, but the sequence of numbers doesn't relate in any way to the users' lives. So they end up getting written in a phone, under the keyboard or somewhere a determined or not so determined person could access.

      A method that I suggest to end users requires taking a familiar word and a familiar number and transposing digits and letters. This way, if forgotten, the user can figure it out by simply playing with the combinations of a familiar word and number. It at least starts someone on the path to strong passwords. Though this might not be acceptable for top secret or secret level work, it takes into account that as people get older they're not as able to remember complex series of numbers and letters that change every 14 - 30 days. I recommend anywhere from 8 - 16 characters minimum.

      Recently I had to use John the Ripper Pro 1.7.2 to crack a Unix password file for the root password; passwd. It took 6 days, brute force, for an 8 character password. John was running on a Dual 1.8GHz Power Mac G5. The password was a strong password consisting of random letters and numbers.

      xor

      "I don't need to remember my own phone number, I can just look it up in the phone book." - Albert Einstein. He would have written his password under the keyboard no doubt.
      Last edited by xor; September 29, 2007, 12:03.
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


      • Chris
        Great Satan of the East
        • Oct 2001
        • 2866

        #4
        Re: Default Passwords

        Originally posted by xor

        Recently I had to use John the Ripper Pro 1.7.2 to crack a Unix password file for the root password; passwd. It took 6 days, brute force, for an 8 character password. John was running on a Dual 1.8GHz Power Mac G5. The password was a strong password consisting of random letters and numbers.

        xor
        While I agree with your overall premise in your post, I do think it should be pointed out that 6 days is NOTHING to an attacker. root in 6 days== teh gud
        perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
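An added example, not part of this thread or of anyone's post: a small Python model that takes xor's 6-day brute force of 8 random alphanumerics as its only data point, derives the guess rate it implies, and projects exhaustive-search time at that rate for 12 and 16 random characters and for the "familiar word plus familiar number" habit. The 100,000-word dictionary and the four-digit number are constructed assumptions.

```python
"""Brute-force time model: the observed 6-day crack of 8 random
alphanumerics is the only data point; all other figures are derived
from it, worst case (the attacker has to try the whole keyspace)."""

ALNUM = 26 + 26 + 10        # a-z, A-Z, 0-9: the charset in xor's post
SIX_DAYS = 6 * 24 * 3600    # observed crack time, in seconds

def keyspace(charset_size, length):
    """Number of candidates of exactly `length` characters."""
    return charset_size ** length

def implied_rate(charset_size, length, seconds):
    """Guesses/second needed to exhaust that keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds

def exhaust_time_days(space, rate):
    """Days to try every candidate in `space` at `rate` guesses/second."""
    return space / rate / 86400

def word_plus_number_space(words, digits):
    """Assumed model of the 'familiar word + familiar number' habit:
    one dictionary word followed by a number of up to `digits` digits.
    Swapping a few letters for digits adds only a small constant factor
    and is not modelled."""
    return words * 10 ** digits

# guesses/second implied by xor's measurement (about 4.2e8)
OBSERVED_RATE = implied_rate(ALNUM, 8, SIX_DAYS)

def projection():
    """Days to exhaust each policy at OBSERVED_RATE."""
    return {
        "8 alnum (observed)": exhaust_time_days(keyspace(ALNUM, 8), OBSERVED_RATE),
        "12 alnum": exhaust_time_days(keyspace(ALNUM, 12), OBSERVED_RATE),
        "16 alnum": exhaust_time_days(keyspace(ALNUM, 16), OBSERVED_RATE),
        # constructed assumption: 100,000-word dictionary, up to 4 digits
        "word + 4 digits": exhaust_time_days(word_plus_number_space(100_000, 4),
                                             OBSERVED_RATE),
    }

if __name__ == "__main__":
    for policy, days in projection().items():
        print(f"{policy:20s} {days:12.3g} days")
```

At the same guess rate, the word-plus-number habit falls in a few seconds while 12 random alphanumerics take on the order of 10^8 days, which is the gap between Chris's "6 days is nothing" and the 8-16 character advice.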


        • DaKahuna
          Dirty Ol' Man
          • Apr 2006
          • 664

          #5
          Re: Default Passwords

          I tell users to write down their complicated passwords and put the piece of paper in their wallets next to their money.
          DaKahuna
          ___________________
          Will Hack for Bandwidth
