Department of Homeland Security Issues Alert on the Risks of Factory Default Passwords
US-CERT recommends replacing factory default passwords before connecting systems with the internet, and using strong authentication like two-factor authentication.
The reputation of passwords as an effective security tool took another hit yesterday when the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) issued an alert on the risks of vendor-supplied default passwords.

Stating that it is crucial to change default manufacturer passwords since “Attackers can easily identify and access internet-connected systems that use shared default passwords,” the alert goes on to point out how simple it is for attackers to discover default passwords. Manufacturer default passwords can be ferreted out from product documentation or found posted on countless internet forums. Vulnerable systems can also be uncovered using search engines like Shodan, or even by scanning the entire internet.
For most security professionals this isn’t news. For instance, in 2010 Dark Reading reported on the vulnerability of systems using manufacturer default passwords. However, the Homeland Security alert may be just what it takes to make small and medium-sized organizations aware of the threat of account takeover from default passwords. Too many businesses are unaware of the weaknesses of passwords in general and are still giving the bad guys a free pass by using passwords as their only method of authentication.
US-CERT suggests you use multi-factor authentication whenever possible

Two-factor authentication is the logical first line of defense against attackers using default manufacturer passwords. By using two-factor as a first line of defense on external servers, you can prevent an attacker with stolen credentials from breaking in via a remote login like a VPN or SSH. If an attacker is already on your network, though, they may be able to intercept credentials through a man-in-the-middle attack. In this case, two-factor may be your last line of defense against a total compromise of your internal hosts, greatly limiting the amount of damage an attacker can cause. If you’re considering two-factor (and if you don’t have it you ought to be) keep in mind that Duo offers you the most secure, easiest to deploy two-factor authentication on the market.
Other solutions recommended by US-CERT include:
- Change default passwords before deploying any system, especially if the system is to be used on the internet
- Vendors should consider using unique default passwords
- Force default password changes
- Restrict network access to trusted hosts
- Identify affected products
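As an added example (not from the post, and not US-CERT tooling), here is a small audit that checks a device inventory export against three of the controls above: a factory default still in place, management reachable from outside the trusted networks, and remote login without multi-factor authentication. The vendor and model names, the default credential strings, the trusted ranges and the inventory records are all constructed placeholders.

```python
"""Audit a device inventory against the US-CERT controls listed above.

Added example, not part of the original post or of any US-CERT tooling.
Vendors, models, default strings, trusted ranges and inventory records
are constructed placeholders.
"""
import hashlib
import ipaddress


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Documented factory defaults per (vendor, model), stored hashed so the
# audit script itself does not carry plaintext defaults. Placeholders.
KNOWN_DEFAULTS = {
    ("ExampleVendor", "RouterX"): {_h("admin"), _h("password")},
    ("ExampleVendor", "CameraY"): {_h("12345")},
}

# Networks from which management access is permitted (placeholder ranges).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("192.168.50.0/24")]


def _within_trusted(allowed_sources):
    """True only if every allowed source range sits inside a trusted net."""
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(t) for t in TRUSTED_MGMT_NETS):
            return False  # e.g. 0.0.0.0/0 is never inside a trusted range
    return True


def audit_inventory(devices):
    """Return (device name, finding) tuples, one per control not met."""
    findings = []
    for d in devices:
        key = (d["vendor"], d["model"])
        if key in KNOWN_DEFAULTS and _h(d["admin_password"]) in KNOWN_DEFAULTS[key]:
            findings.append((d["name"], "factory default password still set"))
        if not _within_trusted(d["mgmt_allowed_from"]):
            findings.append((d["name"], "management reachable from untrusted networks"))
        if not d["mfa_enabled"]:
            findings.append((d["name"], "no multi-factor authentication on remote login"))
    return findings


# Constructed sample inventory: one device fails all three controls.
SAMPLE_INVENTORY = [
    {"name": "edge-rtr-1", "vendor": "ExampleVendor", "model": "RouterX",
     "admin_password": "admin", "mgmt_allowed_from": ["0.0.0.0/0"], "mfa_enabled": False},
    {"name": "lobby-cam-2", "vendor": "ExampleVendor", "model": "CameraY",
     "admin_password": "Rq7!x9mLw2", "mgmt_allowed_from": ["10.20.5.0/24"], "mfa_enabled": True},
]

if __name__ == "__main__":
    for name, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```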