Default passwords: The hidden enterprise risk


This is a guest post written by Piyush Pandey, CEO at Appsian; his full bio follows the post.

In an old Simpsons episode, Homer Simpson says, “De fault! Woohoo! The two sweetest words in the English language!”  Unfortunately, cybercriminals are often the default winners when it comes to enterprise password hygiene. Every year, organizations spend millions of dollars to secure their software, services, and networks. Meanwhile, they often fail to realize that the default vendor or manufacturer-supplied passwords place their entire IT ecosystem at risk. As we celebrate National Password Day, let’s think about more than just how to create a strong password and take a look at where organizations need to set passwords. 

Boots on the ground: on-premises devices

Whether it’s an on-premises server, localized router, or connected Internet of Things (IoT) device, hardware that retains manufacturer-supplied passwords creates a data breach risk. A quick internet search for “typical default passwords” filtered by “within the last 12 months” shows a plethora of websites touting the most used passwords supplied by vendors and manufacturers.

For example, the lists include:

  • Top router models that most often use admin/Admin as the user ID and admin, Admin, password, or Password as the default password.
  • Top Cisco router default passwords that are either cisco or admin user ID and cisco or Admin for the password.

Identifying all enterprise devices and ensuring that they have unique administrative passwords acts as the first step toward creating a culture of password hygiene within the organization.

Watching the watchers: localized admin passwords

Problematically, organizational admins often have a single password that they share with users so that users can install important device updates, such as security patches, or software needed to complete their job functions.

For example, according to Broadcom, the CA Client localized administrator password defined as part of a PC’s configuration build is “default.” Every organization needs to specifically configure endpoint localized administrative passwords to secure their ecosystem.

No matter how healthy end user password hygiene is, an insecure localized admin password can allow cybercriminals to gain access to the device then move across the IT environment. Moreover, these accounts often have privileged access, meaning if one of them is compromised then the malicious actor can gain access not just to a single device but to all the information these accounts can access.


Look to the cloud: service accounts

Service accounts tend to be non-human user accounts that access APIs or operating systems. Often, they enable organizations to automate security patch updates. Because they manage systems and software, they also have privileged access within your cloud ecosystem.

While localized admins are human users that need passwords to update devices, service accounts connect through your network to devices or cloud services, such as Software-as-a-Service (SaaS) applications. These accounts, therefore, need privileged access as well.

However, as with localized admin and manufacturer-supplied passwords, vendor-supplied service account passwords are often readily available online. Malicious actors continuously attempt to “brute force” these accounts or use software that inserts the most popular default passwords in an attempt to “guess” correctly. If organizations are not changing these vendor-supplied passwords or monitoring service accounts’ access to the IT ecosystem, malicious actors can gain unauthorized access to sensitive information, leading to a data breach.

Steps to mitigating default password risks

At first glance, changing default passwords may seem simple. After all, it’s just a matter of a few clicks here and there. Problematically, many organizations incorporate hundreds or thousands of devices, services, and applications that need monitoring. What, then, can an organization do?

Identify all devices and privileged user accounts

Identifying potentially risky access points is often the most difficult step. Depending on the organization’s size and the types of data it collects, stores, and transmits, identifying all devices and privileged user accounts can be time-consuming.

Start by identifying all the devices that connect to your network. Once you know all the locations, make sure that your IT staff have changed all localized admin passwords and all manufacturer-supplied passwords.

Next, review your catalog of cloud services. Many companies offer free service account discovery tools that can help you identify these access risk points. Once you’ve identified them all, you can start the process of changing the passwords and securing the access.
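The two checks described above (cross-checking what is discovered on the network against the credential inventory, and confirming that no device still carries a vendor default) can be automated. The script below is an added example, not code from the original post or from Appsian; the inventory tool, its record format, the device names and the salted hashes are constructed assumptions. The default password list is the one the article itself names (admin/Admin/password/Password, cisco, and the CA Client build default “default”). The audit works on per-record salted hashes so the inventory export never has to hold plaintext admin passwords; it recomputes the hash of each known default and reports a finding only on a match.

```python
"""Audit a device inventory for vendor-default local admin credentials.

Added example (not from the original post). The inventory tool, its salted
record format and every host below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vendor/manufacturer defaults named in the article. Any device whose local
# admin secret still equals one of these is a finding, whatever the username.
DEFAULT_PASSWORDS = ("admin", "Admin", "password", "Password", "cisco", "default")


@dataclass(frozen=True)
class Credential:
    host: str
    username: str
    salt: bytes    # per-record salt written by the (hypothetical) inventory tool
    digest: bytes  # sha256(salt || password); the tool never stores the password


def digest_for(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(host: str, username: str, password: str) -> Credential:
    """Simulate what the inventory tool stores; used only to build sample data."""
    salt = os.urandom(16)
    return Credential(host, username, salt, digest_for(salt, password))


def default_in_use(cred: Credential) -> Optional[str]:
    """Return the vendor default this record still uses, or None if it was changed."""
    for candidate in DEFAULT_PASSWORDS:
        # Constant-time compare: the digests are secrets derived from the inventory.
        if hmac.compare_digest(cred.digest, digest_for(cred.salt, candidate)):
            return candidate
    return None


def audit(inventory: List[Credential], hosts_on_network: List[str]) -> List[Tuple[str, str]]:
    """Cross-check network discovery against the credential inventory.

    A host seen on the network with no inventory record is itself a finding:
    nobody can vouch that its default password was ever changed.
    """
    findings = []
    by_host = {c.host: c for c in inventory}
    for host in hosts_on_network:
        cred = by_host.get(host)
        if cred is None:
            findings.append((host, "discovered on network but absent from inventory"))
            continue
        pw = default_in_use(cred)
        if pw is not None:
            findings.append((host, f"local admin '{cred.username}' still uses vendor default '{pw}'"))
    return findings


# Constructed sample data (not real devices or passwords).
SAMPLE_INVENTORY = [
    make_record("core-rtr-01", "admin", "admin"),            # never changed
    make_record("edge-rtr-02", "cisco", "cisco"),            # never changed
    make_record("iot-cam-07", "admin", "v9Q#r2Lm!pWz4"),      # rotated to a unique secret
    make_record("build-pc-13", "Administrator", "default"),  # CA Client build default
]
SAMPLE_DISCOVERY = ["core-rtr-01", "edge-rtr-02", "iot-cam-07", "build-pc-13", "lab-switch-09"]


def run_sample_audit() -> List[Tuple[str, str]]:
    return audit(SAMPLE_INVENTORY, SAMPLE_DISCOVERY)


if __name__ == "__main__":
    for host, finding in run_sample_audit():
        print(f"{host}: {finding}")
```

Run it as-is to see four findings: two routers and one build PC still on a vendor default, and one switch that discovery found but the inventory does not know about. Feeding it a real export only requires replacing `SAMPLE_INVENTORY` and `SAMPLE_DISCOVERY` with records from your own tooling.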

Set conditional access policies

Particularly important for service account protection, conditional access policies apply additional attributes to the account IDs that enable the organization to control them and mitigate risk. Changing the passwords only provides one level of defense against cybercriminals. To ensure a layered approach, conditional access policies that incorporate multiple attributes act as a “Plan B.” For example, an organization can set a location as an attribute, allowing a service account to access its systems only from a specific data center IP address.

Mask the data

A third layer of protection is data masking. Identifying all of the accounts that need to have default passwords changed can be difficult, and your organization may not be able to locate every single login ID. When creating access policies, you can better protect data by “masking,” or hiding, information based on a series of attributes. For example, whether it’s a service account or a router, you can apply a “mask” to any systems or software that the account accesses. Devices and service accounts need access to networks and applications, but they do not need to read the information stored, collected, and transmitted there. By applying attribute-based access controls (ABAC) that limit what these identities can read in the environment, you ensure that even if a default password remains active and malicious actors leverage the account to move within your IT ecosystem, they cannot access or acquire sensitive data.
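The two controls from the last two steps work as one pipeline: a conditional access decision on the identity’s attributes (here, the data center source range the article gives as its example, plus an MFA attribute for human users), followed by attribute-based masking of whatever the identity is then allowed to read. The code below is an added example, not code from the original post or from Appsian; the identity model, the policy attributes, the field names and the records are constructed assumptions, and the masking rules are illustrative rather than any product’s.

```python
"""Conditional access plus attribute-based data masking.

Added example (not from the original post). The identities, policy attributes,
records and masking rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Fields that are masked unless the identity's attributes grant clear-text access.
SENSITIVE_FIELDS = {"ssn", "salary", "email"}


@dataclass
class Identity:
    name: str
    kind: str                                                   # "human" or "service"
    allowed_sources: List[str] = field(default_factory=list)    # CIDRs; empty = anywhere
    readable_fields: Set[str] = field(default_factory=set)      # sensitive fields seen in clear


def conditional_access(identity: Identity, context: Dict) -> Tuple[bool, str]:
    """Evaluate the account's attributes against the request context.

    The source-range attribute is the article's "Plan B": even a leaked default
    password is useless from outside the expected data center network.
    """
    if identity.allowed_sources:
        ip = ipaddress.ip_address(context["source_ip"])
        if not any(ip in ipaddress.ip_network(cidr) for cidr in identity.allowed_sources):
            return False, f"{identity.name}: {ip} is outside the allowed data center ranges"
    if identity.kind == "human" and not context.get("mfa", False):
        return False, f"{identity.name}: MFA required for human identities"
    return True, "allowed"


def mask_value(name: str, value) -> str:
    """Field-specific masking: keep only what a consumer legitimately needs."""
    text = str(value)
    if name == "ssn":
        return "***-**-" + text[-4:]
    if name == "email" and "@" in text:
        local, _, domain = text.partition("@")
        return local[:1] + "***@" + domain
    return "[masked]"


def mask_record(identity: Identity, record: Dict) -> Dict:
    return {
        k: (mask_value(k, v) if k in SENSITIVE_FIELDS and k not in identity.readable_fields else v)
        for k, v in record.items()
    }


def read_records(identity: Identity, context: Dict, records: List[Dict]) -> List[Dict]:
    """Deny outright on a failed access decision; otherwise return masked rows."""
    allowed, reason = conditional_access(identity, context)
    if not allowed:
        raise PermissionError(reason)
    return [mask_record(identity, r) for r in records]


# Constructed identities and data (not real people, accounts or networks).
PATCH_SERVICE = Identity("svc-patch", "service", allowed_sources=["10.20.0.0/16"])
HR_ANALYST = Identity("j.doe", "human", readable_fields={"salary", "email"})
RECORDS = [
    {"hostname": "hr-db-01", "owner": "Ada", "ssn": "123-45-6789",
     "salary": 98000, "email": "ada@example.com"},
]

if __name__ == "__main__":
    # The patching service account sees hostnames, but none of the HR data.
    print(read_records(PATCH_SERVICE, {"source_ip": "10.20.4.9"}, RECORDS))
    # The same account from an unexpected network is refused before any data is read.
    print(conditional_access(PATCH_SERVICE, {"source_ip": "203.0.113.5"}))
    # The analyst with MFA sees salary and email in clear, SSN still masked.
    print(read_records(HR_ANALYST, {"source_ip": "198.51.100.7", "mfa": True}, RECORDS))
```

The ordering matters: the access decision runs before any row is fetched, so a compromised service account connecting from outside its data center range never reaches the masking stage, and a service account that does pass still only sees the non-sensitive columns it needs to do its job.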

Passwords + Access Controls = Stronger Security

Many organizations recognize the impact poor human user password hygiene has on their security. However, as more organizations move to the cloud, they also incorporate a variety of non-human user identities that they need to monitor. Changing the passwords associated with human and non-human privileged access creates the first line of defense against cybercriminal activity. Incorporating defense in depth that uses multiple identity attributes to limit which resources these identities can access, and which data within those resources, ensures a holistic approach to data privacy and security.


About the author: Piyush Pandey, CEO at Appsian, is a technology executive with 18 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix, and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies, and a wireless startup.

Last Updated on February 3, 2021.
