Default Passwords Pose Security Problems for Many Organizations

Much to-do is made about people choosing poor passwords to protect sensitive information in their care. Just this week, for example, a company that could well serve as the poster child for password worst practices paid the U.S. Federal Trade Commission US$250,000 for its security sins.

The company, RockYou, exposed the personal information of about 32 million of its customers to hackers in 2009. A subsequent study of that information revealed that the passwords chosen by those customers were so weak that a brute-force attack using a dictionary containing the 5000 most commonly used passwords could crack 1000 accounts every 17 minutes.

However, administrators can be as careless as the members of their flocks when it comes to password practices. In its annual data breach report [PDF] released earlier this month, Verizon found that only 42 percent of the 855 companies contributing information for the study said they do not use vendor-supplied defaults for system passwords and other security parameters. That means 58 percent of the companies use passwords that are publicly available on the Internet.

That 42 percent, by the way, is an increase over 2010 (33 percent) and 2009 (30 percent) but a decline from 2008 (49 percent).

Point Of Sale (POS) systems are particularly egregious when it comes to password vulnerabilities, the report said.

“In the 2011 caseload, we observed that for the vast majority of incidents (85%), attackers are able to compromise the victim very quickly (minutes or faster),” it said.

“This result is largely (but not exclusively) the byproduct of the many automated, quick attacks against smaller organizations in the 2011 caseload,” it added. “It just doesn’t take that long to pop a POS system using a scripted list of known usernames and passwords.”

Lists of logins and passwords may be published to the Web with good intentions. For instance, the poster of one such list observed:

“This listing is only provided as a resource to network administrators and security professionals. It is also meant to remind people that a serious problem exists when people configure a network or a computer system and do not change these passwords.”

The list contains logins and passwords for almost 400 devices and software programs from companies such as 3Com, Alcatel, Apple, Cisco, Dell, HP, IBM, Lucent, Microsoft, Netgear, Novell, Oracle, SonicWALL and Trend Micro.

With IT budgets what they are, some administrators may be hard pressed to hunt through the backwaters of their networks searching for default passwords. A promising solution to that problem was unveiled recently at the RSA Conference for security professionals held in San Francisco.

Lieberman Software, a maker of password management software based in Los Angeles, has incorporated into the latest version of its Enterprise Random Password Manager a “known password discovery” feature. It can scan a network and detect and secure default and well-known privileged logins that make it easy for unauthorized individuals and malware to gain control of sensitive data.

The software has the ability to discover factory default passwords and alert an IT department to their existence, which can be a significant security enhancement for many large enterprises.
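As an added illustration of the kind of offline check such a discovery feature performs (example code written for this page, not Lieberman's product): it compares the credential hashes found in a configuration export against a table of vendor defaults, so nothing is ever tried against a live device. The export format (hex SHA-256 over salt + password), the vendor and model names and the default values are all constructed placeholders.

```python
import hashlib
import hmac

# Constructed vendor-default table keyed by (vendor, model); the values are
# placeholders for this example, not real vendor credentials.
KNOWN_DEFAULTS = {
    ("ExampleNet", "RouterX"): [("admin", "FACTORY-PW-A"), ("support", "FACTORY-PW-B")],
    ("ExamplePOS", "Terminal9"): [("operator", "FACTORY-PW-C")],
}

def credential_hash(password, salt):
    """Assumed export format: hex SHA-256 over salt + password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def audit_inventory(inventory, defaults=KNOWN_DEFAULTS):
    """Flag hosts whose stored hash matches a known default for their vendor/model.
    Also reports hosts that were checked and are clean, and hosts of a model the
    table does not cover (a coverage gap the auditor must follow up on)."""
    report = {"default": [], "clean": [], "unchecked": []}
    for dev in inventory:
        candidates = defaults.get((dev["vendor"], dev["model"]))
        if candidates is None:
            report["unchecked"].append(dev["host"])
            continue
        hit = False
        for user, pw in candidates:
            if user != dev["username"]:
                continue
            expected = credential_hash(pw, dev["salt"])
            # constant-time comparison of the two hex digests
            if hmac.compare_digest(expected, dev["password_hash"]):
                report["default"].append((dev["host"], user))
                hit = True
        if not hit:
            report["clean"].append(dev["host"])
    return report

def make_device(host, vendor, model, username, password, salt):
    """Build one constructed inventory record in the assumed export format."""
    return {"host": host, "vendor": vendor, "model": model, "username": username,
            "salt": salt, "password_hash": credential_hash(password, salt)}

# Constructed sample inventory: one router still on its default, one changed,
# one POS terminal on its default, and one model the table does not cover.
SAMPLE_INVENTORY = [
    make_device("edge-rtr-01", "ExampleNet", "RouterX", "admin", "FACTORY-PW-A", "s1"),
    make_device("edge-rtr-02", "ExampleNet", "RouterX", "admin", "Changed-Long-Passphrase", "s2"),
    make_device("pos-01", "ExamplePOS", "Terminal9", "operator", "FACTORY-PW-C", "s3"),
    make_device("cam-07", "ExampleCam", "Dome2", "root", "Changed-Too", "s4"),
]
```

The "unchecked" bucket matters as much as the hits: a device whose model is missing from the default table has not been cleared, only skipped.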

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.


  1. R. Pauls · April 1, 2012

    Poor passwords should be blamed on the user. He or she alone has the sole responsibility for keeping his or her account protected at all times. Being ignorant or not knowledgeable enough about the woes of the World Wide Web is not a good excuse.

    For the platform’s part, it can add more features to augment its security. For instance, aside from forcing the user to make a very strong password with a combination of three or more special characters + text + numbers, it can add a PIN. Yes, just like an ATM. So the next time the user accesses an account, he or she must input a password and the PIN.

  2. Shane Briggs · April 13, 2012

    In an organization there has to be a give-and-take procedure. Like in this case on the safety of one’s network and passwords, I believe both users and system administrators must be strict in dealing with it. The administrators must be obliged to change passwords that were given as defaults for the safety of their system. On the other hand, the users must also know the risks when creating passwords. Users have to be constantly reminded that their passwords should be unique and be kept to themselves only.

    It is recommended for the organization to conduct orientation and regular meetings to create a mutual understanding among the key players on the importance of having a secured network.
