Many hardware and software products come with default credentials. These often allow users to have full administrative access to perform an initial setup. Unfortunately many people don’t change from the default credentials. Default credentials are often obtainable online or are easy to guess.
Attackers can use them manually or build them into a script that crawls the internet checking for exposed services. Last year Equifax had a data breach on an Argentinian employee portal which was accessed by using the credentials admin/admin. The Mirai botnet was made up of mostly devices that were accessed via default telnet credentials.
If you are using hardware or software that comes with default credentials, you need to make sure the passwords are changed and stored safely before they are used in your environment.
The intent of this control is to ensure the hardware and software products used within your organisation do not use default authentication credentials and do not use credentials that are often used by default (like admin or password).
Organisations have changed the default credentials to a unique username and password, and stored the new credentials in a secure location.
The goal of this control has been met when:
you’ve identified all different authentication methods used for each type of hardware and software used in the environment
based off the authentication methods identified, you have verified that any default credentials have been changed
you have set new passwords are long, unique, strong, and not easy to guess (or are not a common default or weak password)
credentials are stored in a secure location that is only accessible by people who require access for their job functions (like a systems administrator)
your implementation process includes hardening, which includes changing passwords for default accounts.
Key default credential takeaways
Identifying all the authentication methods used for all the hardware and software in your environment can be hard and time consuming. It is best to prioritise this work by looking at any internet-facing or business critical services first, then working on the rest.
If you don’t know what the passwords are to the default accounts that are enabled in your environment – it is best to assume that they are set to their default values. Change the passwords to a unique, long, and strong password and store them somewhere safe (like a password manager or safe).
Add a step to your hardware hardening and software deployment processes to change passwords for default accounts. If they’re no longer needed, disable the default accounts after doing the initial configuration.