Changing default credentials

Default credentials are easy to find and are often used by attackers, especially if you have internet-facing systems.

We’ve received incident reports of New Zealand servers which have been included in wide-scale scanning/brute force attacks. These attacks performed scans across large IP ranges to identify open ports. Once identified, attackers used dictionaries of default and common credentials to perform brute force attacks.

Below are some steps that you can follow to start identifying and remediating any default credentials in your environment and some tips on making it easier to manage in the future.

Assess the hardware and software used

To understand all the ways a user can authenticate, assess the hardware and software you use. There are a few ways to do this:

1. If your organisation has an asset management process, you can review each type of IT asset. This means reviewing the authentication methods for your systems including:

  • routers

  • VOIP phones

  • wireless access points

  • any other network devices.

TIP: A configuration management database (CMDB), if you have one, can help identify those IT assets.

2. Scan your internal network to identify what hardware is connected and what software is running. You can scan your network using software discovery and inventory tools, such as software inventory in Windows System Centre Configuration Manager (SCCM), or using vulnerability scanning tools, such as Nessus or OpenVAS.

This step can be time consuming, so prioritise based on risk. Assess internet-facing and business-critical services first. Then check your environment for hardware or software that has known default credentials. For example, you could if products listed on sites like External Link are currently in your environment.

TIP: Some vulnerability scanning tools can actively test default or common credentials. This would allow you to check off this, and the next step. Before performing an active scan, understand the other security policies in your environment, such as account lockout or unauthorised access alerts.

Change and store new credentials securely

After you have identified the different authentication methods, check the credentials. Depending on how you manage credentials, there are a few things to look for:

  • Check the credentials for any default accounts in your password safe or storage. Make sure the passwords are not their default values and are not a commonly used password (like password, admin or god). Test the credentials to see if they’re still valid and change any that have default values on the device and in your safe.

  • If you can’t find the credentials for any of the default accounts, it would be best to reset the password. When in doubt, assume the default account uses the default password and get it changed.

  • When changing passwords, make sure the new password is unique and stored securely. Every organisation will have their own password policy; our advice is to set the value to something long, unique, strong, and not easy to guess (or a common default password value). Passwords should also be stored in a secure location, like a password manager.

TIP: If you can’t find the credentials for a default account, consider reviewing any authentication logs you may have. This will help you understand if the account was ever accessed and if so, when.

TIP: Before changing the password, check the authentication logs to see if the account is being used by other services. Changing the password could cause the services to fail and may impact your operations. This should not prevent you from changing it; it just means you may need to make additional changes after the password is changed.

Embed credential management into other processes

Add a check for default credentials in your onboarding processes. The hardware and software you use changes over time. Adding this step to your existing processes reduces the effort you need to put into ongoing management.

New devices may be built off a standard build or there may be a hardening guideline followed to secure it. Make sure this process includes changing the password to any default accounts and storing it to a secure location. If these default accounts are no longer required after initial configuration, make sure this process also includes disabling those accounts.

Monitoring credentials

Over time new devices may miss the on-board process or get factory reset, resulting in default credentials being left in place.  For example, if a product comes with default credentials and the product is factory reset, the password could revert to its original, default value. If this happens you’ll need to update the credentials again.

To get additional assurance, consider monitoring default accounts. For example you could configure alerts to trigger every time a default account is accessed. Or you could use a vulnerability scanning tool every couple of months to determine if any default or common passwords are in use.

Managing default credentials is one control to strengthen your network security - there are multiple components of authentication and credential management, and default credentials is just one of them. We explain a few of the other controls, like multi-factor authentication, password standards, and principle of least privilege on other sections of the website.