A recent vulnerability found in the popular open-source database MySQL revealed a persistent problem for IT managers: password management among administrators.
Most talk about password security traditionally centers on end users and the weak, easy-to-guess passwords they choose. Even in companies where policies dictate more difficult passwords, one can stroll around the office and find passwords on sticky notes hanging from monitors.
What may go ignored are the passwords of administrators, who have access to the most critical systems in a business, often the ones holding the most sensitive data. Administrators should at a minimum be required to use more complex passwords, but it is the default password shipped with hardware and software that tends to slip through the due diligence of installation and deployment.
System Default Passwords
Most software and hardware comes with some sort of default administrative account to enable initial setup.
A cursory online search will reveal numerous sites giving the default user and password combinations for thousands of devices and applications.
This data is handy when inheriting or resetting old applications or devices. But it is also a free library for anyone who breaks into other people’s networks for fun or theft.
Thomas Kristensen, chief technology officer for security firm Secunia, said his firm does not usually make a big deal about default passwords, because they expect administrators will change them.
“However, we do write about certain types of these issues when the user names and passwords are undocumented, hidden or not easily changed,” he said.
Larry Rogers, senior technical staff member at the CERT Coordination Center at Carnegie Mellon University, believes failing to change default passwords is a symptom of a larger problem among system administrators.
“It seems that defaults of many kinds are not changed by system administrators when they install systems. Passwords are only one good example,” he said.
Forcing Password Change
Kristensen thinks the best approach is to have default accounts either disabled by default or to force password changes during configuration.
“At the very least, the documentation should clearly list and identify the default accounts and how to change them,” Kristensen added.
CERT’s Rogers agrees that it is a better practice to enable technology, where present, to force password changes, especially if that technology remembers previous passwords and disallows their reuse. However, that comes with a caveat.
“On the downside, this practice can force [administrators] to manufacture hard-to-remember passwords. These in turn may force them to commit those passwords to paper which at times is attached to a monitor or hidden under a keyboard.”
Rogers said one has to decide if the cure is worse than the disease.
The Pass Phrase
The concept of the pass-phrase replacing the password has been an item of discussion in many circles. Instead of using “P@ssworD” one could use “My favorite book is Fahrenheit 451,” for example.
Rogers suggests that a pass-phrase slows down a cyber-intruder by being less guessable than a traditional six- or seven-character password. However, he sees this as a short-term fix.
“If those pass phrases traverse a network whose traffic can be captured and therefore reused, the difference between a password and pass-phrase is negligible,” Rogers said.
Kristensen suggests that administrators migrating to pass-phrases would improve security to some extent.
More important to Kristensen is using a variety of passwords. “While it may be tempting to use the same password or slight variants of the same for many different places and systems, it could lead to an easy and wide-scale intrusion if the password was compromised.”
The MySQL incident very likely caused systems managers to step back and evaluate the hardware and software in production for other weak default accounts.
Kristensen encourages a best-practice policy of ensuring proper configuration at deployment. A regular audit of system credentials is also a good habit, with the frequency decided by the sensitivity of the systems and the resources available.
“A regular scan or audit using a good vulnerability scanner ought to aid in the detection of default accounts and accounts with weak passwords,” Kristensen added.
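As an added illustration of the audit described above (this is example code, not from the article or from Secunia or CERT), the script below checks a constructed account inventory for the three problems the article raises: vendor default credentials left unchanged, short traditional passwords where a pass-phrase would serve better, and one secret reused across several systems. Product names, the default-credential list, the inventory and the 16-character threshold are all constructed assumptions; the inventory holds only SHA-256 fingerprints, so the audit data is not itself a password list.

```python
import hashlib
from collections import defaultdict


def fingerprint(secret: str) -> str:
    """Store a digest rather than the secret so the inventory is not a password list."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed vendor defaults for placeholder products (not real vendor data).
VENDOR_DEFAULTS = {
    "exampledb": {("root", fingerprint("")), ("admin", fingerprint("admin"))},
    "examplerouter": {("admin", fingerprint("password"))},
}
MIN_PASSPHRASE_LEN = 16  # assumption: anything shorter counts as a "traditional" password


def record(host, product, user, password):
    """Build one inventory entry; the plaintext is discarded after fingerprinting."""
    return {"host": host, "product": product, "user": user,
            "fp": fingerprint(password), "length": len(password)}


def audit(inventory, defaults=VENDOR_DEFAULTS, min_len=MIN_PASSPHRASE_LEN):
    """Return sorted (host, user, issue) findings for default, short and reused credentials."""
    findings = []
    by_fp = defaultdict(list)
    for acct in inventory:
        if (acct["user"], acct["fp"]) in defaults.get(acct["product"], set()):
            findings.append((acct["host"], acct["user"], "default credential unchanged"))
        if acct["length"] < min_len:
            findings.append((acct["host"], acct["user"], "short password, prefer a pass-phrase"))
        by_fp[acct["fp"]].append((acct["host"], acct["user"]))
    for accounts in by_fp.values():
        if len(accounts) > 1:  # same secret on several systems: one compromise opens all of them
            for host, user in accounts:
                findings.append((host, user, f"password reused on {len(accounts)} accounts"))
    return sorted(findings)


# Constructed sample inventory.
SAMPLE = [
    record("db1", "exampledb", "root", ""),
    record("db2", "exampledb", "admin", "My favorite book is Fahrenheit 451"),
    record("rtr1", "examplerouter", "admin", "password"),
    record("web1", "exampleapp", "deploy", "P@ssworD"),
    record("web2", "exampleapp", "deploy", "P@ssworD"),
]

if __name__ == "__main__":
    for host, user, issue in audit(SAMPLE):
        print(f"{host}:{user}: {issue}")
```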