November 24, 2004
Why Default Passwords Are a Bad Idea
I have never been a supporter of default passwords in a 'manufactured shipping state' piece of hardware. Why? Because most people are either too lazy to change it, or don't even know you need to.
The result? People collect the information and post a single list of default security passwords holding MANY of your favorite vendor products in one place so script kiddies can walk right in.
What could you do about it as a developer? Don't use default passwords. But you need them when shipping for first time login. Ok, ok. Well at least force it to a one time password unique to the machine. In the past I have used a unique seed against the hardware serial of the device, which means a SLIGHT alteration may be needed to the build process of the device. At the manufacturer, you would need to have the serial info which is normally added at the end, become PART of the software flashing process. I will leave how you would plan that up to you; it is possible though.
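Here is the per-device first-login scheme from the paragraph above in code. This is an added example, not code from the original post: the factory seed, serial numbers and label alphabet are constructed, and the "flashing" step is modelled as a dict that holds a salted hash of the derived password plus a must-change flag.

```python
import hashlib
import hmac
import secrets

# Label alphabet without look-alike glyphs (0/O, 1/I/l). 32 symbols, so one
# digest byte maps to one symbol without modulo bias (256 % 32 == 0).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def derive_initial_password(factory_seed: bytes, serial: str, length: int = 12) -> str:
    """Deterministic per-unit first-login password: HMAC-SHA256(seed, serial).

    The seed lives only in the provisioning system; a serial or one unit's
    password gives an attacker nothing about any other unit's password.
    """
    digest = hmac.new(factory_seed, serial.encode("ascii"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash; the device stores this, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def provision(factory_seed: bytes, serial: str) -> dict:
    """What the flashing step writes to the unit (constructed stand-in for firmware
    storage). The cleartext password only goes on the unit's label."""
    pw = derive_initial_password(factory_seed, serial)
    salt = secrets.token_bytes(16)
    return {"serial": serial, "salt": salt, "pw_hash": _hash(pw, salt), "must_change": True}

def login(unit: dict, password: str, new_password: str = "") -> str:
    """Returns 'rejected', 'change_required' or 'ok'.

    While must_change is set, the label password is only good for choosing a
    new one, so the value printed at the factory never stays in service.
    """
    if not hmac.compare_digest(_hash(password, unit["salt"]), unit["pw_hash"]):
        return "rejected"
    if unit["must_change"]:
        if not new_password or new_password == password:
            return "change_required"
        unit["salt"] = secrets.token_bytes(16)
        unit["pw_hash"] = _hash(new_password, unit["salt"])
        unit["must_change"] = False
    return "ok"
```

The serial must be fixed before the image is written, which is the build-process change the post talks about; if the seed ever leaks, every unit still in its factory state becomes a shared-default device again, so rotate it per production batch.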
Thanks to Foz for pointing out the list. One of these days I will have to post my list of default BIOS passwords.

Posted by SilverStr at November 24, 2004 07:10 AM