The default password problem is as old as the commercial sale of computer systems. Its first documented mention dates back to 1994, when the Computer Emergency Response Team Coordination Center (CERT/CC) issued an advisory to Silicon Graphics (SGI) on how to improve the security of its IRIX systems. From then on the scope of the problem kept growing, as Internet users either left the default password in place or chose passwords such as ‘opensesame’ that have no practical protective value. Needless to say, such passwords have always been a target for malware authors: well-known attacks on weak passwords include Agobot/Phatbot in 2004, psyb0t in 2009, the ‘Chuck Norris botnet’ in 2010 and ‘lightaidra 0x2012’ in 2012. Attackers were not the only ones to expose the problem, however. Security researchers have likewise discussed in detail how default passwords expose a system to external threats and how easily malware authors exploit these flaws. The most notable such discussion was initiated by David Fifield, whose Black Hat presentation walked step by step through how a default or weak password is compromised. Whatever ethical ambiguity that presentation entailed, it left no room for doubt about the severity of the default password problem.
The question then arises why manufacturers take no measures when they are perfectly aware of the default password problem. Dittrich, Carpenter, and Karir explain that manufacturers are simply not motivated to solve it: they are satisfied with the existing state of affairs because ‘the current circumstances minimize engineering and support expenses by externalizing the cost of properly securing these devices.’ Seen this way, the prospects of solving the problem quickly and effectively are rather poor.
Analysis of the Use of Default Passwords and User Passwords
In order to define solutions for minimizing the risk of attack, it is first necessary to understand how default and user passwords are used and what makes them so vulnerable to external threats. The first type is the default password. It is set by the manufacturer and most commonly repeats the user name (the most frequent pair being admin/admin). Such passwords are normally used to reach the initial setup, or after the device has been reset to factory defaults. Their use was relatively safe as long as the devices they protected could be reached only from the local area network (LAN). Once remote access was introduced, however, the same well-known credentials became reachable from anywhere on the Internet, and the exposure of such devices grew dramatically: an attacker no longer needs to guess anything, only to look the credentials up in the vendor's documentation or a published default-password list. It can therefore be concluded that a default password offers no protection at all in today's context.
The second type is the user password, which the user sets after completing the setup in order to obtain additional protection. The problem, as Dittrich, Carpenter, and Karir explain, is that most users prefer simple passwords such as ‘12345,’ ‘password,’ or ‘opensesame.’ Such passwords are easily guessed by modern botnets, which try a short list of common passwords against every device they can reach, so their protective value is roughly equal to that of a default password.
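The two weaknesses described in this section, a factory default pair and a common user-chosen password, can be checked mechanically. The following is an added example, not code from the report or from its sources: it audits a constructed device inventory against a small constructed list of default pairs and weak passwords, and then shows the replacement, a unique random password per device, together with the guessing work it imposes on a botnet. The lists, the inventory, the twelve-character policy minimum and the password alphabet are all assumptions made for illustration.

```python
"""Audit an inventory of device credentials against factory defaults and
common weak passwords, then generate the replacement: a unique random
password per device.  Added example, not code from the report or its
sources; the default list, weak list and inventory are constructed."""
import math
import secrets
import string

# Constructed list of factory default (username, password) pairs.  Real
# audits use vendor-specific lists that run to thousands of entries.
DEFAULT_PAIRS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("root", "admin"), ("user", "user"),
}
# Constructed list of the weak user-chosen passwords the report cites.
WEAK_PASSWORDS = {"12345", "123456", "password", "opensesame", "qwerty"}
MIN_LENGTH = 12  # assumption: local policy minimum

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def audit_credential(username: str, password: str) -> list:
    """Return the reasons a credential pair is unacceptable (empty if it passes)."""
    findings = []
    user, pw = username.lower(), password.lower()
    if (user, pw) in DEFAULT_PAIRS:
        findings.append("factory default pair")
    if pw in WEAK_PASSWORDS:
        findings.append("common weak password")
    if pw == user:
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each failing host to its findings; hosts that pass are omitted."""
    report = {}
    for device in inventory:
        findings = audit_credential(device["user"], device["password"])
        if findings:
            report[device["host"]] = findings
    return report


def generate_device_password(length: int = 16) -> str:
    """A fresh random password from the OS CSPRNG, generated per device."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work, in bits, for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


# Constructed sample inventory: two devices still on a default or weak
# password, one already rotated to a random credential.
INVENTORY = [
    {"host": "router-01", "user": "admin", "password": "admin"},
    {"host": "cam-02", "user": "root", "password": "opensesame"},
    {"host": "nas-03", "user": "backup", "password": "Vq9!rT2#mL8pX4sW"},
]

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(f"{host}: {', '.join(findings)} -> rotate to {generate_device_password()}")
    # A botnet working from the lists above needs at most eleven guesses per
    # device; a random 16-character password from this alphabet needs ~2**99.
    print(f"dictionary: {math.log2(len(WEAK_PASSWORDS) + len(DEFAULT_PAIRS)):.1f} bits")
    print(f"random 16 chars: {entropy_bits(16, len(PASSWORD_ALPHABET)):.1f} bits")
```

The point of the last two lines is the contrast the report draws in words: a default or dictionary password is found in a handful of guesses by a botnet that tries the same short list everywhere, whereas a password drawn uniformly from a 74-character alphabet cannot be guessed online at all. Run as a script, the audit prints the failing hosts and a replacement for each.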
Recommendation
Once the importance of the default password problem has been established, the question arises as to what can be recommended to stakeholders who want to establish an adequate level of security. On the face of it, the simplest answer is to stop using default passwords because they leave systems open to attack. A recommendation that imposes a restriction, however, should also propose an alternative. One of the best options is multi-factor authentication, which requires a user to present several proofs of identity before access is granted. Ideally, biometrics would serve as one of the factors, but not all devices are equipped with such technology yet, so it must be purchased separately at additional expense. A less sophisticated and cheaper form of multi-factor authentication combines the password with a one-time code sent to the user's personal mobile device by SMS. The second factor means that the password alone is no longer enough to log in; it does not, however, make the password irrelevant. The password should still be neither a default nor a common word, because SMS codes can themselves be intercepted or diverted (for example by a SIM-swap attack), and a weak password then leaves only that single, imperfect factor between the attacker and the system.
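The password-plus-SMS-code flow just described has a server side that is easy to get wrong: the code must be random, single-use, time-limited and attempt-limited, and the password must be checked before the code is ever sent. The following is an added example, not code from the report or its sources, of that flow in Python's standard library. It assumes scrypt for the stored password hash, a two-minute code lifetime and a three-attempt limit; the SMS gateway is abstracted as a callback and the clock is injectable so the whole exchange runs offline, and the user store is constructed.

```python
"""Password-plus-one-time-code login flow: the password is checked first,
then a random six-digit code is delivered out of band (SMS in the report)
and must be presented before access is granted.  Added example, not code
from the report or its sources; the delivery channel is a callback and
the clock is injectable so the flow can be exercised offline."""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 120   # assumption: a code expires after two minutes
MAX_CODE_ATTEMPTS = 3    # assumption: three wrong codes void the challenge


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted scrypt hash; only (salt, digest) is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class OneTimeCode:
    """One login's second-factor challenge: a random six-digit code that is
    single-use, time-limited and attempt-limited."""

    def __init__(self, send, now=time.time):
        self.send, self.now = send, now      # delivery callback, clock
        self.code, self.expires_at, self.attempts = None, 0.0, 0

    def issue(self) -> None:
        self.code = f"{secrets.randbelow(10**6):06d}"   # uniform over 10**6 values
        self.expires_at = self.now() + CODE_TTL_SECONDS
        self.attempts = 0
        self.send(self.code)   # hand to the SMS gateway (abstracted here)

    def verify(self, submitted: str) -> bool:
        if self.code is None or self.now() > self.expires_at:
            return False
        self.attempts += 1
        if self.attempts > MAX_CODE_ATTEMPTS:   # cap on online guessing
            self.code = None
            return False
        ok = hmac.compare_digest(submitted.encode(), self.code.encode())
        if ok:
            self.code = None      # single use
        return ok


# Dummy record so an unknown user costs the same scrypt work as a known one;
# otherwise response time would reveal which usernames exist.
_DUMMY = hash_password(secrets.token_hex(8))


def first_step(users: dict, username: str, password: str, factor: OneTimeCode) -> bool:
    """Factor one: the password.  On success a code is issued; nothing is granted yet."""
    salt, digest = users.get(username, _DUMMY)
    ok = verify_password(password, salt, digest) and username in users
    if ok:
        factor.issue()
    return ok


def second_step(factor: OneTimeCode, submitted: str) -> bool:
    """Factor two: the delivered code.  Only now is access granted."""
    return factor.verify(submitted)
```

Two details matter in practice. The code is only issued after the password has been verified, so an attacker without the password cannot make the system send codes to the victim at will, and the comparison of the submitted code uses a constant-time compare with a hard limit on attempts, because a six-digit code has only a million possible values and would otherwise be brute-forced online in minutes. This code does not address the SIM-swap and interception risk noted above; that is inherent in SMS as a channel and is the reason an authenticator application or hardware token is preferred where the device supports one.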
Another way to enhance system security is enterprise-wide protection. Here passwords are generated by a dedicated password management system, which can reset a password whenever necessary and defines the level of access each user receives. While this improves password generation, it also introduces a threat of its own: the security of all the data protected by those passwords now depends on the security of the management system itself. In other words, if the password management system is compromised, every password it holds becomes available to the attacker. Such a system must therefore be protected at least as strongly as the most sensitive asset it guards, and the passwords it stores should be kept encrypted rather than in the clear.
Conclusion
It can be concluded that the default password problem is a serious threat that needs to be addressed promptly by both organizations and private users. As shown in this report, there are several ways to enhance the security of a system without abandoning passwords altogether. The most effective of them is to implement multi-factor authentication, which requires users to present several proofs of identity before access is granted.
- Dittrich, David, Katherine Carpenter, and Manish Karir. ‘The Internet Census 2012 Dataset.’ IEEE Technology and Society Magazine (2015): 40-46.
- Everett, Cath. ‘Are Passwords Finally Dying?’ Network Security (2016): 18-19.
- Ganesan, Rajesh. ‘Stepping Up Security with Password Management Control.’ Network Security (2016): 10-13.