Skip to main content
SpringerLink
Log in

An Overview of the Usage of Default Passwords

  • Conference paper
  • First Online:
Digital Forensics and Cyber Crime (ICDF2C 2017)

Included in the following conference series:

Abstract

The recent Mirai botnet attack demonstrated the danger of using default passwords and showed it is still a major problem. In this study we investigated several common applications and their password policies. Specifically, we analyzed if these applications: (1) have default passwords or (2) allow the user to set a weak password (i.e., they do not properly enforce a password policy). Our study shows that default passwords are still a significant problem: 61% of applications inspected initially used a default or blank password. When changing the password, 58% allowed a blank password, 35% allowed a weak password of 1 character.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    http://digitalcommons.newhaven.edu.

  2. 2.

    Actian Ingres, Actian Vector, CA Datacom, CA IDMS, Clarion, Clustrix, Empress Embedded Database, EXASolution, eXtremeDB, GroveSite, IBM PureSystems, Infobright, Linter, Microsoft Visual FoxPro, NexusDB V4 Windows, NonStop SQL, Openbase, Postgres Plus Advanced Server, R:Base, SAP ADS, SAP Anywhere, SAP HANA, SAP Sybase ASE, SAP Sybase IQ, SQL Azure, SQream DB, UniData, Vertica.

References

  1. Booker, L.: Brute force attack targets WordPress sites with default admin username (2013)

    Google Scholar 

  2. Carroll, R.: Breached healthcare.gov server still had default password (2014)

    Google Scholar 

  3. Casey, B.: Network security risks: the trouble with default passwords (2014)

    Google Scholar 

  4. Christey, S., Martin, R.A.: Vulnerability type distributions in cve. Mitre report, May 2007

    Google Scholar 

  5. Gordineer, J.: Blended threats: a new era in anti-virus protection. Inf. Syst. Secur. 12(3), 45–47 (2003)

    Article  Google Scholar 

  6. Grassi, G.: Digital identity guidelines. National Institute of Standards and Technology (2016)

    Google Scholar 

  7. Hypponen, M., Nyman, L.: The internet of (vulnerable) things: on hypponen’s law, security engineering, and IoT legislation. Technol. Innov. Manag. Rev. 7(4), 5–11 (2017)

    Google Scholar 

  8. http://KrebsonSecurity.com. They hack because they can (2014)

  9. Martins, F.: Creating strong password policy best practices (2014)

    Google Scholar 

  10. Northcutt, S.: The risk of default passwords (2007)

    Google Scholar 

  11. Pham, T.: Default passwords: breaching ATMs, highway signs and POS devices (2014)

    Google Scholar 

  12. Duo Security: Utah department of health (UDOH) breach (2012)

    Google Scholar 

  13. Microsoft Customer Support: An unsecured SQL server server that has a blank (NULL) system administrator password allows vulnerability to a worm (2005)

    Google Scholar 

  14. Symantec Security Response. Mirai: what you need to know about the botnet behind recent major DDoS attacks, Oct 2016

    Google Scholar 

  15. Traynor, P., Butler, K., Enck, W., McDaniel, P., Borders, K.: Malnets: large-scale malicious networks via compromised wireless access points. Secur. Commun. Netw. 3(2–3), 102–113 (2010)

    Article  Google Scholar 

  16. Van Heerden, R.P., Vorster, J.S.: Statistical analysis of large passwords lists, used to optimize brute force attacks (2009)

    Google Scholar 

  17. Vijayan, J.: Weak passwords still the downfall of enterprise security (2012)

    Google Scholar 

  18. Vinton, K.: Data breach bulletin: home depot, healthcare.gov, JP morgan (2014)

    Google Scholar 

  19. Vu, K.P.L., Proctor, R.W., Bhargav-Spantzel, A., Tai, B.L.B., Cook, J., Schultz, E.E.: Improving password security and memorability to protect personal and organizational information. Int. J. Hum. Comput. Stud. 65(8), 744–757 (2007)

    Article  Google Scholar 

  20. Westervelt, R.: Verizon data breach report finds employees at core of most attacks (2013)

    Google Scholar 

  21. Williams, C., Spanbauer, K.: Understanding password quality (2001)

    Google Scholar 

  22. Wisniewski: Naked security (2016)

    Google Scholar 

  23. Wright, J.: Oracle worm proof-of-concept (2005)

    Google Scholar 

  24. Zanero, S.: Wireless malware propagation: a reality check. IEEE Secur. Priv. 7(5), 70–74 (2009)

    Article  Google Scholar 

Download references

Acknowledgements

Special thanks go to Mohammed Nasir who initially started this research project and Matthew Vastarelli for supporting us.

Author information

Authors and Affiliations

  1. Cyber Forensics Research and Education Group (UNHcFREG), Tagliatela College of Engineering, University of New Haven, West Haven, CT, 06516, USA

    Brandon Knieriem, Xiaolu Zhang, Philip Levine, Frank Breitinger & Ibrahim Baggili

Authors
  1. Brandon Knieriem
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Xiaolu Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Philip Levine
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Frank Breitinger
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ibrahim Baggili
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Frank Breitinger .

Editor information

Editors and Affiliations

  1. Brno University of Technology , Brno, Czech Republic

    Petr Matoušek

  2. SBA Research Vienna , Vienna, Austria

    Martin Schmiedecker

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Knieriem, B., Zhang, X., Levine, P., Breitinger, F., Baggili, I. (2018). An Overview of the Usage of Default Passwords. In: Matoušek, P., Schmiedecker, M. (eds) Digital Forensics and Cyber Crime. ICDF2C 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 216. Springer, Cham. https://doi.org/10.1007/978-3-319-73697-6_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-73697-6_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73696-9

  • Online ISBN: 978-3-319-73697-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation