Abstract
The recent Mirai botnet attack demonstrated the danger of default passwords and showed that they are still a major problem. In this study we investigated several common applications and their password policies. Specifically, we analyzed whether these applications (1) ship with default passwords or (2) allow the user to set a weak password (i.e., they do not properly enforce a password policy). Our study shows that default passwords are still a significant problem: 61% of the applications inspected initially used a default or blank password. When the password was changed, 58% accepted a blank password and 35% accepted a weak password of a single character.
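The two failure modes the abstract measures, a credential that is still at its shipped default and a policy that accepts a blank or one-character replacement, are both things an application can check at enrollment time. The following is an added illustration, not code from the paper or from any of the applications it surveyed: a small policy checker that rejects blank, too-short, single-character and well-known default passwords, plus an audit helper for an inventory of current credentials. The default-password list and the inventory are constructed sample data; the minimum length of 8 follows the NIST digital identity guidelines cited by the paper.

```python
"""Password-policy enforcement and default-credential audit (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample of vendor default credentials; a real deployment would
# load a maintained list instead of this hard-coded set (assumption).
DEFAULT_PASSWORDS = frozenset({
    "admin", "password", "root", "12345", "123456", "12345678",
    "default", "guest", "changeme",
})

# NIST SP 800-63B minimum length for user-chosen memorized secrets.
MIN_LENGTH = 8


@dataclass(frozen=True)
class PolicyResult:
    accepted: bool
    reason: str


def normalize(pw: str) -> str:
    """Fold case and trim so 'Admin ' matches the default entry 'admin'."""
    return pw.strip().casefold()


def check_password(candidate: str, username: str = "") -> PolicyResult:
    """Decide whether a user-chosen password may be accepted.

    Checks are ordered from cheapest to most specific; the first failing
    rule is reported so the caller can show a precise reason.
    """
    if candidate is None or candidate == "":
        return PolicyResult(False, "blank password")
    if len(candidate) < MIN_LENGTH:
        return PolicyResult(False, f"shorter than {MIN_LENGTH} characters")
    norm = normalize(candidate)
    if norm in DEFAULT_PASSWORDS:
        return PolicyResult(False, "well-known default password")
    if username and norm == normalize(username):
        return PolicyResult(False, "password equals username")
    if len(set(candidate)) == 1:
        # e.g. 'aaaaaaaa' passes the length rule but carries no entropy
        return PolicyResult(False, "single repeated character")
    return PolicyResult(True, "ok")


def audit_initial_credentials(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the names of applications whose current credential is blank
    or a known default, i.e. the population the paper's 61% figure counts."""
    flagged = []
    for app, current_pw in inventory:
        if current_pw == "" or normalize(current_pw) in DEFAULT_PASSWORDS:
            flagged.append(app)
    return flagged


if __name__ == "__main__":
    # Constructed inventory: (application name, password currently set)
    sample_inventory = [
        ("ip-camera", ""),
        ("inventory-db", "Admin"),
        ("ticketing-app", "xK9#pqLm2v"),
    ]
    print("still on default/blank:", audit_initial_credentials(sample_inventory))
    for pw in ["", "a", "Password", "aaaaaaaa", "correct horse battery"]:
        print(repr(pw), "->", check_password(pw))
```

The audit helper is the deployment-side counterpart of the paper's survey: run it against an inventory of deployed services before exposure, and treat any flagged entry as a finding to remediate rather than a policy to enforce later.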
Notes
- 1.
- 2. Actian Ingres, Actian Vector, CA Datacom, CA IDMS, Clarion, Clustrix, Empress Embedded Database, EXASolution, eXtremeDB, GroveSite, IBM PureSystems, Infobright, Linter, Microsoft Visual FoxPro, NexusDB V4 Windows, NonStop SQL, Openbase, Postgres Plus Advanced Server, R:Base, SAP ADS, SAP Anywhere, SAP HANA, SAP Sybase ASE, SAP Sybase IQ, SQL Azure, SQream DB, UniData, Vertica.
Acknowledgements
Special thanks go to Mohammed Nasir who initially started this research project and Matthew Vastarelli for supporting us.
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Knieriem, B., Zhang, X., Levine, P., Breitinger, F., Baggili, I. (2018). An Overview of the Usage of Default Passwords. In: Matoušek, P., Schmiedecker, M. (eds) Digital Forensics and Cyber Crime. ICDF2C 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 216. Springer, Cham. https://doi.org/10.1007/978-3-319-73697-6_15
DOI: https://doi.org/10.1007/978-3-319-73697-6_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-73696-9
Online ISBN: 978-3-319-73697-6
eBook Packages: Computer Science (R0)