If you’ve been looking for money in your budget to pay for expensive hardware and software to improve your company’s security, there’s a simple item you’ve probably overlooked that won’t cost you a cent.

Every month or so, some huge security story hits the papers. Either somebody actually got breached, or a vulnerability has turned up that would let them be. Millions of people get stressed out, the vendors look bad, and the credit monitoring services all make a lot more money.

And more often than not, it comes down to one really dumb thing. We’ve seen it several times this year already.

When you buy hardware such as routers, and some kinds of software, it comes with a factory-set password. The same password ships on every unit, and it is documented in the manual and all over the web, so that you can set up the hardware or software in the first place. Then, the theory goes, you change the password.

Unfortunately for security, a lot of people skip this step.

The result is that you have devices and software – months and years and decades later – that still use the password printed in the manual, which makes breaking in trivial for anyone who can find that manual. Often all it takes is one unprotected router; once attackers are in, they can move on to anything that sits behind it or trusts it.

This happened earlier this summer, when a blogger discovered an administrative account with an easily guessed password in HP’s StoreOnce storage hardware. In response, a number of publications leapt to claim that “HP is putting back doors into its equipment!” That wasn’t what HP was doing; it was simply a default administrative password built into the system to make it easier to diagnose and repair the equipment remotely. From an attacker’s point of view the distinction hardly matters: a credential that is the same on every unit and that the owner doesn’t know to change is just as useful either way.

This is not to pick on HP. Every time one of these incidents happens, sysadmins get together and talk about all the other vendors that do it, too.

The default password issue is so common that organizations such as the Computer Emergency Response Team (CERT) periodically issue warnings about it, patiently explaining why it’s a bad thing, listing all the times that malicious hackers have broken in using it, and describing several ways to fix the problem.

Similarly, when people buy or download and first set up hardware and software, they’re supposed to give it a password. And so they do. But they make it something dumb, and easy to remember – which makes it easy to guess.

We’ve most recently seen this with Adobe, which reportedly had up to 150 million accounts breached. As it turns out, according to security consulting firm Stricture Consulting Group, the stolen data also showed that far too many Adobe users weren’t thoughtful when they chose their passwords. Stricture recently released a list of the top 100 passwords selected by Adobe users.

Number one on the list? “123456,” chosen by almost 2 million users. Number two? “123456789,” chosen by almost half a million. Number three? “password,” chosen by almost 350,000. And it goes on and on.

“With 1.9 million users relying on ‘123456’ there's a better than one in one hundred chance of unlocking an Adobe account with blind luck,” writes Simon Sharwood in The Register. Indeed, notes Michael Palumbo in RYOT, the most popular passwords make a great list for users of how not to choose a password. (“123456” was also the top password chosen by Yahoo! users, as discovered during a breach of that system in summer 2012, writes Emil Protalinski in ZDNet.)

What makes this a particular problem is that people often reuse the same password on a variety of systems, so a password recovered from one breach can be tried, usually successfully, against many others.

If you do one thing to improve security, it’s this: Check the factory-installed passwords, and the initial passwords that users provide, and make sure they’re changed, and that the replacements aren’t on a list of the most common ones.
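The two checks described above (a device still on its factory password, and a user-chosen password that is a known-bad one or a trivial variant of it) can be automated. The script below is an added example for this article, not code from the post or from any vendor; the default-credential table, the short common-password list and the audit records are constructed for illustration, and the 150-million / 1.9-million figures are the article’s own numbers used to reproduce the “better than one in one hundred” calculation.

```python
"""
Added example (not part of the original article): a small credential audit
that flags factory-default logins and weak or commonly chosen passwords.
Vendor defaults, the common-password list and the inventory are constructed
sample data; a real audit would load the vendor manuals and a published
breach-derived list such as the Adobe top 100.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample of documented factory defaults, keyed by product name.
VENDOR_DEFAULTS = {
    "acme-router": [("admin", "admin"), ("admin", "password")],
    "acme-storage": [("support", "support123")],
}

# Constructed stand-in for a breach-derived list, most common first.
COMMON_PASSWORDS = [
    "123456", "123456789", "password", "adobe123",
    "12345678", "qwerty", "1234567", "111111",
]

# Common "leet" substitutions people use to dress up a weak password.
LEET = str.maketrans("0134@$!", "oleaasi")


def normalize(pw: str) -> str:
    """Collapse trivial variants (case, trailing digits/punctuation, leet)
    so that 'P@ssw0rd1!' and 'password' compare equal."""
    base = pw.lower()
    base = re.sub(r"[^a-z0-9]+$", "", base)  # drop trailing punctuation
    if re.search(r"[a-z]", base):            # only for passwords with letters
        base = re.sub(r"\d+$", "", base)     # drop trailing digits
        base = base.translate(LEET)
    return base


_COMMON_NORMALIZED = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(username: str, password: str,
                   product: Optional[str] = None) -> Optional[str]:
    """Return a reason to reject the credential, or None if it passes."""
    if product and (username, password) in VENDOR_DEFAULTS.get(product, []):
        return "factory default for %s" % product
    if password in COMMON_PASSWORDS:
        return "in common-password list"
    norm = normalize(password)
    if norm in _COMMON_NORMALIZED:
        return "trivial variant of a common password"
    if norm == username.lower():
        return "password equals username"
    return None


def audit(records: Iterable[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """records: (host, product, username, password). Returns (host, reason)
    for every credential that fails check_password."""
    findings = []
    for host, product, user, pw in records:
        reason = check_password(user, pw, product)
        if reason:
            findings.append((host, reason))
    return findings


def guess_success_rate(counts: Iterable[int], total_accounts: int,
                       attempts: int) -> float:
    """Chance that trying the `attempts` most popular passwords unlocks a
    randomly chosen account, given how many accounts picked each one."""
    top = sorted(counts, reverse=True)[:attempts]
    return sum(top) / float(total_accounts)


if __name__ == "__main__":
    # Constructed inventory: one never-changed router, one weak user choice,
    # one reasonable passphrase.
    inventory = [
        ("rtr-01", "acme-router", "admin", "admin"),
        ("portal", None, "alice", "P@ssw0rd1!"),
        ("portal", None, "bob", "correct-horse-battery-staple"),
    ]
    for host, reason in audit(inventory):
        print("%s: %s" % (host, reason))
    # Article figures: 1.9M of 150M accounts chose "123456".
    rate = guess_success_rate([1_900_000, 450_000, 350_000], 150_000_000, 1)
    print("one blind guess succeeds %.2f%% of the time" % (100 * rate))
```

The normalization step matters more than the list itself: most "clever" passwords that survive a naive blocklist are just `password` with a capital letter, a trailing year and a `!`, and attackers' cracking rules try exactly those variants first.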

Now, obviously, passwords can’t be too complicated. An 18-character password, with at least one lowercase letter, one capital letter, one number, and one special character isn’t going to help anyone if it’s so hard to remember that everyone has yellow sticky notes on their monitors with it. A password manager or a long passphrase gets around the sticky-note problem, but until something better than passwords is in wide use, getting them right is going to be a headache.

But please. Just don’t make it 123456.
