Default, Blank and Weak Username/Passwords

Thursday, July 22, 2010

Application Security, Inc.


By Alex Rothacker, Manager, Team SHATTER, Application Security, Inc.   

Application Security, Inc.’s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities in order to you with the most up-to-date vulnerabilities, risk and remediation information.

Today’s topic is Default, Blank & Weak Username/Passwords.

It has been a long standing practice in the software industry to create default accounts during the installation of software packages. Some are required to complete the actions required during installation.

Others are present to provide users with a convenient means to start testing the software out of the box. Many are part of demo packages and others get created during the installation of 3rd party software.

For example, a CRM package might create several accounts in the backend database, for install, admin and regular users.The database management system or DBMS industry has not been excluded from this practice.

For a long period of time, Oracle created the username/password of ‘SCOTT’/’TIGER’. SQLServer had ‘sa’ with a blank password.    DB2 came with ‘db2admin’/’db2admin’ as a default. 

The list goes on. Other default accounts are installed by 3rd party products. 

For example, SAP creates a slew of default database users at the time of installation.Attackers are constantly looking for an easy way to steal sensitive data. 

By undertaking the simple task of creating customized username/password combinations and ensuring DBMS do not have default, blank, and weak username/passwords you can easily mitigate internal and external threats to your sensitive data.

Recently, things have improved. Most DBMS’s now ask for custom usernames and/or passwords in the installer screens. Nonetheless, the risk has not been eliminated. At present, Googling ‘Oracle default users’ produces 4.5 million pages, with more than 1,000 default username/password combinations.

In our Team SHATTER Vulnerability of the Day series on Twitter, we will provide you with what and how to check for to mitigate these risks.

To stay informed on the Top 10 Database Vulnerabilities follow @TeamSHATTER on Twitter.

Cross-posted from AppSec

Possibly Related Articles:
Network Access Control
Passwords Authentication
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.