Hello, It’s Passwords Again.
If you have been following along with this series, you might remember that in Part 2 we discussed the importance of password managers. Back by popular demand, we are here to discuss the passwords themselves. More specifically, the default usernames and passwords of your accounts and devices.
“When targeting companies, typically small businesses, the criminals access victim networks via … weak passwords. 80% of breaches are due to stolen credentials.”
Verizon DBIR Report 2022
It’s Worth Repeating
You might recognize this quote from the header section of Part 2. It is that important: businesses need to recognize that weak passwords, shared credentials, and default passwords are behind a large share of data breaches. So it is worth repeating a second time in this series.
What are “Default” Credentials?
Default credentials are the login information that ships with a new device or piece of software, such as a wireless router, modem, or smart TV. They are the equivalent of a door lock that a widely available skeleton key can open: anyone with entry-level knowledge can get in with minimal effort. The defaults are often a simple combination such as “admin” and “password,” and the default for any given model is easy to find online.
Why Changing the Credentials is Crucial
In the door scenario above, you can see why it matters to change the default login to something unique and strong, so that your personal information and devices are protected from unauthorized access. Attackers use automated tools to scan for devices that still accept their default login. Once in, they can steal personal information or use your device for illegal activities, often without ever being traced.
By changing your login information and regularly updating it, you can significantly reduce the risk of unauthorized access to your devices and the sensitive data stored on them.
How do I know if I have Default Credentials?
This one can be a little tricky because it requires you to inventory almost everything connected to the internet at home and in your business. However, don’t succumb to analysis paralysis! Getting even a few done per week is better than never starting.
Start a list
The most important part of getting something done is starting. The list doesn’t need to be formal; it can be kept on paper, in the notes app on your phone, or in a wiki such as Confluence (our favorite). Note that the login information itself belongs in a password manager, not in this list.
Below is a format to help get you started. Simple, right?

Device                      Date default login changed
Linksys home WiFi router    Jan 16, 2023
Smart TV (Living Room)
Check the device
Many devices print the default login name and password on a label on the device itself. You can also check the user manual for default credentials. When in doubt, type the device model into a search engine along with “default login,” for example: Linksys wrt54gl default login.
A search like this tells you the default for a particular model; repeat it for each item on your list so that nothing with a default credential is missed.
Don’t forget your internet modem. It is the most often overlooked piece of hardware because it is treated as a utility, like the electric panel in your home or business.
Try Logging in
Once you have found the default credentials for a device, try logging in with them. If you succeed, follow the vendor’s instructions for changing the login.
Note that even if you log in with a non-default account, the default account can still be active. Many devices support multiple logins, so confirm that the default account has been changed or disabled, even when you already have a separate account of your own.
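The three steps above (inventory, look up the default, try it) can be turned into a small audit that is worth re-running whenever a device is added. The script below is an added example, not code from the original article: it takes a constructed inventory of devices with their vendor defaults, tries the default login against each one, and reports which devices still accept it. The device names, addresses, and default credentials are placeholders, and the offline run uses simulated devices so it can execute without a network; against real hardware on your own network you would pass the `http_basic_login` probe instead. The simulated router deliberately has a personal account alongside the untouched default, which is exactly the case the text warns about.

```python
import base64
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Device:
    name: str
    admin_url: str
    default_user: str
    default_password: str


# Constructed inventory for this example (hypothetical addresses and defaults).
# For real hardware, fill in the defaults from the label, the manual, or a
# "<model> default login" search, as described above.
INVENTORY = [
    Device("Linksys home WiFi router", "http://192.168.1.1/", "admin", "admin"),
    Device("Smart TV (Living Room)", "http://192.168.1.20/", "admin", "password"),
    Device("Cable modem", "http://192.168.100.1/", "admin", "admin"),
]

# A login probe answers True (accepted), False (rejected) or None (no answer).
LoginProbe = Callable[[str, str, str], Optional[bool]]


def http_basic_login(url: str, user: str, password: str,
                     timeout: float = 5.0) -> Optional[bool]:
    """Probe an admin page protected by HTTP Basic auth.

    Devices with a form-based login need a different probe; this one only
    understands Basic auth. Not exercised in the offline demo below.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        # 401/403 means the credentials were rejected; anything else is unclear.
        return False if err.code in (401, 403) else None
    except (urllib.error.URLError, OSError):
        return None  # unreachable: never mistake "no answer" for "safe"


def audit_defaults(inventory, probe: LoginProbe) -> dict:
    """Try each device's vendor default login and classify the outcome."""
    report = {}
    for dev in inventory:
        outcome = probe(dev.admin_url, dev.default_user, dev.default_password)
        if outcome is True:
            report[dev.name] = "DEFAULT ACTIVE - change or disable it"
        elif outcome is False:
            report[dev.name] = "default rejected"
        else:
            report[dev.name] = "unreachable - recheck manually"
    return report


# --- Offline demonstration with simulated devices (constructed data) ---------
# Each simulated device lists the account/password pairs it currently accepts.
SIMULATED_DEVICES = {
    # Router: the owner created a personal account but never touched the default.
    "http://192.168.1.1/": {("jane", "Correct-Horse-Battery"), ("admin", "admin")},
    # TV: the default admin password was changed.
    "http://192.168.1.20/": {("admin", "7-Seasons-Of-Rain")},
    # Modem: not on this network right now, so no answer at all.
}


def simulated_probe(url: str, user: str, password: str) -> Optional[bool]:
    accounts = SIMULATED_DEVICES.get(url)
    if accounts is None:
        return None
    return (user, password) in accounts


if __name__ == "__main__":
    for name, status in audit_defaults(INVENTORY, simulated_probe).items():
        print(f"{name:28} {status}")
```

Two design points matter in practice: an unreachable device is reported as "recheck manually" rather than silently passing, because a powered-off modem is not a secured modem; and the probe always tries the vendor default user, not the account you normally use, so a device that still accepts admin/admin next to your own account is caught. Only run this against devices you own or are authorized to test.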
Now you know why changing default passwords is a significant step in making you and your business more secure. In addition, we wanted to highlight a few more bonus strategies that can help you manage these accounts and risks.
Use a Password Manager
This bears repeating. A password manager is the best way to ensure the passwords you set stay secret. There is little benefit to changing passwords if anyone can walk by, open your drawer, or lift up your keyboard and take them.
Change the default login name
In addition to the default password, change the default login name. If the device does not support renaming it, create a new account as outlined below. Where available, disable the default account and use a separately named account for administering the device. Attackers who try a disabled account or a name that doesn’t exist get nowhere, which blunts brute-force attacks aimed at well-known account names.
Create a read-only user account for you
If your device supports it, create a second, read-only or low-privilege account for yourself that does not have admin access. This is your “daily driver” account: it lets you check on the device or make minor changes, but not wipe it, re-register it, reset passwords, or create additional accounts. If that everyday account is compromised, the attacker inherits the same limited access and cannot make administrative changes.
Make an admin account to sign up
When signing up for a new online service, one strategy is to create a dedicated admin account for managing it. For example, when signing up for a marketing email service for your business, sign up as Admin-MailChimp@yourcompany.com. That address should be a group mailbox or distribution list whose members can receive the admin emails. Once the account is created, add people individually to roles within the application, and ensure the admin account is the only one with admin rights on the platform.
This is beneficial because if the person who signed up leaves, or their email is compromised, the service is unaffected. It also gives you a simple way to keep critical account alerts flowing as people join or leave: add them to, or remove them from, the group. We have seen on many occasions that someone leaves an organization with many services linked to their email, and moving those services to someone else becomes a struggle.
When using this strategy, make sure between three and five people have access to the admin group. These numbers are a general guideline: they allow redundancy without too many people holding administrative access. A single person is a bottleneck and a liability; twenty people is a security risk.
We hope you found this article insightful on how to improve the security posture of your business and your personal life by implementing these strategies for default credentials. Each strategy can significantly reduce risk while taking little time and almost no cost.
How StrataNorth Can Help
If you are ready to transform your business’s security landscape and are looking for experts to guide you, StrataNorth has security consultants with decades of experience. We can help you reach security nirvana and give you a roadmap for success. Reach out for a no-cost, no-obligation chat with a security expert today.