Default Passwords and What You Can Do About Them - Page 2

By Kurt Seifried | Posted Oct 16, 2000
Page 2 of 3

So, these are the existing solutions:

Assign no password and make the user log in and create a password. Maybe configure the product so that it does not function until a password is entered. This would be quite effective and would definitely encourage people to put a password in. It would also cause problems, though, when users plug it in and it doesn't work immediately.

Assign a default password and make the user log in and change the password. Maybe configure the product so that it does not function until a password is entered. This would be quite effective and would definitely encourage people to put a password in. It would also cause problems, though, when users plug it in and it doesn't work immediately. This is no better than the no-password option, since the default password will be widely published at some point. Many vendors opt for this solution, assigning a default password and (usually) telling the user to log in and change it.

Assign a random password and make the user log in and change the password. Maybe configure the product so that it does not function until a password is entered. This would be quite effective and would definitely encourage people to put a password in. This would also cause a lot of grief to users, though, since they may lose the paper with the serial number. Some vendors that sell servers with the OS pre-loaded do this to the admin accounts, which is a good idea. One variation would be to put the database online, so when you plug in the serial number, out pops the default password that was assigned. This assumes the serial number was stamped onto the product physically, and cannot be found via the network, etc. This would be a relatively safe option.

Use some other mechanism, such as a token. For a product such as a router, design the authentication to support tokens and preload the product and the token with the same "secret". To log in, the user needs the token to create the response to a challenge. This would be expensive, and somewhat difficult for many users, but it would make breaking into the equipment via the network exceedingly difficult.
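The token option above, sketched as an added example that is not part of the original article: the device and the token are preloaded with the same secret, and the token answers a fresh challenge so the secret never crosses the network. HMAC-SHA-256 and the names `provision`, `Token`, `Device` and `login` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def provision():
    """Factory step: generate one random secret, loaded into both device and token."""
    return secrets.token_bytes(32)


class Token:
    """The user's hardware token (hypothetical name); holds the preloaded secret."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        # The response proves knowledge of the secret without sending it.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Device:
    """The router side (hypothetical name); issues challenges and checks responses."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def issue_challenge(self):
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per login
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, response):
        # Each challenge is single-use, so a sniffed exchange cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(device, token):
    """One full exchange: device challenges, token answers, device decides."""
    challenge = device.issue_challenge()
    return device.verify(challenge, token.respond(challenge))
```

Because each unit gets its own secret at the factory, there is no shared default for anyone to publish.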
