Profile Applicability:
Level 1
Description:
Default passwords provided by hardware or software vendors must be changed before deployment or use in any environment. Using default passwords poses a significant security risk as they are widely known and can be exploited by attackers to gain unauthorized access to systems or applications.
Rationale:
Default passwords are commonly targeted by attackers due to their predictability and public availability. Ensuring that all default credentials are changed to strong, unique passwords mitigates the risk of unauthorized access, reduces the attack surface, and supports compliance with security best practices and standards.
Impact:
Pros:
Reduces the likelihood of unauthorized access due to known default credentials.
Enhances overall security posture.
Helps comply with industry standards and regulatory requirements.
Cons:
Requires additional effort during system setup and maintenance.
May cause operational delays if password change processes are not streamlined.
Default value:
By default, many devices and applications come with default credentials that are publicly documented and easily exploitable.
Audit:
Review systems and devices to verify that no default passwords remain in use. Check configuration settings, password policies, and authentication logs for indications of default credential usage.
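One way to carry out this audit against a local account store, as an added example that is not part of the benchmark text: it assumes accounts are stored as salted PBKDF2-HMAC-SHA256 hashes, and both the default-password list and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed default-password list for this example only; in practice it is
# assembled from the vendor documentation of each asset being audited.
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "12345678"]


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the storage format this example assumes for local accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_account(username: str, password: str) -> dict:
    """Build an account record in the (assumed) local account-store layout."""
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def uses_default_password(account: dict) -> bool:
    """True if the stored hash verifies against any entry of the default list."""
    for candidate in DEFAULT_PASSWORDS:
        attempt = hash_password(candidate, account["salt"])
        # Constant-time comparison, as for any password verification.
        if hmac.compare_digest(attempt, account["hash"]):
            return True
    return False


def audit_accounts(accounts: list) -> list:
    """Return the usernames that still use a default password (the audit findings)."""
    return [a["user"] for a in accounts if uses_default_password(a)]


# Constructed sample store: two accounts never re-passworded after provisioning.
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin"),                 # default unchanged: finding
    make_account("svc_backup", "Qm!7tZ-rL2pW9x"),   # unique password: pass
    make_account("operator", "changeme"),           # default unchanged: finding
]

if __name__ == "__main__":
    for user in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"FAIL: account '{user}' still uses a vendor default password")
```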
Remediation:
Change all default passwords to strong, unique passwords before deploying systems. Establish policies and procedures that mandate password changes and periodic reviews to prevent default credential use.
References:
NIST SP 800-63B Digital Identity Guidelines - Authentication and Lifecycle Management: https://pages.nist.gov/800-63-3/sp800-63b.html
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration/
OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html