Profile Applicability:
Level 1
Description:
Default passwords on systems, devices, applications, and services must be changed before deployment or use. Use of default credentials poses a significant security risk, as they are widely known and can be exploited by attackers to gain unauthorized access.
Rationale:
Changing default passwords is a fundamental security measure to prevent unauthorized access and potential compromise of systems. It enforces secure authentication practices and reduces the attack surface.
Impact:
Pros:
Mitigates risk of unauthorized access due to known default credentials.
Strengthens overall system and application security.
Supports compliance with security policies and regulatory standards.
Cons:
Requires administrative effort to change and manage passwords.
Risk of weak password choices if not properly managed.
Default value:
Many systems ship with default passwords that remain in place unless an administrator changes them, leaving those systems exposed to high risk.
Audit:
Review system, device, and application configurations for any account that still uses a vendor-supplied default password. Use automated tools where possible to identify default credentials.
Remediation:
Establish policies mandating that default passwords be changed before deployment or use. Implement strong password policies and password management solutions. Train administrators on secure credential management.
References:
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/
NIST SP 800-63B Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html