CISA Urges Tech Sector to Move Beyond Default Passwords

Vlad CONSTANTINESCU

December 18, 2023

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an alert urging technology manufacturers to stop shipping products with default passwords.

Software and hardware products are often shipped to customers with default credentials, putting those customers at significant risk, especially once threat actors learn the passwords.

Default Passwords are Vulnerable

“Malicious cyber actors continue to exploit default passwords (e.g., “1234,” “default,” “password”) on internet-exposed systems to gain initial access to, and move laterally within, organizations,” reads CISA’s announcement.

Perpetrators often use default credentials as a convenient backdoor that lets them breach vulnerable Internet-connected devices with little effort. While default passwords help streamline manufacturing and deployment, they can expose customers to significant risk.

Mitigation Recommendations

CISA urges tech manufacturers to mitigate the risk of default password exploitation and proposes two principles:

  • Taking ownership of customer security outcomes
  • Building organizational structure and leadership

“By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent exploitation of static default passwords in their customers’ systems,” CISA explained.

Unique and Temporary Passwords

Manufacturers could take different paths to address this situation. For instance, customers could receive unique setup passwords for each product instead of using a default password valid for an entire line of products.

Alternatively, they could implement temporary setup passwords that become obsolete once the product has been configured, prompting system administrators to rely on more secure authentication methods.
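The two approaches above, combined in one first-boot flow, as an added example that is not code from CISA or from this article: a hypothetical device class whose setup password is generated per unit rather than shared across a product line, and stops working once the administrator has set a permanent credential. The scrypt parameters and the 12-character minimum are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Well-known factory defaults that must never be accepted as a permanent password.
KNOWN_DEFAULTS = {"1234", "default", "password", "admin"}


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt with a per-device salt; cost parameters are modest for the demo.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class DeviceAuth:
    """Hypothetical per-unit credential state, created at manufacturing time."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        # Unique per unit (e.g. printed on the unit's label), not per product line.
        self.setup_password = secrets.token_urlsafe(12)
        self._setup_hash = _hash(self.setup_password, self.salt)
        self._admin_hash = None          # set during first configuration
        self.configured = False

    def login(self, password: str) -> bool:
        """The setup password is only honoured until the device is configured."""
        candidate = _hash(password, self.salt)
        if not self.configured:
            return hmac.compare_digest(candidate, self._setup_hash)
        return hmac.compare_digest(candidate, self._admin_hash)

    def complete_setup(self, setup_password: str, new_password: str) -> bool:
        """First-boot step: prove possession of the setup password, then replace it."""
        if self.configured or not self.login(setup_password):
            return False
        if len(new_password) < 12 or new_password.lower() in KNOWN_DEFAULTS:
            return False                 # refuse weak or factory-default values
        self._admin_hash = _hash(new_password, self.salt)
        self._setup_hash = None          # temporary credential is now obsolete
        self.configured = True
        return True
```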

The importance of a strong password cannot be overstated, especially in today’s climate. Considering that even a strong password weakens over time as the threat landscape evolves, users must keep strengthening their defenses to preserve their digital well-being.

Additional Steps to Keep Safe

Using password managers, for instance, lets users generate, manage, and store strong passwords, relieving them of the burden of remembering and typing them. It also addresses password reuse, which invites credential-stuffing attacks.

Enabling multi-factor authentication (MFA) is another highly recommended step to keep accounts and devices safe against various types of attacks, including phishing and brute-forcing.
