Cisco forgot its own passwords for seven weeks

Someone's palm is digging a hole into their face at Cisco, which has just admitted it shipped a bunch of servers with the wrong default password. “A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller (CIMC) unless the …

  1. Tromos

    'password' indeed!

    Good job they changed it to something industrial strength.

    1. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Re: 'password' indeed!

      That's just the default password. If you don't change it within three seconds of using a UCS server, you deserve whatever happens to you.

      1. Ilgaz

        €20 ADSL all in one box

        They print a physical pseudo-random password on a label; you physically turn the device upside down to read the random(?) password and enter it.

    2. Bill Stewart

      Cisco123

      Most Cisco equipment used to have a default password of "cisco123", before they started all the mergers and acquisitions and decided that they should be able to handle longer than 8-character passwords. A password of "password" suggests an acquired product (like their Sourcefire products which have a default password of "Sourcefire") or else a new standard for factory passwords.

    3. swschrad

      another default password now in script kiddies cookie box

      If this got used anywhere else, all your net is pwned.

    4. Halfmad

      Re: 'password' indeed!

      Problem is if they auto create passwords on these and put them on with stickers (like many home routers) some idiot won't change them and CISCO will get the blame when random contractor X looks at the back of it and takes a note of the password.

      At least with an obvious temporary password even the most stupid admin will change it to something they know.. like letmein.

  2. RIBrsiq

    When it comes to default passwords, I would quite like a variation of TP-Link's -- of all people -- practice adopted everywhere.

    TP-Link clearly mark the default password on the label with the serial number and so on, you see. Which makes it easy to service stuff for which, naturally, the documentation has long since been lost without asking Google.

    Now what I would like is for the password to be a derivative of the serial number -- or MAC address, etc. Whatever is appropriate for the type of gear in question -- so that it cannot easily be guessed by a remote attacker.

    Well, a way to clear just the password such as on proper network gear would be best, I guess. But not everything has a readily-accessible serial port, and this does not make sense in every case, anyway.

    1. Oengus

      Unless you know the algorithm used to generate the default password you will need physical access to TP-Link device to be able get the password to do anything with.

      If the password is a derivative of the MAC address it can be determined remotely, if the algorithm is known, because the MAC address will be in the data frames. The default password needs to be generated by something internal to the device that is never communicated to the outside world.

      I have various devices with the default password on the label. If I keep the device in my custody there is no risk that anyone can use the default password to access the device. Mind you, I still change the default settings (including password) most of the time...

      1. RIBrsiq

        "If the password is a derivative of the MAC address it can be determined remotely".

        If the attacker is getting the MAC address then they're not very remote, are they...?

        1. Anonymous Coward

          Only true if SNMP has been disabled, quite often it hasn't!

        2. darkskiez

          Do not assume the mac addresses are private / local.

          There are numerous ways the mac addresses could leak, like IPv6 address without privacy mode, or status web page on said device, or snmp public etc etc
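Oengus's point above (a default password must come from something internal that the device never transmits) and darkskiez's note that the MAC is routinely visible, as an added example that is not code from any commenter or vendor: a constructed comparison of a MAC-derived default with one derived from a per-unit secret generated at the factory. The scheme, function names and sample serial/MAC are assumptions, not any real product's algorithm.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample identity for one unit (not a real device).
SAMPLE_SERIAL = "SN-EXAMPLE-0001"
SAMPLE_MAC = "00:11:22:33:44:55"


def password_from_mac(mac: str) -> str:
    """Weak design: the default password is a pure function of the MAC.
    The MAC is on every frame (and in SNMP, IPv6 EUI-64 addresses, status
    pages), so anyone who knows the algorithm can recompute the password."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return base64.b32encode(digest[:10]).decode()  # 80 bits -> 16 chars, no padding


def password_from_secret(device_secret: bytes, serial: str) -> str:
    """Stronger design: HMAC of the serial under a secret that lives only
    inside the unit. The serial may be public; the secret never leaves."""
    digest = hmac.new(device_secret, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode()


def provision_device(serial: str) -> dict:
    """Factory step: generate a fresh random secret inside the device and
    print only the derived password on the label, never the secret itself."""
    device_secret = secrets.token_bytes(32)
    return {
        "serial": serial,
        "device_secret": device_secret,  # stays in the unit's non-volatile store
        "label_password": password_from_secret(device_secret, serial),
    }


def device_login_ok(device: dict, attempt: str) -> bool:
    """The unit recomputes its own default from the internal secret and
    compares in constant time."""
    expected = password_from_secret(device["device_secret"], device["serial"])
    return hmac.compare_digest(expected, attempt)


def recomputable_from_identifiers(device: dict, mac: str) -> bool:
    """Design check: can the label password be rebuilt from identifiers that
    are visible on the network (serial, MAC) without the internal secret?
    For the secret-based scheme this is False; the MAC scheme would be True."""
    guess = password_from_mac(mac)
    return device_login_ok(device, guess)
```

Two units provisioned with the same serial get different label passwords, which is exactly the property a MAC-only derivation cannot provide.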

    2. Ian Emery

      True of newer kit, but anything more than about a year or so old had Admin/Admin as the Admin name and password.

      1. This post has been deleted by its author

  3. PJF

    At least

    they changed their default password..

    How many others are admin/.?

  4. Anonymous Coward

    1234? I have the same password on my luggage.

  5. This post has been deleted by its author

  6. Ian Emery

    Cisco and Plusnet related??

    Had a frustrating day with the idiot boss's new Plusnet router last month: "Router is Pre-configured for your".

    Yeah, right, preconfigured with SOMEONE ELSE'S PERSONAL INFO!!!

    Since it takes the stupid box a good 30 minutes just to wake up/reset, then another 30 minutes to get an ADSL sync, I wasted 6 hours on the thing (including 90 minutes on hold with their tech support line) before finding a PnP format letter with the correct name/password on it (buried in pages of marketing guff, so no-one realised there was anything important included).

    (Just signing up for a YEAR with Plusnet, because they offered £1 per month off of line rental is enough to qualify as a sub-moron).

  7. allthecoolshortnamesweretaken

    Hmm...

    Mistake or practical joke?

  8. Anonymous Coward

    how about scott / tiger ?

  9. SquidEmperor

    This can't be right?

    Shurley username "guest" and password "guest"?

  10. Joe Drunk

    What really happened..

    They hired an outsourced rent-a-tech to configure and ship a bunch of servers to clients. The tech couldn't reach anyone who could tell them what to set the default password to. These units had to be shipped by a certain date or there would have been all kinds of escalations, knee-jerk reactions and cell phones ringing at 2AM. So he made a command decision.

    Been in this scenario too many times in Corporate IT. That's why things like this happen.

    1. chris 17

      Re: What really happened..

      @ Joe Drunk

      Thing is, this should be an image that is automatically cloned onto the drives of the machine during manufacture. The build of the image should be tightly controlled and mistakes like this should not happen.

      If they are this slack when it comes to build images or quality control on devices sent to customers, how can we have any faith in the quality of their other procedures, software or hardware?

  11. ecofeco

    Why not ask HP?

    After all, those are just re-badged HP servers.

  12. Anonymous Coward

    cisco <> borg relation??

    What has Cisco to do with the USS Raven and the Borg?? lol, I don't understand it but it's an interesting comparison...
