Good job they changed it to something industrial strength.
Someone's palm is digging a hole into their face at Cisco, which has just admitted it shipped a bunch of servers with the wrong default password. “A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller (CIMC) unless the …
Most Cisco equipment used to have a default password of "cisco123", before they started all the mergers and acquisitions and decided that they should be able to handle longer than 8-character passwords. A password of "password" suggests an acquired product (like their Sourcefire products which have a default password of "Sourcefire") or else a new standard for factory passwords.
Problem is if they auto create passwords on these and put them on with stickers (like many home routers) some idiot won't change them and CISCO will get the blame when random contractor X looks at the back of it and takes a note of the password.
At least with an obvious temporary password even the most stupid admin will change it to something they know.. like letmein.
When it comes to default passwords, I would quite like a variation of TP-Link's -- of all people -- practice adopted everywhere.
TP-Link clearly mark the default password on the label with the serial number and so on, you see. Which makes it easy to service stuff for which, naturally, the documentation has long since been lost without asking Google.
Now what I would like is for the password to be a derivative of the serial number -- or MAC address, etc. Whatever is appropriate for the type of gear in question -- so that it cannot easily be guessed by a remote attacker.
Well, a way to clear just the password such as on proper network gear would be best, I guess. But not everything has a readily-accessible serial port, and this does not make sense in every case, anyway.
Unless you know the algorithm used to generate the default password you will need physical access to TP-Link device to be able get the password to do anything with.
If the password is a derivative of the MAC address it can be determined remotely, if the algorithm is known, because the MAC address will be in the data frames. The default password needs to be generated by something internal to the device that is never communicated to the outside world.
I have various devices with the default password on the label. If I keep the device in my custody there is no risk that anyone can use the default password to access the device. Mind you, I still change the default settings (including password) most of the time...
Had a frustrating day with the idiot bosses new Plusnet router last month "Router is Pre-configured for your".
Yeah, right, preconfigured with SOMEONE ELSE'S PERSONAL INFO!!!
Since it takes the stupid box a good 30 minutes just to wake up/reset, then another 30 minutes get an ADSL sync, I wasted 6 hours on the thing (including 90 minutes on hold with their tech support line), before finding a PnP format letter with the correct name/password on it (buried in pages of marketing guff, so no-one realised there was anything important included).
(Just signing up for a YEAR with Plusnet, because they offered £1 per month off of line rental is enough to qualify as a sub-moron).
hired outsourced a new rent-a-tech to configure and ship a bunch of servers to clients. The tech couldn't reach anyone who could tell them what to set the default password to. These units had to be shipped by a certain date or there would have been all kinds of escalations, knee-jerk reactions and cell phones ringing at 2AM. So he made a command decision.
Been in this scenario too many times in Corporate IT. That's why things like this happen.
@ Joe Drunk
thing is this should be an image that is automatically cloned onto the drives of the machine during manufacturer. The build of the image should be tightly controlled and mistakes like this should not happen.
If they are this slack when it comes to build images or quality control on devices sent to customers, how can we have any faith in the quality of their other procedures, software or hardware?
Biting the hand that feeds IT © 1998–2019