Risks of Default Passwords: Why Passwords are a Relic of the Past

Artificial intelligence (AI) is pervasive in today’s world, especially in the domain of cyber security. AI enables us to detect and prevent cyber threats, enhance our online privacy, and improve our digital experience. However, despite the advances in AI, passwords remain one of the most primitive forms of security, and are still widely used in industrial control systems and enterprises. Passwords are vulnerable to various types of cyberattacks, such as phishing, brute-force, and dictionary attacks. Moreover, many people do not follow the best practices for password security, such as using long and random passphrases, changing them frequently, and avoiding password reuse. Many people also neglect to change the default password that comes with the device or software from the original equipment manufacturer (OEM), which makes it easier for hackers to access and compromise them. This problem is exacerbated by the fact that many industrial control systems and enterprises have legacy systems that are not compatible with modern security solutions, such as multi-factor authentication. Therefore, passwords pose a serious risk to the security and integrity of our digital assets and infrastructure.

The Pervasive Threat of Default Passwords from Water Utilities to SolarWinds

A recent article from Fox news reported that several US water utilities, including the Municipal Water Authority of Aliquippa in Pennsylvania, were targeted by foreign hackers, who exploited vulnerabilities in their industrial control systems. The hackers left a message on the screen of a device, claiming to be Cyber Av3ngers, a group that opposes Israel and has allegedly attacked water treatment stations in Israel before. The cyberattack caused a temporary halt in pumping at a remote station, affecting water pressure for nearby towns.

It seems that some of the compromised devices had been connected to the open internet with a default password of “1111”, making it easy for hackers to find them and gain access. This is a serious security lapse that could have been prevented by following basic cybersecurity practices, such as changing the default passwords and limiting the exposure of critical devices to the internet.

This incident is not isolate according to experisignts.com there are many examples of systems that were compromised due to default passwords:

• SolarWinds: SolarWinds, a software company that provides network management tools to many government agencies and Fortune 500 companies, was hit by a massive cyberattack that compromised its Orion platform. The attackers were able to access the platform using a password of “solarwinds123” that was publicly available on GitHub.
• Verkada: Verkada, a cloud-based security camera company, suffered a breach that exposed live feeds from over 150,000 cameras in schools, hospitals, prisons, and other facilities. The hackers claimed that they were able to access the cameras using a “super admin” account that had a default password.
• New York City Law Department: The New York City Law Department, which handles legal matters for the city government, was hacked by an unknown group that gained access to its network. The hackers reportedly exploited a vulnerability in the department’s Pulse Secure VPN software, which had a default password of “123456” that was never changed.

Why Default Passwords Are a Hacker's Dream

Using default passwords can expose your devices and data to various cyber threats, such as unauthorized access, data theft, ransomware attacks, and more. Some of the risks of using default passwords are:

• Attackers can easily find and access internet-connected devices that use shared default passwords, such as routers, cameras, printers, etc. This can compromise your network security and privacy.
• Attackers can use brute force or cracking tools to guess your passwords, especially if they are weak or common. This can allow them to access your accounts and data, such as email, social media, banking, etc.
• Attackers can use phishing, sniffing, or keylogging techniques to steal your passwords, by tricking you into entering them on malicious websites, intercepting them on insecure networks, or recording them on your computer. This can also lead to identity theft, fraud, and other malicious activities..

Using default passwords is a serious and widespread issue that affects many users and organizations. Some statistics are:

• More than 80% of confirmed breaches are related to stolen, weak, or reused passwords
• An estimated 81% of data breaches are due to poor password security
• 49% of employees only add a digit or change a character when updating passwords
• A new study found that 81% of all data breaches are caused by so-called ‘weak’ passwords being compromised

Therefore, it is essential to change default passwords as soon as possible and use strong and unique passwords for different devices and accounts. You should also follow other password security best practices, such as using multi-factor authentication, encryption, and password managers.

Breaking Free from the Password Trap with Revolutionary Authentication

Passwords are no longer a viable solution for securing online accounts and data. They are prone to various types of cyberattacks, such as phishing, cracking, and stealing. They also create user friction and frustration, as people have to remember and manage multiple passwords for different services. Moreover, many people and organizations do not follow the best practices for password security, such as changing default passwords, using strong and unique passwords, and enabling multi-factor authentication (MFA).

Therefore, vendors and OEMs should move away from passwords and adopt passwordless and MFA solutions, such as biometrics, passkeys, and OTAC. These solutions offer many benefits, such as:

• Enhanced security: Passwordless and MFA solutions are more resistant to password-based attacks, as they rely on factors that are harder to compromise, such as the user's device, biometric traits, or physical tokens. They also eliminate the need to store and transmit passwords, which reduces the risk of data breaches and leaks.
• Improved user experience: Passwordless and MFA solutions simplify the login process and remove user friction, as people do not have to enter or remember passwords. They also provide authentication flexibility and choice, as people can use the method that suits their preferences and context.
• Increased productivity and efficiency: Passwordless and MFA solutions reduce the time and cost associated with password management and support, such as password resets, recovery, and helpdesk requests. They also enable faster and smoother access to online services and resources, which boosts user productivity and efficiency.

By moving away from passwords and adopting passwordless and MFA solutions, vendors and OEMs can provide a more secure, convenient, and user-friendly authentication experience for their customers and users. This can also help them gain a competitive edge, increase customer loyalty, and comply with regulatory and industry standards. Passwordless and MFA solutions are the future of authentication, and vendors and OEMs should embrace them as soon as possible.

--------------------

Author: Vinny Sagar, Solution Architect, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.