Change the Default Password Please

The recent ruckus over MySQL on Windows was largely due to those who installed the application and left the default root password untouched (which in MySQL’s case is no password at all).

I have never invested time thinking about default passwords, as I change the authentication configuration by ‘default’ on any device entering one of my networks — from routers, switches and servers to software applications and mobile devices.

This past week I started doing a little digging to see how frequently a vulnerability is in part due to default password management. I did not find much hard content on surveys of system administrator standard practice — probably because, in my humble opinion, it should be assumed that all user/password combinations will be modified at setup by any sysadmin worth their salt.

What I did find were numerous sites cataloguing thousands of devices and applications by brand name, listing the default user and password combinations and the levels of access those credentials grant. On the one hand this data is handy when inheriting or resetting old hardware/software — on the other hand it is a free library of cracking credentials for those with no life who pursue intrusion into others’ networks for fun or theft.

The MySQL vulnerability should be a wake-up call for both new and veteran system administrators and cause for a comprehensive inventory of all the devices and applications under your care. Auditing authentication should end in a detailed matrix of every credential and the level of access it grants.
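The audit the post calls for, written out as an added example that is not part of the original post: it runs over constructed rows standing in for the result of `SELECT User, Host, authentication_string, Super_priv FROM mysql.user` (assumption: a MySQL 5.7 or later schema; older servers name the hash column `Password` and reset it with `SET PASSWORD` rather than `ALTER USER`), builds the credential/access matrix, flags the empty root password the post describes and, going beyond the post, the anonymous accounts and host-wildcard superusers a stock install also ships with. The returned statements are for an administrator to review; the password value is a placeholder and nothing here connects to a server.

```python
"""Audit a MySQL account table for default or empty credentials.

Added example, not code from the original post. Input rows are a
constructed stand-in for:
    SELECT User, Host, authentication_string, Super_priv FROM mysql.user;
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str        # mysql.user.User; '' is an anonymous account
    host: str        # mysql.user.Host; '%' matches any host
    auth: str        # stored password hash; '' means no password set
    super_priv: str  # mysql.user.Super_priv, 'Y' or 'N'


# Constructed sample resembling a fresh, unhardened install.
SAMPLE_ROWS = [
    Account("root", "localhost", "", "Y"),
    Account("root", "%", "", "Y"),
    Account("", "localhost", "", "N"),
    Account("app", "10.0.0.5", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29", "N"),
]


def access_matrix(rows):
    """The inventory the post asks for: one entry per credential with
    whether a password is set and what level of access it carries."""
    return [
        {
            "account": f"'{a.user}'@'{a.host}'",
            "password_set": a.auth != "",
            "level": "superuser" if a.super_priv == "Y" else "regular",
        }
        for a in rows
    ]


def audit(rows):
    """Return (user, host, finding) triples for accounts needing attention."""
    findings = []
    for a in rows:
        if a.user == "":
            findings.append((a.user, a.host, "anonymous account"))
            continue  # anonymous accounts are removed outright
        if a.auth == "":
            findings.append((a.user, a.host, "empty password"))
        if a.super_priv == "Y" and a.host in ("%", ""):
            findings.append((a.user, a.host, "superuser reachable from any host"))
    return findings


def remediation_sql(findings):
    """Map findings to statements for an administrator to review.

    Accounts that should not exist are dropped; the rest get a password
    reset. '<new-strong-password>' is a placeholder to be replaced.
    ALTER USER ... IDENTIFIED BY requires MySQL 5.7 or later.
    """
    drop, reset = set(), set()
    for user, host, finding in findings:
        ident = f"'{user}'@'{host}'"
        if finding in ("anonymous account", "superuser reachable from any host"):
            drop.add(ident)
        elif finding == "empty password":
            reset.add(ident)
    stmts = [f"DROP USER {i};" for i in sorted(drop)]
    stmts += [f"ALTER USER {i} IDENTIFIED BY '<new-strong-password>';"
              for i in sorted(reset - drop)]
    return stmts


if __name__ == "__main__":
    for entry in access_matrix(SAMPLE_ROWS):
        print(entry)
    for stmt in remediation_sql(audit(SAMPLE_ROWS)):
        print(stmt)
```

Run against real output of the `SELECT` above, the same three checks catch the three things a default MySQL install gets wrong: no root password, anonymous logins, and a superuser not pinned to a host.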

If you lock the front door and windows and leave the back door ajar, someone will certainly come in uninvited.

  • JeroenvanP

    very true, especially the fact that bad sysadmins don’t always change the default passwords (had some trouble with that in the past as well)

  • Ghandi

    system admins at my university use ‘kansas’ for some and ‘12345’ for others.

  • http://kbarts.hu GDA

    “god” is the best (even nowadays) :(

  • Mark Wubben

    Why don’t they force users to set a new password then?

  • Dr Livingston

    I used to always run MySQL with defaults for local development, but since upgrading to the newer versions I create a new username/password and drop the defaults :)

    just a lazy practice I’ve put a stop to now, but it was never a worry for me in the first place :D

    different for live applications though, as you are responsible (and held accountable) for security during the installation and setup phase – which I feel is not the task of a developer but of a sysadmin, but that’s for another day :)

  • http://www.lowter.com charmedlover

    I also used to run MySQL with defaults, but it was private (protected under a router) and I only used it for development.

    But I changed the password when I upgraded my MySQL. I thought of this issue and realized that it was a bad practice…

  • hdsol

    It wasn’t until I started to mess with wireless networking that I realized how many people don’t change security settings. In a 5 block area there is an incredible array of open networks to choose from. These range from personal to major companies. Why should database apps be any different? These are the fine details that separate a good developer from the not so good. I agree that the system admin should set the passwords, but it is up to us to make sure that they are aware and it gets done. When someone gets in and screws up our hard work, people look at the developer for not writing secure code. Even though it may not be our error, we need to make sure that all the loopholes are secured.

  • http://diigital.com cranial-bore

    you should also lock your car when leaving it unattended for several hours.