The recent ruckus over MySQL on Windows was largely due to installations where the default root password was left untouched (which, in MySQL’s case, is no password at all).
I have never invested time thinking about default passwords, as I change the authentication configuration by ‘default’ on any device entering one of my networks, from routers, switches and servers to software applications and mobile devices.
This past week I started doing a little digging to see how frequently a vulnerability is in part due to default password management. I did not find much hard content on surveys of system administrator standard practice, probably because, in my humble opinion, it should be assumed that all user/password combinations will be modified at setup by any sys admin worth their salt.
What I did find were numerous sites cataloguing thousands of devices and applications by brand name, listing the default user and password combination and what levels of access the credentials enable. On the one hand this data is handy when inheriting or resetting old hardware/software; on the other hand it is a free library of cracking credentials for those with no life who pursue the intrusion of others’ networks for fun or theft.
The MySQL vulnerability should be a wake-up call for new and veteran system administrators alike, and reason enough for a comprehensive inventory of every device and application under your care. The output of an authentication audit should be a detailed matrix of accounts, the credentials each uses, whether each credential has been changed from the vendor default, and the level of access it grants.
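As an added example of what such an audit looks like for the MySQL case (this is illustrative code written for this post, not MySQL's own tooling), the script below takes rows as returned by `SELECT user, host, authentication_string, Super_priv FROM mysql.user;` and builds the matrix: it flags accounts with no password, anonymous accounts, and privileged accounts reachable from any host, then generates remediation statements for review. It assumes the MySQL 5.7+ column name `authentication_string` (older releases keep the hash in a column named `Password`); the sample rows, the dummy hash value and the `<set a strong password>` placeholder are all constructed for the example.

```python
"""Audit MySQL accounts for empty/default credentials and overly broad access.

Added example for this post, not MySQL's own tooling. It operates on rows as
returned by
    SELECT user, host, authentication_string, Super_priv FROM mysql.user;
on MySQL 5.7 and later (older releases store the hash in a column named
`Password`; that column name is the only version-specific assumption). The
sample rows below are constructed, including the dummy hash value.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (user, host, issue)


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    auth: str        # authentication_string; '' means no password is set
    super_priv: str  # 'Y' or 'N', as stored in mysql.user


DUMMY_HASH = "*0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real hash

# Constructed sample: roughly what a fresh, unhardened install looks like.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("root", "localhost", "", "Y"),          # default root, no password
    Account("root", "%", "", "Y"),                  # root from anywhere, no password
    Account("", "localhost", "", "N"),              # anonymous account
    Account("app", "10.0.0.%", DUMMY_HASH, "N"),    # fine: has a password, limited host
    Account("backup", "%", DUMMY_HASH, "Y"),        # SUPER from any host: worth a look
]


def audit(accounts: List[Account]) -> List[Finding]:
    """Return one (user, host, issue) tuple per problem; [] means clean."""
    findings: List[Finding] = []
    for a in accounts:
        if a.auth == "":
            findings.append((a.user, a.host, "empty password"))
        if a.user == "":
            findings.append((a.user, a.host, "anonymous account"))
        if a.host == "%" and (a.user == "root" or a.super_priv == "Y"):
            findings.append((a.user, a.host, "privileged account reachable from any host"))
    return findings


def _quote(s: str) -> str:
    """Quote a user or host as a MySQL string literal (doubling embedded quotes)."""
    return "'" + s.replace("'", "''") + "'"


def remediation_sql(findings: List[Finding]) -> List[str]:
    """Turn findings into statements an administrator can review and run.

    Anonymous accounts and root@'%' are dropped outright; accounts that merely
    lack a password get an ALTER USER with a placeholder, because the script
    deliberately never picks a password for you. Anything else is emitted as
    a comment to review by hand.
    """
    by_account: Dict[Tuple[str, str], Set[str]] = {}
    for user, host, issue in findings:
        by_account.setdefault((user, host), set()).add(issue)

    stmts: List[str] = []
    for (user, host), issues in by_account.items():
        acct = f"{_quote(user)}@{_quote(host)}"
        if "anonymous account" in issues or (user == "root" and host == "%"):
            stmts.append(f"DROP USER {acct};")
        elif "empty password" in issues:
            stmts.append(f"ALTER USER {acct} IDENTIFIED BY '<set a strong password>';")
        else:
            stmts.append(f"-- review {acct}: {', '.join(sorted(issues))}")
    return stmts


if __name__ == "__main__":
    findings = audit(SAMPLE_ACCOUNTS)
    print(f"{'user':<10}{'host':<12}issue")
    for user, host, issue in findings:
        print(f"{user or '(anon)':<10}{host:<12}{issue}")
    print("\n-- suggested remediation (review before running):")
    for stmt in remediation_sql(findings):
        print(stmt)
```

For a single server, `mysql_secure_installation`, which ships with MySQL, performs the same three fixes interactively (set the root password, remove anonymous users, disallow remote root login); the point of scripting it as above is that the same check can be run across an inventory of servers and the results kept as part of the credential matrix.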
If you lock the front door and windows and leave the back door ajar, someone will certainly come in uninvited.