CISA Pushes for the Removal of Default Passwords
The government agency has warned that Iranian threat actors are leveraging default passwords to access U.S. infrastructure.
- U.S. government agencies are pushing manufacturers in the tech industry to stop using default passwords in the devices they build.
- CISA has stated that relying on device customers to change the default password is insufficient to meet the security standards of critical end-use deployments.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned tech manufacturers to stop shipping devices and software with default passwords, particularly for systems exposed to the internet. The agency cited the critical risk that threat actors leverage these credentials to gain access to, and operate within, targeted organizations.
The warning accompanies a published alert calling out Iranian state-backed hackers for exploiting devices used by critical infrastructure services within the U.S. by means of default device and software passwords. Default passwords are easily found on public forums and are often data-mined for malicious operations.
Default credentials such as ‘admin’ or ‘1234’ are widely used by device manufacturers, and by system administrators in organizations, to streamline operations. In addition, these passwords are often left unchanged by the end user. Consequently, they can be used to create backdoors and gain access to vulnerable devices that are reachable from the web.
CISA has recommended that manufacturers provide their customers with a unique setup password for every instance of a product instead of using a single default password across all products and versions. Alternatively, the agency has suggested putting time limits on passwords used during setup, with a transition to stronger alternatives such as multi-factor authentication.
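As an added illustration (not code from CISA's alert or from this article), the following Python model shows what those two recommendations look like in a device's firmware: a unique, randomly generated setup password per unit that is stored only as a hash, that expires after a setup window, and that is retired once the owner sets their own credential. The 24-hour window, the scrypt parameters and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumed policy values (not from the article): the setup credential is valid
# for 24 hours after the first authentication attempt, then must be replaced.
SETUP_WINDOW_SECONDS = 24 * 60 * 60
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def provision_unit(serial: str) -> tuple[str, dict]:
    """Run once per unit at manufacture. Returns the setup password printed on
    the unit's label and the record written to firmware (hash only, never the
    password itself), so no two units ever share a credential."""
    password = secrets.token_urlsafe(12)   # CSPRNG, unique per unit
    salt = os.urandom(16)
    record = {"serial": serial, "salt": salt, "setup_hash": _hash(password, salt),
              "window_start": None, "user_hash": None}
    return password, record


def verify_setup_login(record: dict, candidate: str, now: float) -> str:
    """Check a login against the one-time setup credential.
    Returns 'ok', 'bad', 'expired' or 'replaced'."""
    if record["user_hash"] is not None:
        return "replaced"                  # setup credential retired after setup
    if record["window_start"] is None:
        record["window_start"] = now       # window opens on the first attempt
    elif now - record["window_start"] > SETUP_WINDOW_SECONDS:
        return "expired"                   # stale unit: needs an out-of-band reset
    if hmac.compare_digest(_hash(candidate, record["salt"]), record["setup_hash"]):
        return "ok"
    return "bad"


def complete_setup(record: dict, new_password: str) -> None:
    """Owner sets their own credential; the label password stops working."""
    record["salt"] = os.urandom(16)
    record["user_hash"] = _hash(new_password, record["salt"])
    record["setup_hash"] = None
```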
The warning highlights that default passwords should be used only for initial testing, installation and configuration, and the need for greater accountability among end users and the IT and system administrators in organizations.