Default, Blank and Weak Username and PasswordsTeam Shatter Exclusive

TeamSHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities and Misconfigurations in order to you with the most up-to-date vulnerabilities, risk and remediation information.

Today’s topic is Default, Blank & Weak Username/Passwords.

It has been a long standing practice in the software industry to create default accounts during the installation of software packages. Some are required to complete the actions required during installation.

Others are present to provide users with a convenient means to start testing the software out of the box. Many are part of demo packages and others get created during the installation of 3rd party software.

For example, a CRM package might create several accounts in the backend database, for install, admin and regular users. The database management system or DBMS industry has not been excluded from this practice.

For a long period of time, Oracle created the username/password of ‘SCOTT’/’TIGER’. SQLServer had ‘sa’ with a blank password.    DB2 came with ‘db2admin’/’db2admin’ as a default.

The list goes on. Other default accounts are installed by 3rd party products.

For example, SAP creates a slew of default database users at the time of installation.Attackers are constantly looking for an easy way to steal sensitive data.

By undertaking the simple task of creating customized username/password combinations and ensuring DBMS do not have default, blank, and weak username/passwords you can easily mitigate internal and external threats to your sensitive data.

Recently, things have improved. Most DBMS’s now ask for custom usernames and/or passwords in the installer screens. Nonetheless, the risk has not been eliminated. At present, Googling ‘Oracle default users’ produces more than 3 million pages, with more than 1,000 default username/password combinations.

To create a strong password:

  • Don’t use words that can be easily guessed or found in the dictionary
  • Use a combination of letters, numbers and characters
  • Create a complex sentence instead of a word
  • Do not share your password with anyone or write it down and leave it in your desk drawer
For a comprehensive list of default passwords, check out the TeamSHATTER Threat Finder and run a search or check out  the recent search that I performed.
Vulnerability 1 of 10.

Leave a Reply

Name (required)

Mail (will not be published) (required)


Please note: JavaScript is required to post comments.

Powered by