Psst… What’s the Password?
Ah, Passwords! We love them and we hate them! Most people consider them a necessary evil, the price we pay for Security.
Well, did you know that weak passwords are going to be ILLEGAL?
New legislation in California (SB-327) that becomes effective on January 1, 2020 requires manufacturers of connected devices to equip them with reasonable security features.
This means that things like shipping the same default Username/Password on every one of your devices will become a big NO-NO.
I’m sure there are a lot of people wondering why that’s such a big deal.
Well, let me tell you a short story: A number of years ago I worked as Technical Support for an international company that manufactured Network equipment (Firewalls, switches, Email servers, etc.)
One day some fellow phones up and says he’s been hacked. So I get some information and bring up his Customer details. I can tell he’s got a big network, because I’m looking at a list of our products that was worth around $500,000, for just the hardware. So he was responsible for a huge amount of equipment.
Anyway, we get to the part of the story where he needs to provide me with access, in order to investigate the logs and see what may have happened. So he gives me the address for one of his outside-facing Firewalls (which was one of ours) and then provides me with the login for it. I paused for a few seconds and asked him to repeat the information, because it was our Default Administrative User Login.
Well, long story short, I found the log entry for when the “Hacker” had logged in and that was that.
The thing is, any device’s default login information is public knowledge. It’s not a secret, it was never meant to be a secret, and it is freely available on the Internet, even for Security Appliances like Firewalls. It’s well-known doctrine that you change any and all defaults on a device before you connect it to the Internet, but even well-paid people in charge of huge amounts of equipment and information don’t always do it.
All it takes is one little slip like that and suddenly every single Security Measure you put in place is completely useless.
To help prevent this sort of thing, California is forcing the issue. IoT devices are a good example of where something like this is necessary. I’m always seeing articles relating to IoT devices having hard-coded Admin User logins that can’t be changed or shut down. This law will make selling something like that illegal.
It’s easy enough for any manufacturer to implement this. One option is a unique password for each device. Be careful here: a password that is simply the Serial Number, or an obvious transformation of it, is not good enough, because the serial is printed on the case, shows up in network scans and is often sequential. The per-device password needs to be generated randomly at the factory, or derived from the serial with a secret that the manufacturer keeps and never ships on the device. Another option is a setup that forces the User to change the password the first time the Admin User logs in, and refuses to do anything else until that’s done. Those are, in fact, the two approaches the California law itself names.
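Here is what those two options look like together, as an added example that is not from the original post or from TRINUS. It shows a per-device factory password derived with HMAC from the serial number plus a manufacturer secret (the secret value here is constructed for the example; a real factory line would keep it in an HSM), a device-side admin account that stores only a salted hash of that password, and a first-login gate that refuses every admin action until the factory password has been replaced. The forbidden-defaults list and the minimal password policy are assumptions for illustration, not a standard.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed for this example: a secret that lives only on the manufacturer's
# provisioning line. It is never stored on the device; the device keeps only a
# salted hash of the password derived from it.
FACTORY_SECRET = b"example-factory-secret-do-not-ship"  # constructed value

# Well-known defaults that must never be burned into a device (illustrative list).
FORBIDDEN_DEFAULTS = {"admin", "password", "1234", "12345678", ""}


def factory_password(serial: str, secret: bytes = FACTORY_SECRET, length: int = 16) -> str:
    """Per-device initial password: HMAC-SHA256(secret, serial), Base32 encoded.
    The serial alone is printed on the case and easy to guess, so it is keyed
    with a secret an attacker holding the device does not have."""
    digest = hmac.new(secret, serial.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen device image does not yield the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def acceptable_new_password(candidate: str) -> bool:
    """Minimal policy for the user-chosen replacement (assumed thresholds)."""
    return len(candidate) >= 12 and candidate.lower() not in FORBIDDEN_DEFAULTS


class DeviceAdmin:
    """Admin account on the device. The factory password is good for exactly
    one thing: setting a new password. Everything else is refused until then."""

    def __init__(self, serial: str, initial_password: str):
        if initial_password.lower() in FORBIDDEN_DEFAULTS:
            raise ValueError("refusing to provision a well-known default password")
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(initial_password, self._salt)
        self.must_change = True

    def _verify(self, password: str) -> bool:
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(self._hash, _hash_password(password, self._salt))

    def login(self, password: str) -> str:
        """Returns 'ok', 'change-required' or 'denied'."""
        if not self._verify(password):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Only path out of the change-required state; re-salts the new hash."""
        if not self._verify(current) or new == current or not acceptable_new_password(new):
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new, self._salt)
        self.must_change = False
        return True

    def run_admin_command(self, password: str, command: str) -> bool:
        """Any real admin action is refused until the factory password is gone.
        The command itself is a placeholder; only the gate is demonstrated."""
        return self.login(password) == "ok"


def provision(serial: str):
    """What the factory line does: derive the password, store only its hash on
    the device, and return the cleartext once so it can be printed on the label."""
    label_password = factory_password(serial)
    return DeviceAdmin(serial, label_password), label_password


if __name__ == "__main__":
    device, label_pw = provision("SN-0001")
    print("label password:", label_pw)
    print("login with 'admin':", device.login("admin"))
    print("login with label password:", device.login(label_pw))
    print("config before change:", device.run_admin_command(label_pw, "show-config"))
    print("set weak password:", device.change_password(label_pw, "password"))
    print("set real password:", device.change_password(label_pw, "correct horse battery staple"))
    print("label password afterwards:", device.login(label_pw))
```

Two details are worth noticing. Two devices with different serials get different passwords, so a leak of one label does not open the rest of the fleet, and the device itself never holds the factory secret, so dumping its flash does not let an attacker derive passwords for other units. The `must_change` flag is the enforcement point: a `login` that merely warns the user to change the password would satisfy neither the spirit of the law nor the support story above.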
Setting up good Security isn’t complicated. You approach the situation from the point of view of someone trying to exploit things to their own benefit. The trick is knowing when to stop. Have you ever heard the phrase “Acceptable Risk”? It means there’s no such thing as Perfect Security, so the question becomes how much you are willing and able to do, or pay, to improve what you have. At some point the cost of the next improvement stops being worth the money and effort.
Having good, solid passwords, supported by a robust Password Policy and changed whenever there’s reason to think they’ve been exposed, will not prevent you from ever being hacked. However, it’s a simple and easy step in the right direction that makes a compromise a lot less likely.
If you have any questions about improving your own passwords, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.