An Overview of the Usage of Default Passwords

Never mind sophisticated and persistent threats, what about simple and opportunistic ones?  Have we closed the door on attacks that require little investment on the part of attackers?  In particular, are we still shipping software without the most basic of security policies ?

B. Knieriem, X. Zhang, P. Levine, F. Breitinger & I. Baggili surveyed 21 open-sourced applications and 41 commercial applications for password policy issues. Specifically they were looking for programs that have a default password or allow the user to set a weak password, or no password at all.   From the  62 applications, they found that:

  • 32 applications used a default user name, which simplifies guessing attacks not only by focussing guessing efforts on the password but also by providing clues as to the permissions assigned to an account (e.g. “admin”)
  • 6 applications featured a default password, which allows an attacker to compromise systems by reading the manual(which is often available online) ,and
  • 32 applications accepted a blank password, which is quite easy to guess.

The full article will be published in Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST).

A pre-print version is available at: