{
	"id": "f801290d-9483-42de-82e3-af510629dbca",
	"created_at": "2026-04-06T01:30:13.875699Z",
	"updated_at": "2026-04-10T13:11:50.024384Z",
	"deleted_at": null,
	"sha1_hash": "cdba571fc1f0f3e9d15b6b869633f8919a95fba5",
	"title": "Risks of Default Passwords on the Internet | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71739,
	"plain_text": "Risks of Default Passwords on the Internet | CISA\r\nPublished: 2016-10-07 · Archived: 2026-04-06 00:51:36 UTC\r\nSystems Affected\r\nAny system using password authentication accessible from the internet may be affected. Critical infrastructure and\r\nother important embedded systems, appliances, and devices are of particular concern.\r\nOverview\r\nAttackers can easily identify and access internet-connected systems that use shared default passwords. It is\r\nimperative to change default manufacturer passwords and restrict network access to critical and important\r\nsystems.\r\nWhat Are Default Passwords?\r\nFactory default software configurations for embedded systems, devices, and appliances often include simple,\r\npublicly documented passwords. These systems usually do not provide a full operating system interface for user\r\nmanagement, and the default passwords are typically identical (shared) among all systems from a vendor or within\r\nproduct lines. Default passwords are intended for initial testing, installation, and configuration operations, and\r\nmany vendors recommend changing the default password before deploying the system in a production\r\nenvironment.\r\nWhat Is the Risk?\r\nAttackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be\r\nfound in product documentation and compiled lists available on the internet. 
It is possible to identify exposed\r\nsystems using search engines like Shodan, and it is feasible to scan the entire IPv4 internet, as demonstrated by\r\nsuch research as\r\nShiny Old VxWorks Vulnerabilities\r\nSecurity Flaws in Universal Plug and Play: Unplug, Don't Play\r\nSerial Offenders: Widespread Flaws in Serial Port Servers\r\nThe Wild West\r\nInternet Census 2012\r\nAttempting to log in with blank, default, and common passwords is a widely used attack technique.\r\nImpact\r\nAn attacker with knowledge of the password and network access to a system can log in, usually with root or\r\nadministrative privileges. Further consequences depend on the type and use of the compromised system.\r\nhttps://us-cert.cisa.gov/ncas/alerts/TA13-175A\r\nPage 1 of 4\n\nExamples of incident activity involving unchanged default passwords include\r\nInternet Census 2012 Carna Botnet distributed scanning\r\nFake Emergency Alert System (EAS) warnings about zombies\r\nStuxnet and Siemens SIMATIC WinCC software\r\nKaiten malware and older versions of Microsoft SQL Server\r\nSSH access to jailbroken Apple iPhones\r\nCisco router default Telnet and enable passwords\r\nSNMP community strings\r\nSolution\r\nChange Default Passwords\r\nChange default passwords as soon as possible and absolutely before deploying the system on an untrusted network\r\nsuch as the internet. Use a sufficiently strong and unique password. See US-CERT Security Tip ST04-002 and\r\nPassword Security, Protection, and Management for more information on password security.\r\nUse Unique Default Passwords\r\nVendors can design systems that use unique default passwords. Such passwords may be based on some inherent\r\ncharacteristic of the system, like a MAC address, and the password may be physically printed on the system.\r\nUse Alternative Authentication Mechanisms\r\nWhen possible, use alternative authentication mechanisms like Kerberos, x.509 certificates, public keys, or multi-factor authentication. 
Embedded systems may not support these authentication mechanisms and the associated\r\ninfrastructure.\r\nForce Default Password Changes\r\nVendors can design systems to require password changes the first time a default password is used. Recent versions\r\nof DD-WRT wireless router firmware operate this way.\r\nRestrict Network Access\r\nRestrict network access to trusted hosts and networks. Only allow internet access to required network services,\r\nand unless absolutely necessary, do not deploy systems that can be directly accessed from the internet. If remote\r\naccess is required, consider using VPN, SSH, or other secure access methods and be sure to change default\r\npasswords.\r\nVendors can design systems to only allow default or recovery password use on local interfaces, such as a serial\r\nconsole, or when the system is in maintenance mode and only accessible from a local network.\r\nIdentify Affected Products\r\nIt is important to identify software and systems that are likely to use default passwords. 
The following list includes\r\nsoftware, systems, and services that commonly use default passwords:\r\nRouters, access points, switches, firewalls, and other network equipment\r\nDatabases\r\nWeb applications\r\nIndustrial Control Systems (ICS) systems\r\nOther embedded systems and devices\r\nRemote terminal interfaces like Telnet and SSH\r\nAdministrative web interfaces\r\nRunning a vulnerability scanner on your network can identify systems and services using default passwords.\r\nFreely available scanners include Metasploit and OpenVAS.\r\nReferences\r\nThe Risk of Default Passwords\r\nSHODAN - Computer Search Engine\r\nShiny Old VxWorks Vulnerabilities\r\nSecurity Flaws in Universal Plug and Play: Unplug, Don't Play\r\nSerial Offenders: Widespread Flaws in Serial Port Servers\r\nThe Wild West\r\nInternet Census 2012\r\nZombie hack blamed on easy passwords\r\nSecure EAS Codecs Prevent Zombie Attacks\r\nSCADA System's Hard-Coded Password Circulated Online for Years\r\nAfter Worm, Siemens Says Don't Change Passwords\r\n\"Kaiten\" Malicious Code Installed by Exploiting Null Default Passwords in Microsoft SQL Server\r\nWeb Interface - DD-WRT Wiki\r\nPenetration Testing Software | Metasploit\r\nOpen Vulnerability Assessment System\r\nRevisions\r\nInitial release\r\nSource: https://us-cert.cisa.gov/ncas/alerts/TA13-175A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/TA13-175A"
	],
	"report_names": [
		"TA13-175A"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439013,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdba571fc1f0f3e9d15b6b869633f8919a95fba5.pdf",
		"text": "https://archive.orkl.eu/cdba571fc1f0f3e9d15b6b869633f8919a95fba5.txt",
		"img": "https://archive.orkl.eu/cdba571fc1f0f3e9d15b6b869633f8919a95fba5.jpg"
	}
}