Cisco, haven't we learned anything? (technician reset)

> Actually, and fairly recently, this IS a default password in IOS. New
> out-of-box 28xx series routers have cisco/cisco installed as the default
> password with privilege 15 (full access). This is a recent development.

This is hardly only Cisco's problem. Most office routers I've dealt with
also come with a default username/password, and on occasions when I dealt
with existing installations those passwords had rarely been changed.

What should really be done (BCP for manufacturers ???) is have the default
password based on the unit's serial number. Since most routers provide this
information (i.e. it's preset in the chip's EPROM) I don't understand
why it's so hard to just create a simple function as part of the software to
use this data if the password is not otherwise set.

Ex: That's how a Netscreen 5 works after a reset. The password is the
serial # if I remember correctly.

-M<

How much entropy is there in such a serial number? Little enough
that it can be brute-forced by someone who knows the pattern? Using
some function of the serial number and a vendor-known secret key is
better -- until, of course, that "secret" leaks. (Anyone remember how
telephone credit card number verification worked before they could do
full real-time validation? The Phone Company took a 10-digit phone
number and calculated four extra digits, based on that year's secret.
Guess how well that secret was kept....)

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
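To put numbers on the two points above (a structured serial number is a small guessing space, and a keyed function of it is only as strong as the key stays secret), here is an added illustration that is not part of the original thread. The serial-number pattern, the legend, the HMAC-SHA256/base32 derivation and the sample key are all constructed for this example and are not any vendor's actual scheme.

```python
import base64
import hashlib
import hmac
import math

# Legend for a serial-number pattern (constructed for this example, not any
# vendor's real format): F = fixed/known character (site or model prefix),
# D = decimal digit, X = upper-case alphanumeric.
CLASS_SIZES = {"F": 1, "D": 10, "X": 36}


def serial_guess_bits(pattern: str) -> float:
    """Upper bound on the guessing work, in bits, for someone who knows the
    pattern. Real serials (date codes, sequential assignment) fit an even
    narrower range, so this figure is optimistic for the defender."""
    return sum(math.log2(CLASS_SIZES[c]) for c in pattern)


def derive_default_password(vendor_secret: bytes, serial: str,
                            length: int = 12) -> str:
    """Keyed derivation of a per-unit default password: HMAC-SHA256 of the
    serial under a vendor-held key, base32-encoded and truncated. Each
    base32 character carries 5 bits, so 12 characters are 60 bits of work
    while the key remains secret."""
    mac = hmac.new(vendor_secret, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:length]


def attacker_work_bits(pattern: str, password_length: int,
                       secret_leaked: bool) -> float:
    """Guessing work against one unit's derived password. While the vendor
    key is secret, the attacker faces the full password space. Once the key
    leaks, the password is a function of the serial alone, so the work
    collapses to the serial pattern (or to zero if the label is readable)."""
    if secret_leaked:
        return serial_guess_bits(pattern)
    return 5.0 * password_length


if __name__ == "__main__":
    pattern = "FFFDDDDXXXX"           # constructed: 3 fixed, 4 digits, 4 alnum
    serial = "ABC0612K7Q2"            # constructed sample matching the pattern
    key = b"example-vendor-key"       # placeholder, not a real secret
    print("serial pattern bits:", round(serial_guess_bits(pattern), 2))
    print("derived password:", derive_default_password(key, serial))
    print("work, key secret:", attacker_work_bits(pattern, 12, False))
    print("work, key leaked:", round(attacker_work_bits(pattern, 12, True), 2))
```

The comparison is the point: about 34 bits for the bare serial versus 60 bits for the keyed password, which drops straight back to the serial's 34 bits the moment the single vendor-wide key leaks, because every unit shares it.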

On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...

> How much entropy is there in such a serial number? Little enough
> that it can be brute-forced by someone who knows the pattern? Using
> some function of the serial number and a vendor-known secret key is
> better -- until, of course, that "secret" leaks. (Anyone remember how
> telephone credit card number verification worked before they could do
> full real-time validation? The Phone Company took a 10-digit phone
> number and calculated four extra digits, based on that year's secret.
> Guess how well that secret was kept....)

Hi Steven,

I believe the Netscreen default password of a serial number can only be
entered over the console (and possibly modem/aux) port(s).

That works for me. But note William Leibzon's issue:

  That works too and is the most secure way.

  But it's often enough that small offices would not have a person who can fix
  the system, and it's not always possible to get the network guy to come in right
  away. It is good for those cases to be able to ask somebody onsite to just
  look at the back and dictate the serial# by phone.

If you have physical access, the root password matters a lot less (and
if it's the serial number, the local attacker can just peer at the
back). If you need secure remote access -- well, it's not easy with
clueless local administrators. But there's much less excuse for
clueless developers, like the ones who created the login/password pair
that started this thread -- credentials that, according to one posting,
are acceptable for remote access.

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb