Default Passwords and Password Reuse
This section will cover default passwords and password reuse.
Table of Contents
- Overview
- Default Passwords Found
- Password Reuse
- Credential Stuffing
- Mitigations
Overview
It is common to find users and administrators leaving the default passwords in place in an application. If default password credentials are found, the finding name would be "Default Passwords Used".
It is also common for users and administrators to reuse the password set for one application on other applications, as it is "convenient" for them to have fewer passwords to remember and keep track of. If password reuse is found, the finding name would be "Password Reuse".
Default passwords and password reuse leave the accounts open to attacks such as credential stuffing.
Default Passwords Found
An example of a default password finding is a system that exposes a login page. This example will use Nginx Proxy Manager.
The default credentials for Nginx Proxy Manager are admin@example.com:changeme. If an attacker navigates to the login page and is able to log in using the default credentials, this can be flagged as a finding.
Password Reuse
A password reuse finding occurs when the server runs two services, such as SSH and FTP, and the password is the same for both applications.
An example is where the SSH credentials are myuser:secretPW. The username may differ between services, but if we manage to identify the same user on the FTP service and log in using the SSH credentials of myuser:secretPW, this can be flagged as a finding.
Credential Stuffing
Credential stuffing is an attack where a wordlist of known credentials is used to log in to other services.
An example is using a wordlist of default passwords for different services. Using tools such as Hydra, we can specify the wordlists or credentials to use and run them against different services.
Another example is where an attacker takes credentials from a data breach and uses them against other services. If the attacker is successful, this indicates that the user has reused their password across different services.
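From the defender's side, a credential stuffing run against SSH shows up in the auth log as one source trying many distinct usernames in a short window, sometimes followed by a successful login (the signal that one of the tried credentials was a default or reused one). The following detector is an added example, not part of the original notes; the log lines are constructed, and the window and username threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd password events in syslog format (assumed format, constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log: a burst of usernames from one source, then a
# successful login from the same source, next to one ordinary failure elsewhere.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Mar 10 09:00:02 host sshd[102]: Failed password for invalid user root from 198.51.100.7 port 50002 ssh2
Mar 10 09:00:03 host sshd[103]: Failed password for invalid user test from 198.51.100.7 port 50003 ssh2
Mar 10 09:00:04 host sshd[104]: Failed password for invalid user guest from 198.51.100.7 port 50004 ssh2
Mar 10 09:00:05 host sshd[105]: Failed password for myuser from 198.51.100.7 port 50005 ssh2
Mar 10 09:00:06 host sshd[106]: Accepted password for myuser from 198.51.100.7 port 50006 ssh2
Mar 10 09:30:00 host sshd[107]: Failed password for alice from 203.0.113.5 port 40001 ssh2
"""

def parse(lines):
    """Yield (timestamp, result, user, src) for each sshd password event."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def detect_stuffing(lines, window_s=60, min_users=4):
    """Return (flagged, hits): flagged maps a source to the time it first tried
    at least min_users distinct usernames within window_s seconds; hits lists
    (src, user) for logins accepted from an already-flagged source."""
    recent = defaultdict(deque)   # src -> sliding window of (ts, user) failures
    flagged, hits = {}, []
    for ts, result, user, src in parse(lines):
        if result == "Accepted":
            if src in flagged:
                hits.append((src, user))
            continue
        window = recent[src]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()   # drop failures older than the window
        if src not in flagged and len({u for _, u in window}) >= min_users:
            flagged[src] = ts
    return flagged, hits

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))
```

A hit for a named account such as myuser is the point to rotate that password and check whether it was also set on other services like FTP.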
Mitigations
Do not use default credentials; ensure that they are changed as soon as the application is installed.
For password reuse, do not reuse passwords across different applications. Ensure that each password is unique to its application.