Should default passwords always be empty?

Developer https://www.devze.com 2022-12-27 18:47 Source: Internet
I'm currently designing a system that requires an admin to log in using a password. For certain reasons, it is difficult to set this password during installation, but it can be changed later.

My idea is this: If I leave the default password empty, it is so horridly insecure that every admin is going to fix this as soon as possible. If I were to use some kind of predefined password instead, admins may think "ah.. nobody would think I've got 'defaultpassword' as my password so it's not very important to change."

So the basic thought is to make it so terrible that even the most lazy people are going to do something about it.

Edit: In my case, it is impossible to have the password changed on first login. It has to be manually edited in an XML file. It's a bad environment, but it's difficult to change, that's why I'm asking. I'd love to have a solution like for instance Windows does.

Edit: I never touched this topic, so I was not familiar with the related issues. I proposed such a crazy idea! I see I still have to learn a lot. I'll leave this open for a while, then accept the most voted answer. Thanks for the insight!


I would never advise setting a default password to be empty, especially for an administrator.

As another solution along the same lines, create a generated, high-entropy, cryptic (my example is nowhere near cryptic, but it's an example) first-time password so your user will think:

"Wow, f45zaH67 is something I'll never remember, let me go ahead and change that"


Microsoft used a blank default password for the administrative account "sa" for SQL Server. The "sa" account has complete control over the database and can access cmd.exe using xp_cmdshell(). You can log in to the database over port 1433. Worms spread by using the sa account with a blank password; over the years many databases were hacked. Finally Microsoft addressed the issue by forcing the user to set a password on install.

Never have a default password (especially if it allows remote code execution)


Can't you just force them to change it on first login?

Based on your edit...

I would opt for randomly generating a password (as already suggested). The benefit of this is not only should it make the admin change it, but if they don't, you can be sure it ain't gonna be easy to guess. Either way the account will be more secure than it would with a blank password (big no-no).


As requested, added as an answer.

Or set it to something completely random that you display to them during installation...? I don't think a blank password is ever a good idea.


It's interesting to note that Windows was changed a while back so you can't remote desktop in to another machine if the account you're using has a blank password.

Any default password is a bad password, blank or no. The admin needs to change it. Detecting that an account has the default password and limiting its access in a few ways is one way to encourage users to change their password, or otherwise partially secure their system for them.
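A sketch of the "detect the default password and limit access" idea from the answer above, added here as an example and not taken from any poster's code. The `Account` fields, the action names and the policy itself (refuse empty passwords outright; allow a still-default account only from loopback and only to change its password) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    must_change: bool          # hypothetical flag: shipped/generated password still set
    has_empty_password: bool   # hypothetical flag: no password stored at all

# Actions a still-default account may perform (assumed names).
ALLOWED_WHILE_DEFAULT = {"change_password", "logout"}

def is_local(remote_addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.0.0.1)."""
    ip = ipaddress.ip_address(remote_addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 addresses have this
    return (mapped or ip).is_loopback

def authorize(account: Account, remote_addr: str, action: str):
    """Return (allowed, reason) for one request after the password check passed."""
    if account.has_empty_password:
        return False, "empty password: login refused"
    if account.must_change:
        if not is_local(remote_addr):
            return False, "default password: remote login refused"
        if action not in ALLOWED_WHILE_DEFAULT:
            return False, "default password: change it first"
    return True, "ok"

if __name__ == "__main__":
    admin = Account("admin", must_change=True, has_empty_password=False)
    # Constructed sample requests (203.0.113.7 is a documentation address).
    for addr, action in [("203.0.113.7", "change_password"),
                         ("127.0.0.1", "view_users"),
                         ("127.0.0.1", "change_password")]:
        print(addr, action, authorize(admin, addr, action))
```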


Wow ... do admins really command such little respect? It seems as if the standard assumption is that they WILL screw things up, no?


Just don't use username/password credentials but look for some other ways to authenticate.


Since answering your own questions is encouraged on SO, I'm going to present an idea I thought of. But especially after reading the other answers on this thread, I don't have much confidence in this solution.

Block login, or at least pop up a warning message (optionally rendering the application in annoying neon-yellow colors) until the default password was changed.


How about setting it to a random password (as somebody mentioned) and REQUIRING the user to change it before proceeding?


"My idea is this: If I leave the default password empty, it is so horridly insecure that every admin is going to fix this as soon as possible."

Everyone already thinks this way; this is why my tiny Linux system with only 10 daemons will never be secure, because I can't be bothered to go find all the "insecure by default" things and fix them.

If this is a network system, you are now in a race with the hacker who just watched you install the "system"; if he gets to log in with the default pass before you get a chance to change it, you lose.

When you install the "system", it asks the user to make an admin account.

And optionally:

If the user chooses "no" to make an account, [s]he can add one later by running a program locally on the system that will edit the xml file and add an admin user.

Generating a random password during install is fine too, but if it's some GUI app instead of webapp, you'd probably want to make sure the user can copy/paste the password to a text file or something. Nothing is more annoying than writing down a generated password on paper :)
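The install-time approach several answers suggest (a random password generated per installation, shown once, recorded in the XML file), as an added example that is not code from the question or any answer. The XML layout and attribute names are hypothetical, and storing a salted PBKDF2 hash instead of the password itself is an assumption about what the application can be made to read.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET

# Constructed sample of the admin config file; element/attribute names are hypothetical.
SAMPLE_CONFIG = "<config><admin name='admin' password=''/></config>"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def _hash(password: str, salt: bytes) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return base64.b64encode(digest).decode()

def provision_admin(config_xml: str):
    """Return (updated XML, one-time password to show the installer once)."""
    root = ET.fromstring(config_xml)
    admin = root.find("admin")
    password = secrets.token_urlsafe(12)   # 96 bits from the OS CSPRNG, 16 characters
    salt = secrets.token_bytes(16)
    admin.attrib.pop("password", None)     # no plaintext or empty password stays in the file
    admin.set("salt", base64.b64encode(salt).decode())
    admin.set("hash", _hash(password, salt))
    admin.set("must_change", "true")       # lets the application nag or restrict until changed
    return ET.tostring(root, encoding="unicode"), password

def verify(config_xml: str, candidate: str) -> bool:
    """Check a login attempt against the stored hash; empty passwords never match."""
    admin = ET.fromstring(config_xml).find("admin")
    if not candidate or admin.get("hash") is None:
        return False
    salt = base64.b64decode(admin.get("salt"))
    return hmac.compare_digest(_hash(candidate, salt), admin.get("hash"))

if __name__ == "__main__":
    new_xml, one_time = provision_admin(SAMPLE_CONFIG)
    print("Initial admin password (copy it now):", one_time)
    print(new_xml)
```

Because the password is different on every installation, there is no shared default for anyone to look up, and printing it as copyable text covers the copy/paste point in the last answer.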
