CISA really wants tech makers to stop using default passwords


The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to manufacturers, urging them to stop shipping their internet-connected products with default passwords as a matter of security.

CISA believes these default passwords pose a substantial risk to organizations, allowing attackers to easily breach systems whenever the factory credentials have not been changed, as users are supposed to do.

The agency also cited the recent actions of threat actors connected to the Islamic Revolutionary Guard Corps (IRGC) as a case in point: they used default passwords to break into critical infrastructure systems across the US.

Better alternatives

Attackers can quite easily search for an organization's endpoints that are exposed to the internet. The default passwords these endpoints ship with are just as easy for anyone to look up, and many organizations never bother changing them.

Attackers rely on this fact: a default password gives them easy initial access, a foothold for lateral movement across an organization's entire network, and often administrative control of the device itself.

The IRGC hackers were discovered breaching programmable logic controllers (PLCs) by using the default password supplied with them, which gave them full control of the devices. The PLCs were used as part of water and wastewater systems in the US.

CISA says that in this case, the default passwords were spread across underground forums commonly used by cybercriminals, and anyone could have found them.

In light of this attack, CISA is now advising that vendors either provide a unique setup password for each individual unit of a product, or deactivate the default password after a certain time, forcing users to replace it with a unique password of their own.

Other authentication methods were also suggested, such as multi-factor authentication (MFA), as well as requiring physical access to devices during setup.
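The two vendor-side controls CISA describes above (a per-unit setup password rather than one shared default, and a setup credential that stops working after a set window or once a real password is chosen) can be modelled in a few dozen lines. The example below is added here by the editor and is not CISA's or any vendor's code; the serial numbers are constructed, the 24-hour setup window is an assumption, and it assumes that a unit whose window expires before setup can only be recovered with physical access to the device, in line with the physical-access suggestion mentioned above.

```python
"""Toy model of a device login policy without a shared default password.

Added example (editor's, not CISA's or any vendor's). Each unit gets its own
random setup password at manufacture; that password only works until the
owner sets a real password or until the setup window expires. After the
window expires with no password set, recovery is assumed to need physical
access to the unit (reset button), which is out of scope here.
"""
import hashlib
import hmac
import os
import secrets

# Assumption: the per-unit setup password is valid for 24 hours after first boot.
SETUP_WINDOW_SECONDS = 24 * 3600
MIN_PASSWORD_LENGTH = 12


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither the setup nor the user password is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    def __init__(self, serial: str, first_boot: float):
        self.serial = serial
        self.first_boot = first_boot
        # Unique per unit; in a real product this would be printed on the unit's label.
        self.setup_password = secrets.token_urlsafe(12)
        self._setup_salt = os.urandom(16)
        self._setup_hash = _hash(self.setup_password, self._setup_salt)
        self._user_salt = None
        self._user_hash = None
        self.setup_password_disabled = False

    def setup_password_active(self, now: float) -> bool:
        """The setup password works only before a real password exists and inside the window."""
        return (
            not self.setup_password_disabled
            and self._user_hash is None
            and now - self.first_boot <= SETUP_WINDOW_SECONDS
        )

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'must_set_password' (setup credential accepted) or 'denied'."""
        if self._user_hash is not None:
            candidate = _hash(password, self._user_salt)
            return "ok" if hmac.compare_digest(candidate, self._user_hash) else "denied"
        if self.setup_password_active(now):
            candidate = _hash(password, self._setup_salt)
            if hmac.compare_digest(candidate, self._setup_hash):
                # Setup credential only ever grants the right to choose a real password.
                return "must_set_password"
        return "denied"

    def set_password(self, setup_password: str, new_password: str, now: float) -> bool:
        """Complete setup: replace the setup password with a user-chosen one, then retire it."""
        if self.login(setup_password, now) != "must_set_password":
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH or new_password == setup_password:
            return False
        self._user_salt = os.urandom(16)
        self._user_hash = _hash(new_password, self._user_salt)
        self.setup_password_disabled = True
        return True


def provision_batch(serials, first_boot: float) -> dict:
    """Manufacturing-line step: one DeviceAuth per serial, each with its own setup password."""
    return {serial: DeviceAuth(serial, first_boot) for serial in serials}


if __name__ == "__main__":
    # Constructed serial numbers for a demonstration batch.
    batch = provision_batch(["SN-0001", "SN-0002"], first_boot=0.0)
    for serial, dev in batch.items():
        print(serial, "setup password:", dev.setup_password)
    dev = batch["SN-0001"]
    print(dev.login("admin", 10.0))                                    # denied: no shared default
    print(dev.set_password(dev.setup_password, "correct horse battery staple", 10.0))
    print(dev.login(dev.setup_password, 20.0))                         # denied: setup password retired
```

The two checks worth noting are that `login` with the setup password never returns `ok`, only `must_set_password`, so the factory credential can never be used to operate the device, and that `setup_password_active` ties the credential to both the absence of a user password and the setup window, so a unit left on the shelf with its label attached does not stay open indefinitely.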

CISA also urged manufacturers to adopt secure-by-design principles, and to make sure users are aware that cybersecurity issues in these products can affect the public.

CISA suggested field tests as well, so that manufacturers can see how customers actually use their products in the wild and decide how best to secure their devices.


Lewis Maddison
Reviews Writer
