CISA really wants tech makers to stop using default passwords


The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging manufacturers to stop shipping their internet-connected products with default passwords.

CISA believes these default passwords pose a substantial risk to organizations: if the factory credentials are never changed, as users are supposed to do, attackers can breach a system with no effort at all.

The agency cited the recent actions of threat actors connected to the Islamic Revolutionary Guard Corps (IRGC) as a case in point: they used default passwords to get into critical infrastructure systems across the US.

Better alternatives

Hackers can quite easily search for an organization's internet-exposed endpoints. The default passwords those endpoints ship with are just as easy to find, since vendors publish them in manuals and they circulate in public lists, and many organizations never change them.

Hackers rely on this fact. A default credential gives them easy initial access, a foothold for lateral movement within the organization's network, and often administrative control of the device itself.

The IRGC hackers were discovered breaching programmable logic controllers (PLCs) by using the default password supplied with them, allowing for full control of the devices. The PLCs were used as part of water and wastewater systems in the US.

CISA says that in this case, the default passwords were spread across underground forums commonly used by cybercriminals, and anyone could have found them.

In light of this attack, CISA is now advising that vendors either provide a unique setup password for each instance of a product, or deactivate default passwords after a certain time, forcing users to create their own unique password to replace them.

Other authentication methods were also suggested, such as multi-factor authentication (MFA), as well as requiring physical access to devices during setup.
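The following is an added illustration of the two vendor options CISA describes, not code from CISA or from any product: each unit gets its own randomly generated setup password at the factory, that password only works until a deadline, and the first successful login forces the owner to choose a replacement, after which the setup password is dead. The class, method and field names, the PBKDF2 work factor and the minimum password length are assumptions made for the example.

```python
"""Per-unit setup credentials that cannot be reused across a fleet.

Added example (not CISA's or any vendor's code). Names, work factor and
the 12-character minimum are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption: modest work factor for the example
MIN_PASSWORD_LEN = 12         # assumption: policy for the owner-chosen password


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only hashes are ever stored on the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class DeviceCredentials:
    serial: str
    setup_deadline: float                  # Unix time after which the setup password is dead
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _setup_hash: Optional[bytes] = None    # hash of this unit's one-off setup password
    _user_hash: Optional[bytes] = None     # hash of the password the owner chose

    def provision(self) -> str:
        """Factory step: mint a setup password unique to this unit.

        The plaintext is returned exactly once so it can be printed on the
        unit's label; the device keeps only the salted hash.
        """
        setup_password = secrets.token_urlsafe(12)
        self._setup_hash = _hash_password(setup_password, self._salt)
        return setup_password

    def authenticate(self, password: str, now: float) -> str:
        """Return 'ok', 'must_change_password' or 'denied'."""
        candidate = _hash_password(password, self._salt)
        if self._user_hash is not None:
            # Owner has set a password; the setup password is no longer accepted.
            return "ok" if hmac.compare_digest(candidate, self._user_hash) else "denied"
        # No owner password yet: only the setup password works, and only until the deadline.
        if self._setup_hash is None or now > self.setup_deadline:
            return "denied"
        if hmac.compare_digest(candidate, self._setup_hash):
            return "must_change_password"
        return "denied"

    def set_password(self, setup_password: str, new_password: str, now: float) -> bool:
        """First-login step: replace the setup password with an owner-chosen one."""
        if self.authenticate(setup_password, now) != "must_change_password":
            return False
        if new_password == setup_password or len(new_password) < MIN_PASSWORD_LEN:
            return False
        self._salt = secrets.token_bytes(16)            # fresh salt for the new secret
        self._user_hash = _hash_password(new_password, self._salt)
        self._setup_hash = None                         # setup password can never be reused
        return True


def provision_batch(serials, deadline: float) -> Dict[str, Tuple[DeviceCredentials, str]]:
    """Provision a production batch; every unit receives a different setup password."""
    batch = {}
    for serial in serials:
        device = DeviceCredentials(serial=serial, setup_deadline=deadline)
        batch[serial] = (device, device.provision())
    return batch


if __name__ == "__main__":
    # Constructed demo: two units from one batch, deadline at t=1000.
    batch = provision_batch(["PLC-0001", "PLC-0002"], deadline=1000.0)
    dev, setup_pw = batch["PLC-0001"]
    print("unique per unit:", setup_pw != batch["PLC-0002"][1])
    print("first login:", dev.authenticate(setup_pw, now=500.0))
    print("after deadline:", dev.authenticate(setup_pw, now=2000.0))
    print("owner sets password:", dev.set_password(setup_pw, "owner-chosen-passphrase", now=500.0))
    print("setup password afterwards:", dev.authenticate(setup_pw, now=500.0))
```

The contrast with the pattern CISA is warning about is that a shared factory credential such as `admin`/`admin` is a single secret protecting every unit ever sold; here the secret differs per unit, expires if unused, and is discarded the moment the owner replaces it, so a leaked manual or forum post gives an attacker nothing to try.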

It urged manufacturers to follow secure-by-design principles and to make clear to users that a security weakness in these devices can affect the public, not just the device owner.

CISA also suggested field tests, so manufacturers can see how customers actually deploy and configure their products in the wild and use that to decide how to secure the devices properly.


Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.