Comments on: ElcomSoft Discovers Most of Its Customers Want Stricter Security Policies but Won’t Bother Changing Default Passwords http://blog.crackpassword.com/2012/02/elcomsoft-discovers-most-of-its-customers-want-stricter-security-policies-but-won%e2%80%99t-bother-changing-default-passwords/ «...This blog is about <a href="/?s=password+recovery">cracking passwords</a>, <a href="/?s=forensic">forensics solutions</a>,<br><a href="/?s=security">computer and network security</a>, <a href="/?s=system+recovery">system recovery</a> and other things...» Fri, 26 Apr 2013 14:47:50 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Olga Koksharova http://blog.crackpassword.com/2012/02/elcomsoft-discovers-most-of-its-customers-want-stricter-security-policies-but-won%e2%80%99t-bother-changing-default-passwords/comment-page-1/#comment-27780 Olga Koksharova Fri, 24 Feb 2012 12:11:35 +0000 http://blog.crackpassword.com/?p=1961#comment-27780 Default passwords seem to be a real problem, so here is our advice. Do not use default passwords, as it’s dangerous, even if they are complex, simply because lists of such passwords are easily found in the Internet – for many different systems and applications. A really strong password should be not only long and complex, it should be unique (of course, there are many other factors such as changing the password on a regular basis; performing password/security audit etc – in other words, a good password policy).

Default passwords are also easily checked by bots and automated scripts: they usually have built-in wordlists that always contain default passwords – to be checked first. The other ‘dictionary’ words follow; but remember the weakest link principle.

After all, default settings are always bad. That’s not only about passwords. Another good example is SSID. With WPA/WPA2, the SSID is added to the password before hashing, so working like a ‘salt’. But for most common SSIDs (all manufacturs have their own favorite ones), effective rainbow tables can be created.

]]>