Password Tips from a Pen Tester: What is Your Company’s Default Password?

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Welcome back to Password Tips From a Pen Tester. Last time, I exposed common password patterns we see when we perform penetration testing service engagements for our clients at Rapid7. This month, let’s dig into the amazingly weak default passwords that so many companies use.

The first day on the job: We fill out all the requisite paperwork for Human Resources and get a computer and our network password. That password is often something easy to remember, and is often the same for every new employee. It might be Welcome1ChangeMe! or one of our old favorites, the SeasonYear (ie. Summer2018). If a new employee is having trouble signing in for the first time and they call the help desk, they can easily get the help they need. A big problem with this methodology is that attackers can do the same thing. When I’m on a social engineering engagement with a company, one of my first moves is always to call the help desk with a story about being new and needing to know what the default password is (or that I can’t remember mine and would like to just have it reset to the original, default value). If I’m able to find out what that is, I can then attempt to log in with other usernames and that default password. This works because I know that some people don’t change their first password—ever.

I have compiled a list of more than 136,000 passwords from pentests done by the Rapid7 team over the last three months. From that data, I searched for some of these typical first passwords. For example, looking at versions of “welcome,” I see:

Welcome1 – 1015 timesWelcome! – 9 timesWelcome1! – 16 times

I also did a search for Welcome2 and got 637 results. This one is a little trickier because I am doing a wildcard search, so that could simply be someone who changed their Welcome1 to the next digit, or it could be a password like Welcome2Rapid7. When I dug in further, 121 of those were only Welcome2. Exactly 430 were of the Welcome2CompanyName variety and the remainder were Welcome2018 or some other small number of combinations.

It seems “change” might do a better jump of conveying to employees that the password should be changed. I found 38 variations of ChangeMe, 4 instances of Changeit, and 9 entries for Changethispassw0rd (yes, that’s a zero).

The data does also show different single digits after the Welcome and Change, possibly indicating another common user behavior, that the account holder is simply incrementing the number on each required update.

With all this discussion of “Welcome” and “Change”, we need to look at one other password that we’ve seen many times before. While it might also be something chosen by users, sometimes it is the default password. This was the most common password that I found when searching through my data. It’s none other than our old friend “password”. I took my file with 137,000 passwords and sorted and counted each and when I removed the company-specific passwords (ie. Rapid7!) the top remaining password, with 960 entries was Password1. As I look down the list, there are more versions of it. I see 314 entries for Password123, 175 entries for _Pass_Word1, 151 entries for password, 92 entries for Password2, and 60 entries for P@ssw0rd. The list of “passwords” just keeps going on and on.

So how do we deal with these default passwords? The short answer is to force employees to change it. The system administrator should activate a setting when the account is created, then check the box for “User Must Change Password at Next Logon”. I can’t give instructions on exactly how to do it as there might be slight variations for your environment, so I recommend using your vendor’s documentation on the proper way to set that value.

Ensuring that your people aren’t using a known, weak password will go a long way to helping the security of your network, and at least forcing them to change their original, default password is a great first step.

Interested in more penetration testing research from Rapid7? Check out our Under the Hoodie series, and uncover the most effective methods our pen testers have found to compromise high-value credentials.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Rapid7
Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.
Promoted Content
30-Day Trial: UBA-Powered SIEM with Rapid7's InsightIDR
Rapid7 InsightIDR delivers trust and confidence: you can trust that any suspicious behavior is being detected, and have confidence that with the full context, you can quickly remediate. From working hand-in-hand with security teams, we understand how painful it is to triage, false-positive, vague alerts and jump between siloed tools, each monitoring a bit of the network. InsightIDR combines SIEM, UBA, and EDR capabilities to unify your existing network & security stack. By correlating the millions of events your organization generates daily to the exact users and assets behind them, you can reliably detect attacks and expose risky behavior - all in real-time.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?