4.7 Change Default Passwords

   


Table 4.2 lists the default username/password combinations for commonly deployed devices. While these combinations are not necessarily the default on all devices manufactured by these vendors, they are used on enough devices that administrators should be concerned. If an attacker comes across one of these devices, the default combination is going to be the first tried. That's why it is important to create an account, and then remove the default account.

Table 4.2. Default Usernames and Passwords

Vendor          Username    Password
Bay Networks    Manager     Manager
Cisco           cisco       cisco
Extreme         admin
Juniper         root
Nortel          admin       setup

Often, an administrator will create one or several accounts without deleting the default account, leaving a gaping security hole. It is important to delete all default accounts and replace them with more secure account names and passwords. Unfortunately, it is easy to overlook the different accounts on a network device, so make sure you use this checklist to cover your bases:

  • Virtual terminal user

  • Console user

  • Superuser (enable user on Cisco routers)

  • HTTP user (unless you are disabling remote access)

  • SNMP read password (unless you are going to disable SNMP)

  • SNMP write password

  • Default passwords for any vendor-specific protocols (unless you are disabling these services)
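
The checklist above, applied as an added example that is not from the book: a Python audit of a Cisco IOS-style configuration that flags default values on the virtual terminal, console, enable, HTTP and SNMP entries. The sample configuration is constructed, and the `public`/`private` community names are an assumption not listed in Table 4.2; only cleartext values can be compared, so hashed secrets pass through unflagged.

```python
import re

# Table 4.2 rows that list a password, lowercased for comparison.
TABLE_4_2 = {("manager", "manager"), ("cisco", "cisco"), ("admin", "setup")}
# Assumption: the table's words plus the commonly shipped SNMP community names.
WEAK = {"cisco", "manager", "setup", "admin", "public", "private"}

def audit(config):
    """Return one finding per checklist item still set to a default value."""
    findings, ctx = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = None  # any top-level command closes a "line ..." block
        if m := re.match(r"line (vty|con)\b", line):
            ctx = "virtual terminal" if m[1] == "vty" else "console"
        elif ctx and (m := re.match(r"password (?:\d )?(\S+)", line)):
            if m[1].lower() in WEAK:
                findings.append(f"{ctx}: default password")
        elif m := re.match(r"username (\S+) (?:privilege \d+ )?password (?:\d )?(\S+)", line):
            if (m[1].lower(), m[2].lower()) in TABLE_4_2:
                findings.append(f"user {m[1]}: Table 4.2 default pair")
        elif m := re.match(r"enable (?:password|secret) (?:\d )?(\S+)", line):
            if m[1].lower() in WEAK:
                findings.append("enable: default password")
        elif line == "ip http server":
            findings.append("http: server enabled, check its user")
        elif m := re.match(r"snmp-server community (\S+) (RO|RW)", line, re.I):
            if m[1].lower() in WEAK:
                kind = "read" if m[2].upper() == "RO" else "write"
                findings.append(f"snmp {kind}: default community")
    return findings

# Constructed sample configuration (not taken from any real device).
SAMPLE = """\
enable password cisco
username cisco password 0 cisco
username jsmith password 0 Tr4il-mix-horse
ip http server
snmp-server community public RO
snmp-server community n0c-wr1te-7f RW
line con 0
 password cisco
line vty 0 4
 password Blue-heron-42
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
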

Removing default users and changing default passwords make it more difficult for remote users to access network devices. Coupling these steps with only using encrypted access from internal network devices significantly reduces the chances that an outside attacker will be able to gain access to the network through its routers.

That being said, after these precautions are taken, it is important that the passwords are not shared with anyone who does not need them. If more than a handful of users access the network equipment, it is a good idea to use a TACACS or RADIUS server. If there are fewer than five users, each user should be assigned a unique username and password combination, and his or her access level should be appropriately distributed.

There is a temptation, when only one or two users access the system, to use a single login and password. If you are logging connections to your networking devices, you should not do this. If there is no distinction between the users, then there can be no accountability should a mistake or a malicious act occur.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
