{{Short description|Password for devices on factory default settings}}
(Image caption: WiFi router with default username "admin" and default password "password")
Where a device needs a username and/or password to log in, a '''default password''' is usually provided to access the device during its initial setup, or after resetting it to the factory default settings.
Manufacturers of such equipment typically use a simple password, such as ''admin'' or ''password'' on all equipment they ship, expecting users to change the password during configuration. The default username and password are usually found in the instruction manual (common for all devices) or on the device itself.{{Citation needed|date=November 2021}}
Default passwords are one of the major contributing factors to large-scale compromises of home routers.<ref>{{cite arXiv |title=Owning Your Home Network: Router Security Revisited |eprint=1506.04112 |last1=Niemietz |first1=Marcus |last2=Schwenk |first2=Joerg |class=cs.CR |year=2015}}</ref> Leaving such a password on devices available to the public is a major security risk.<ref>{{cite web |url=http://www.sans.edu/research/security-laboratory/article/default-psswd |title=The Risk of Default Passwords |publisher=SANS |work=Security Laboratory: Methods of Attack Series |access-date=June 16, 2015}}</ref><ref>{{cite journal |last=Opaska |first=Walter P. |date=1986-09-01 |title=Closing the VAX Default Password "Backdoor" |url=https://doi.org/10.1080/07366988609450370 |journal=EDPACS |volume=14 |issue=3 |pages=6–9 |doi=10.1080/07366988609450370 |issn=0736-6981 |url-access=subscription}}</ref><ref>{{cite journal |last1=Nam |first1=Sungyup |last2=Jeon |first2=Seungho |last3=Kim |first3=Hongkyo |last4=Moon |first4=Jongsub |date=2020-05-31 |title=Recurrent GANs Password Cracker For IoT Password Security Enhancement |journal=Sensors |language=en |volume=20 |issue=11 |pages=3106 |doi=10.3390/s20113106 |pmc=7309056 |pmid=32486361 |bibcode=2020Senso..20.3106N |doi-access=free}}</ref><ref>{{cite journal |last1=Shafiq |first1=Muhammad |last2=Gu |first2=Zhaoquan |last3=Cheikhrouhou |first3=Omar |last4=Alhakami |first4=Wajdi |last5=Hamam |first5=Habib |date=2022-08-03 |editor-last=Lakshmanna |editor-first=Kuruva |title=The Rise of "Internet of Things": Review and Open Research Issues Related to Detection and Prevention of IoT-Based Security Attacks |journal=Wireless Communications and Mobile Computing |language=en |volume=2022 |pages=1–12 |issn=1530-8677 |doi=10.1155/2022/8669348 |doi-access=free}}</ref> Several proof-of-concept (POC) demonstrations have been made, and active "worms" have run across the Internet searching for systems still using their default username and password.
Voyager Alpha Force, Zotob, and MySpooler are a few examples of POC malware which scan the Internet for specific devices and try to log in using default credentials.<ref name=sans>{{cite web |title=The Risk of Default Passwords |url=https://www.sans.edu/cyber-research/security-laboratory/article/default-psswd |website=Sans Security Laboratory |publisher=SANS Technology Institute |access-date=3 June 2017}}</ref>
In the real world, many forms of malware, such as Mirai, have used this vulnerability. Once devices have been compromised by exploiting the default-credential vulnerability, they can themselves be used for various harmful purposes, such as carrying out distributed denial-of-service (DDoS) attacks. In one incident, a hacker gained access to and control of a large number of networks, including those of the University of Maryland, Baltimore County, Imagination, and Capital Market Strategies L, simply because the operators had not changed their NetGear switches from the default credentials.<ref name="ITWorld">{{cite web |title=If your router is still using the default password, change it now! |last1=Pinola |first1=Melanie |date=7 December 2012 |website=Computerworld |url=https://www.computerworld.com/article/1404692/if-your-router-is-still-using-the-default-password-change-it-now.html |access-date=14 April 2026}}</ref>
Some devices (such as wireless routers) have a unique default username and password printed on a sticker, which is more secure than a common default password shared by every unit. However, some vendors derived these unique default passwords from the device's MAC address using an algorithm that became publicly known, so attackers could easily compute the same passwords.<ref>{{cite web |title=Reversing D-Link's WPS Pin Algorithm |publisher=Embedded Device Hacking |date=31 October 2014 |url=http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/ |access-date=June 16, 2015}}</ref>
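As an added illustration (not part of this article or of any vendor's firmware), the following Python check flags a device credential that is default-equivalent in the senses described above: a well-known shared default such as ''admin''/''password'', or a password derived from the device's MAC address or serial number. It also shows the alternative, a per-device default drawn from a CSPRNG. The default list, MAC and serial values are constructed samples, not taken from any real product.

```python
import re
import secrets
import string

# Constructed sample of well-known vendor defaults (illustrative, not a complete list).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}


def _strip(value: str) -> str:
    """Lowercase and drop separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def check_device_credential(username: str, password: str,
                            mac: str = "", serial: str = "") -> list[str]:
    """Return the reasons a credential is default-equivalent; an empty list means no finding.

    mac and serial are the device's own identifiers (hypothetical inputs here);
    a password built from them is only as secret as the identifier itself.
    """
    findings = []
    if (username.lower(), password) in KNOWN_DEFAULTS:
        findings.append("matches a known vendor default")
    if not password:
        findings.append("empty password")
    if password and password.lower() == username.lower():
        findings.append("password equals username")
    pw = _strip(password)
    mac_hex = _strip(mac)
    # Any 6-hex-digit window of the MAC appearing in the password is a derivation tell.
    if len(mac_hex) >= 6 and any(mac_hex[i:i + 6] in pw for i in range(len(mac_hex) - 5)):
        findings.append("contains part of the device MAC address")
    if serial and len(_strip(serial)) >= 4 and _strip(serial) in pw:
        findings.append("contains the device serial number")
    return findings


def generate_unique_default(length: int = 16) -> str:
    """Per-device default drawn from a CSPRNG: unique per unit and not
    derivable from the MAC address, serial number or any shared algorithm."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The MAC check looks for any six-digit window of the address because vendor schemes typically embed only part of it; a stricter audit would also compare against the stored credential hash rather than a plaintext password.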
==See also==
* [[Backdoor (computing)]]
* [[Cyber-security regulation]]
* [[Internet of things]]
==References==
{{Reflist}}
[[Category:Password authentication]]
[[Category:Computer security exploits]]