Where Are Your Default Admin Passwords?

Friday, June 24, 2011

Bozidar Spirovski


Where are your default admin passwords - and who can get to them?

Every corporation nowadays is very concerned with account security, and the first thing an auditor or security officer asks about is how the default admin accounts (root, administrator, sa, DBO...) are handled and stored.

We don't need to repeat the well known mantra of not using the default accounts for daily use.

But these accounts and passwords still need to be well secured, in order to achieve the following criteria:

  • Security - the passwords for the default admin accounts need to be strong and complex, and should withstand most brute-force or social-engineering attacks.
  • Confidentiality - no single person should know the default admin account password, since he/she could abuse the account for gain or to cause damage.
  • Availability - in times of crisis the organization may still need to use these default admin accounts, so they cannot be lost.

The following procedure can be applied by any organization, and it meets all three criteria.

Security and Confidentiality - the password should be constructed in two parts, each part chosen and entered by a different person. Having two people create the password increases its complexity significantly and reduces the chance that an attacker can use social knowledge about a single person to guess it. It also means that no single person knows the whole password.

Confidentiality and Availability - the two parts of the password should be written on separate pieces of paper marked "first part" and "second part" and stored in separate envelopes. These two envelopes should then be placed in a tamper-evident envelope.
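As an added illustration of the two-part procedure above (example code, not from the original post), the following Python mirrors the split: each custodian generates one part with a CSPRNG, the combined password is checked against an assumed complexity policy, and a short fingerprint (an assumption not in the post) lets the parts be checked for transcription errors at recovery time without revealing them.

```python
# Added example of the two-person (split-knowledge) procedure, not code from the
# post; the policy thresholds and the fingerprint check are assumptions.
import hashlib
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 75 symbols

def generate_half(length: int = 12) -> str:
    """One custodian's part, drawn from the OS CSPRNG rather than chosen by hand,
    so nothing known about that person helps an attacker guess it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def combine(first_part: str, second_part: str) -> str:
    """The full password is the first part followed by the second part."""
    return first_part + second_part

def meets_policy(password: str, min_length: int = 20) -> bool:
    """Assumed complexity policy: minimum length plus all four character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in classes
    )

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of this length; two 12-char parts
    give 24 chars, roughly 149 bits, far beyond brute-force reach."""
    return length * math.log2(alphabet_size)

def fingerprint(password: str) -> str:
    """Short SHA-256 prefix that can be kept outside the envelopes so the parts can
    be checked for transcription errors at recovery time. Truncated on purpose:
    32 bits catch a copying mistake but give almost nothing to work with against
    a ~149-bit password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]

def two_person_password(half_length: int = 12) -> tuple:
    """Run the procedure end to end (for illustration; in practice each custodian
    runs generate_half alone). Parts are redrawn until the combination passes policy."""
    while True:
        first, second = generate_half(half_length), generate_half(half_length)
        full = combine(first, second)
        if meets_policy(full):
            return first, second, full
```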

Placing the passwords in a tamper-evident envelope is the step at which most attempts at secure storage fail. The usual excuse is that tamper-evident envelopes are not readily available, or cannot even be ordered through central procurement. This is rarely true, since such envelopes are available in most office supply stores.

But even if such envelopes are not available, you can easily create a DIY tamper-evident envelope like this:

  • Take an ordinary envelope
  • Ask your manager to sign his name at least twice on the edges of the envelope, on both sides
  • Cover the signed edges along their full length with transparent adhesive tape (scotch tape), making sure the tape wraps over the edge of the envelope
  • Put the password envelopes inside the tamper-evident envelope
  • Seal the envelope, and have the manager sign across the edge where the envelope is sealed
  • Cover the length of the seal and the signatures with adhesive tape, making sure the tape touches both the flap and the envelope surface as well as the signatures

The end result can be seen on the following image:


Through this process you have created a crude tamper-evident envelope. If someone tries to open it at any edge or through the sealed flap, he/she will damage the adhesive tape, and that damage is easily visible.

If someone tries to peel off the adhesive tape before opening the envelope, the tape will lift the signature it covers, again showing that the envelope has been tampered with.

Once this step is done, securing the password can be completed by storing the envelope in the department safe, where employees can still get to it if needed (in a crisis situation).

This process is very simple to follow and can be applied in one afternoon. All it takes is 3 people, some envelopes and the will to secure the default admin accounts.

Just make sure that you reset the passwords of the default admin accounts in all places where they are used, such as service/daemon accounts and scheduled system jobs.

Talkback and comments are most welcome...

Cross-posted from ShortInfosec
