In message <200601130141.k0D1fiZ1007762@world.std.com>, Martin Hannigan writes:
Actually, and fairly recently, this IS a default password in IOS. New out-of-box 28xx series routers have cisco/cisco installed as the default password with privilege 15 (full access). This is a recent development.
This is hardly only cisco's problem. Most office routers I've dealt with also come with default username/password and on occasions when I dealt with existing installation those passwords have rarely been changed.
What should really be done (BCP for manufactures ???) is have default password based on unit's serial number. Since most routers provide this information (i.e. its preset on the chip's eprom) I don't understand why its so hard to just create simple function as part of software to use this data if the password is not otherwise set.
Ex: Thot's how a Netscreen 5 works after a reset. The password is the serial # if I remember correctly.
How much entropy is there in a such a serial number? Little enough that it can be brute-forced by someone who knows the pattern? Using some function of the serial number and a vendor-known secret key is better -- until, of course, that "secret" leaks. (Anyone remember how telephone credit card number verification worked before they could do full real-time validation? The Phone Company took a 10-digit phone number and calculated four extra digits, based on that year's secret. Guess how well that secret was kept....) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb