Dark Mode

Settings

Capec-70 Detail

Try Common or Default Usernames and Passwords

Detailed Software Likelihood: Medium Typical Severity: High

Parents: 49

Threats: T71 T263 T271 T279 T292 T307 T385 T398

Description

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.

Not present

External ID Source Link Description
CAPEC-70 capec https://capec.mitre.org/data/definitions/70.html
CWE-521 cwe http://cwe.mitre.org/data/definitions/521.html
CWE-262 cwe http://cwe.mitre.org/data/definitions/262.html
CWE-263 cwe http://cwe.mitre.org/data/definitions/263.html
CWE-798 cwe http://cwe.mitre.org/data/definitions/798.html
CWE-654 cwe http://cwe.mitre.org/data/definitions/654.html
CWE-308 cwe http://cwe.mitre.org/data/definitions/308.html
CWE-309 cwe http://cwe.mitre.org/data/definitions/309.html
T1078.001 ATTACK https://attack.mitre.org/wiki/Technique/T1078/001 Valid Accounts:Default Accounts
REF-572 reference_from_CAPEC https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion Corporate IoT – a path to intrusion, 2019--10---05, Microsoft Security Response Center (MSRC)
REF-574 reference_from_CAPEC https://www.us-cert.gov/ncas/alerts/TA13-175A Risks of Default Passwords on the Internet, 2016--10---07, Cybersecurity and Infrastructure Security Agency (CISA)
REF-596 reference_from_CAPEC https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)
REF-597 reference_from_CAPEC https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)

Not present

  1. The system uses one factor password based authentication.The adversary has the means to interact with the system.
  1. Technology or vendor specific list of default usernames and passwords.
Low
An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known.
Authorization Access Control Confidentiality
Gain Privileges Gain Privileges Gain Privileges
  1. A user sets their password to "123" or intentionally leaves their password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.
  2. Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username "root" with a password "password". This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288
  3. In April 2019, adversaries attacked several popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. An investigation conducted by the Microsoft Security Resposne Center (MSRC) discovered that these devices were used to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. [REF-572]

We use cookies to ensure you get the best experience on our website.