North American Network Operators Group


Re: Cisco, haven't we learned anything? (technician reset)

  • From: Steven M. Bellovin
  • Date: Thu Jan 12 21:07:32 2006

In message <[email protected]>, Martin Hannigan writes:
>
>> 
>> 
>> 
>> > Actually, and fairly recently, this IS a default password in IOS.  New 
>> > out-of-box 28xx series routers have cisco/cisco installed as the default 
>> > password with privilege 15 (full access).  This is a recent development.
>> 
>> This is hardly only Cisco's problem. Most office routers I've dealt with
>> also come with default username/password and on occasions when I dealt
>> with existing installation those passwords have rarely been changed.
>> 
>> What should really be done (BCP for manufacturers ???) is have default
>> password based on unit's serial number. Since most routers provide this
>> information (i.e. it's preset on the chip's eprom) I don't understand
>> why it's so hard to just create simple function as part of software to 
>> use this data if the password is not otherwise set.
>
>Ex: That's how a Netscreen 5 works after a reset. The password is the
>serial # if I remember correctly.
>

How much entropy is there in such a serial number?  Little enough 
that it can be brute-forced by someone who knows the pattern?  Using 
some function of the serial number and a vendor-known secret key is 
better -- until, of course, that "secret" leaks.  (Anyone remember how 
telephone credit card number verification worked before they could do 
full real-time validation?  The Phone Company took a 10-digit phone 
number and calculated four extra digits, based on that year's secret.  
Guess how well that secret was kept....)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
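
The trade-off raised in this message, worked through as an added example that is not part of the original post or any vendor's code: it estimates the entropy of a serial number whose pattern is known, then shows what a keyed derivation (HMAC of the serial under a vendor key) is worth while the key stays secret and after it leaks. The serial layout, field sizes, key and sample serial are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import math

# Constructed serial layout (assumption, not any vendor's real scheme):
# plant code (20 known values) + year (5) + week (52) + 4-char base-36 counter.
SERIAL_FIELDS = {"plant": 20, "year": 5, "week": 52, "counter": 36 ** 4}
PASSWORD_LEN = 12  # base32 characters, 5 bits each


def serial_bits(fields=SERIAL_FIELDS):
    """Entropy in bits of a serial number once its pattern is known."""
    return sum(math.log2(n) for n in fields.values())


def derive_password(vendor_key: bytes, serial: str) -> str:
    """Default password = truncated HMAC-SHA256(vendor_key, serial)."""
    mac = hmac.new(vendor_key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:PASSWORD_LEN].lower()


def effective_bits(key_bits: int, key_leaked: bool) -> float:
    """Guessing work for one device's default password."""
    if key_leaked:
        # Key known to everyone: the password is only as unpredictable as
        # the serial (and worth nothing if the serial is printed on a label).
        return serial_bits()
    # Key secret: bounded by the key size and by the truncated output.
    return float(min(key_bits, PASSWORD_LEN * 5))


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    serial = "ABC0602X7Q9"  # constructed sample serial
    print("serial alone      : %.1f bits" % serial_bits())
    print("keyed, key secret : %.1f bits" % effective_bits(256, False))
    print("keyed, key leaked : %.1f bits" % effective_bits(256, True))
    print("derived password  :", derive_password(key, serial))
```

For comparison, a 12-character password drawn at random per device from a 62-symbol alphabet carries about 71 bits and does not depend on any shared secret staying secret.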