I'm currently designing a system that requires an admin to log in using a password. For certain reasons, it is difficult to set this password during installation, but it can be changed later.

My idea is this: If I leave the default password empty, it is so horridly insecure that every admin is going to fix this as soon as possible. If I were to use some kind of predefined password instead, admins may think "ah.. nobody would think I've got 'defaultpassword' as my password so it's not very important to change."

So the basic thought is to make it so terrible that even the most lazy people are going to do something about it.

Edit: In my case, it is impossible to have the password changed on first login. It has to be manually edited in an XML file. It's a bad environment, but it's difficult to change, that's why I'm asking. I'd love to have a solution like for instance Windows does.

Edit: I never touched this topic, so I was not familiar with the related issues. I proposed such a crazy idea! I see I still have to learn a lot. I'll leave this open for a while, then accept the most voted answer. Thanks for the insight!

+28  A: 

I would never advise setting a default password to be empty, especially for an administrator.

As another solution along the same lines, create a generated high entropy, cryptic (my example is nowhere cryptic, but it's an example) first-time password so your user will think:

"Wow, f45zaH67 is something I'll never remember, let me go ahead and change that"

Anthony Forloney
You mean a generated instead of a fixed password? Sounds very reasonable.
mafutrct
Yeah, a randomly generated strong password. My example was poor, I pretty much just laid my hands all over the keyboard.
Anthony Forloney
I hate those type of passwords, I know I always change mine :)
Doug
It's a good idea. It is quite secure, since there _is_ no default password and it encourages people to change it.
mafutrct
Agreed and I am a firm believer that the more strongly encrypted, the more likely they'll change it.
Anthony Forloney
@Anthony: I assume you mean "more random-looking"...
BlueRaja - Danny Pflughoeft
I fully agree with Anthony Forloney, and I see this is what goes on in "real" places. Examples - the original password generated by ISPs, universities, and auto-generated passwords in websites (those that require email validation and send you your first account password via email). +1!
M.A. Hanin
@BlueRaja, I always see stronger passwords go hand in hand with random-looking passwords, but yeah your assumption was correct.
Anthony Forloney
@Anthony: I believe he was referring to your use of the term "encrypted" instead of "cryptic".
mafutrct
@mafutrct: Ah, that makes sense, thanks for pointing it out
Anthony Forloney
I would change it and replace it by something similarly cryptic, generated using a pair of dice.
starblue
Encryption has nothing to do with a password. You probably meant "high entropy" instead of "encrypted".
Longpoke
@Longpoke: Good choice of words, I had updated my answer to include that.
Anthony Forloney
A: 

Since answering your own questions is encouraged on SO, I'm going to present an idea I thought of. But especially after reading the other answers on this thread, I don't have much confidence in this solution.

Block login, or at least pop up a warning message (optionally rendering the application in annoying neon-yellow colors) until the default password has been changed.

mafutrct
+4  A: 

Can't you just force them to change it on first login?

Based on your edit...

I would opt for randomly generating a password or something (as already suggested). The benefit of this is not only should it make the admin change it, but if they don't, you can be sure it ain't gonna be easy to guess. Either way the account will be more secure than it would with a blank password (big no-no).

James
(see edited question)
mafutrct
If you can't force them to change on first login then you need a better design.
Joshua
@Joshua If it were that easy, I would not ask ;)
mafutrct
The problem with forcing to change on first login is that software frequently gets deployed without someone logging in.
vy32
@vy32, someone has got to log in at some point....
James
Not true. You might have an appliance or an embedded system that gets deployed but never used. The first person to log in may be the attacker.
vy32
+21  A: 

Microsoft used a blank default password for the administrative account "sa" for SQL Server. The "sa" account has complete control over the database and can access cmd.exe using xp_cmdshell(). You can log in to the database over port 1433. Worms spread by using the sa account with a blank password; over the years many databases were hacked. Finally Microsoft addressed the issue by forcing the user to set a password on install.

Never have a default password (especially if it allows remote code execution)

Rook
Good example to illustrate.
mafutrct
I disagree - blank is not significantly worse than any other string as a default. If Microsoft had used "j'?17KONifylbjn0" as the default "sa" password and admins didn't change it after install, it would have been just as exploitable.
Andrew Medico
@Andrew Medico Having a hardcoded password of junk is equally wormable. I do not understand your point or how it relates to my answer. Or the -1 you gave me (which took away my nice answer badge!)
Rook
Any fixed default password is bad, and twenty random characters (normally a very strong password) is not much better than blank. Both are very bad. A randomly generated "default" password would work much better.
David Thornley
@The Rook, I already upvoted you, or I would do it now. But you shouldn't have to worry; badges are not removed once earned, except in very rare circumstances: http://meta.stackoverflow.com/questions/8046/how-do-nice-answer-badges-work/8064#8064
Lord Torgamus
@Lord Torgamus, good call, the badge was just delayed.
Rook
@The Rook, and now your post is above the threshold again anyways. It would appear that yours, ahem, goes to 11. Congrats.
Lord Torgamus
@Lord Torgamus W00t A Spinal Tap Reference win.
Rook
+1  A: 

Wow ... do admins really command so little respect? It seems as if the standard assumption is that they WILL screw things up, no?

NOTadmin
Admins are, usually, still human, and humans tend to be lazy if they can.
mafutrct
Not every administrator knows what they are doing. An admin could be in a rush or just not understand the threats that he faces.
Rook
"It seems as if the standard assumption is that they WILL screw things up" They WILL screw things up.
Longpoke
Besides humans being lazy, not all software is installed and used by paid administrators. Might be a home user, or in a small business it could be someone whose main responsibility is not system administration.
Qwertie
Maybe what you really need is some sort of UAC! Are you sure you don't want to use a password? Are you really sure?? Are you super duper sure????
NOTadmin
+3  A: 

It's interesting to note that Windows was changed a while back so you can't remote desktop into another machine if the account you're using has a blank password.

Any default password is a bad password, blank or no. The admin needs to change it. Detecting that an account has the default password and limiting its access in a few ways is one way to encourage users to change their password, or otherwise partially secure their system for them.

Frank Schwieterman
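Anthony Forloney's generated-password answer and Frank's point about detecting that an account is still on its default fit together naturally. The following is an added example in Python, not code from the question or from any answer here; the alphanumeric alphabet, the 16-character length and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumptions (not from the thread): a 16-char alphanumeric password and
# PBKDF2-HMAC-SHA256 with 200k iterations; tune both to your environment.
ALPHABET = string.ascii_letters + string.digits
GENERATED_LENGTH = 16
PBKDF2_ROUNDS = 200_000

def generate_initial_password(length=GENERATED_LENGTH):
    # CSPRNG draw, so every install gets a different first-time password.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing cost of a uniformly drawn password in bits; a blank default scores 0."""
    return length * math.log2(alphabet_size)

def hash_password(password, salt=None):
    # Only the salted, stretched hash (never the password) is written to the config file.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AdminAccount:
    def __init__(self, initial_password):
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = True  # install-time default still in use

    def verify(self, password):
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def change_password(self, old, new):
        # Refuse an empty replacement: the admin must never end up on a blank password.
        if not new or not self.verify(old):
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True

    def login_allowed(self, password, remote):
        # Like the Windows blank-password rule: local use is fine, remote is refused until changed.
        return self.verify(password) and not (remote and self.must_change)

def provision_admin():
    """Installer step: create the account and return the one-time password to show the admin."""
    password = generate_initial_password()
    return AdminAccount(password), password
```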
+4  A: 

As requested, added as an answer.

Or set it to something completely random that you display to them during installation...? I don't think a blank password is ever a good idea.

Chad
User clicks next next next and skips over password
Pyrolistical
@Pyrolistical: Said user is incompetent and a danger to themselves and others. Why exactly would you want them to see the admin password to _anything_ in the first place?
Nicholas Knight
A: 

"My idea is this: If I leave the default password empty, it is so horridly insecure that every admin is going to fix this as soon as possible."

Everyone already thinks this way, this is why my tiny Linux system with only 10 daemons will never be secure, because I can't be bothered to go find all the "insecure by default" things and fix them.

If this is a network system, you are now in a race with the hacker who just watched you install the "system"; if he gets to log in with the default pass before you get a chance to change it, you lose.

When you install the "system", it asks the user to make an admin account.

And optionally:

If the user chooses "no" to make an account, [s]he can add one later by running a program locally on the system that will edit the xml file and add an admin user.

Generating a random password during install is fine too, but if it's some GUI app instead of webapp, you'd probably want to make sure the user can copy/paste the password to a text file or something. Nothing is more annoying than writing down a generated password on paper :)

Longpoke
I'm not sure what you're trying to say. I think you're making too many assumptions - the password can be changed before the application runs the first time, and it is not possible to ask the user to change the password during installation.
mafutrct
Yeah well, we don't have much context; in this case you can probably just s/install/first run/
Longpoke
A: 

How about setting it to a random password (as somebody mentioned) and REQUIRING the user to change it before proceeding?

Nate Shoffner
The "requiring" part is impossible, as stated in the question.
mafutrct
Sorry, didn't see that. There's no way you can remind them constantly upon login to change their password? Even if you have to be obnoxious about it, it would be benefiting them.
Nate Shoffner
I'd have to change a lot of stuff to make that possible.
mafutrct
+1  A: 

Just don't use username/password credentials but look for some other ways to authenticate.

Tim Mahy
If it were that easy... :)
mafutrct
Sometimes there are some cool real-life authentication tokens just for end users to use; here in Belgium we all have an E-Identity card with a certificate that is under a national root....
Tim Mahy