In a nutshell: Default passwords can be useful for streamlining the manufacturing process or helping system administrators easily deploy new devices in a network. They also are a scourge for the overall security of companies and the internet as a whole, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted, and should disappear forever.

CISA continues its crusade against default passwords used by technology manufacturers. The US cybersecurity agency recently published new "secure by design" guidance, urging software and hardware companies to "proactively" eliminate the risk of default password exploitation from their products.

Default passwords such as "1234," "default," or even "password" are routinely exploited by malicious cyber actors, CISA said in its latest guidance. Insecure passwords provide initial access to internet-exposed systems and a way for the aforementioned malicious actors to move laterally within an organization to wreak havoc and steal sensitive data.

According to CISA, infamous threat actors such as Islamic Revolutionary Guard Corps (IRGC)-affiliated groups have successfully compromised critical infrastructure within the United States by exploiting passwords set to a "static default." The agency is releasing its latest alert because of "recent and ongoing" threat activity, and "years of evidence" showing that relying on thousands of customers to change their passwords cannot possibly cut it.

CISA is providing the following two principles for manufacturers designing new technology products:

  • take ownership of customer security outcomes
  • build organizational structure and leadership to achieve these goals

Technology companies must eliminate default passwords from their software and devices, providing unique "setup passwords" for every single product to force users to select a new secure password right from the start. Another viable alternative is including "time-limited" passwords, which disable themselves when a setup process is complete and require more secure authentication approaches such as phishing-resistant multifactor authentication (MFA).
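The setup-password flow described above, sketched as an added Python example (not from CISA's guidance or any vendor's firmware): each unit gets its own random setup secret, the secret only works inside a time window that opens at first power-on, it is consumed exactly once, and completing setup forces the owner to pick a password that is not one of the weak defaults the guidance calls out. The 30-minute window, the weak-password list and the label-printed secret are assumptions of this sketch.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

SETUP_WINDOW_SECONDS = 30 * 60  # assumed: setup secret is valid 30 min after first power-on
WEAK_PASSWORDS = {"password", "default", "1234", "admin"}  # constructed sample list

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Store only a salted hash on the device, never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Device:
    serial: str
    setup_hash: Optional[bytes]            # per-unit one-time setup secret; None once consumed
    setup_salt: bytes
    setup_expires_at: Optional[float] = None  # set when the unit is first powered on
    user_hash: Optional[bytes] = None         # owner-chosen credential, set during setup
    user_salt: Optional[bytes] = None

def provision_at_factory(serial: str) -> tuple[Device, str]:
    """Factory step: a fresh random secret per unit (assumed to be printed on its label)."""
    secret = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    return Device(serial, _pbkdf2(secret, salt), salt), secret

def power_on(dev: Device, now: float) -> None:
    """First boot opens the time-limited setup window; later boots do not extend it."""
    if dev.setup_expires_at is None:
        dev.setup_expires_at = now + SETUP_WINDOW_SECONDS

def complete_setup(dev: Device, presented: str, new_password: str, now: float) -> bool:
    """Consume the setup secret exactly once and force a strong owner password.
    A closed window is final here; reopening it would need a physical factory reset (not modeled)."""
    if dev.setup_hash is None or dev.setup_expires_at is None or now > dev.setup_expires_at:
        return False  # already used, never powered on, or window closed
    if not secrets.compare_digest(dev.setup_hash, _pbkdf2(presented, dev.setup_salt)):
        return False
    if len(new_password) < 12 or new_password.lower() in WEAK_PASSWORDS:
        return False  # refuse the kind of value the guidance says attackers routinely try
    dev.user_salt = secrets.token_bytes(16)
    dev.user_hash = _pbkdf2(new_password, dev.user_salt)
    dev.setup_hash = None  # the setup credential disables itself at this point
    return True

def login(dev: Device, presented: str) -> bool:
    """Normal authentication: an unconfigured device accepts no logins, and the
    setup secret is never a valid login credential."""
    if dev.user_hash is None or dev.user_salt is None:
        return False
    return secrets.compare_digest(dev.user_hash, _pbkdf2(presented, dev.user_salt))
```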

Companies should also "secure" their business structure, CISA said, ensuring that each link in the manufacturing chain understands the importance of cybersecurity issues. Products must be designed, manufactured, and delivered with security and safety built in by default. Executive leaders must also provide "incentive structures" and appropriate resources to enable these secure-by-design outcomes.

By implementing these two principles in their design, development, and delivery processes, CISA said, software manufacturers will (hopefully) prevent exploitation of static default passwords in their products. The agency is committed to providing even more Secure by Design (SbD) alerts for the technology industry, focusing on vendor decisions that can significantly reduce harm at a global scale.