The security risk to enterprises depends on how the passwords are being used, but by shipping the password along with the software, the potential that it can be discovered by malicious actors is heightened.
The problem isn’t new, yet it is not going away either, for several reasons. “In the development process, oftentimes people work on teams and they need to access different systems and share access to systems and credentials,” said Weber.
Developers need to share access to certificates and private keys used for encryption and decryption, and they need a place to store and share those credentials safely. The software itself also has to connect to other systems, and each of those connections requires a login. “When you send data to a database to interact, it requires a login,” said Weber. As a result, developers will often hard-code the passwords into the software.
Sometimes having the passwords in the software is a matter of convenience during development, but failing to remove them afterwards is often an oversight. “These developers may start with one scenario, then quickly there is another thing we need to do and store passwords for it,” Weber explained. “They might think ‘maybe now is a time to look at secure password management but we are too busy,’” he continued.
Oftentimes a pen tester will see passwords written in the source code, and Weber said, “Whether they are published intentionally or unintentionally, it’s a bad habit. It’s one of those things with security: security is an inconvenience. A roadblock that slows people down.”
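The two habits the article describes, a database login pasted into source as a string literal and a reviewer or pen tester later spotting it, can both be shown in a few lines. The following is an added example, not code from the article or from anyone quoted in it: a small heuristic scanner that flags hard-coded credential assignments and URL-embedded passwords in source text, masking the value so the report itself does not leak the secret, beside the fail-closed alternative of loading the secret from the environment at startup. The sample files, names and regular expressions are constructed for the demonstration and will need tuning for a real code base.

```python
"""Hard-coded credential scanner and a fail-closed alternative.

Added example, not code from the article or from the people quoted in it.
The sample files below are constructed; the regexes are heuristics.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

# Identifier fragments that commonly name a secret (matched case-insensitively).
SECRET_NAMES = r"(?:password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"

# A quoted literal of at least four characters assigned to a secret-like name,
# in either code style (NAME = "...") or YAML/INI style (name: '...').
ASSIGNMENT = re.compile(
    rf"(?P<name>[A-Za-z0-9_.\-]*{SECRET_NAMES}[A-Za-z0-9_]*)\s*[:=]\s*"
    r"(?P<quote>[\"'])(?P<value>[^\"']{4,})(?P=quote)",
    re.IGNORECASE,
)

# Credentials embedded in a connection URL: scheme://user:password@host
URL_CRED = re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:(?P<value>[^@\s/]+)@", re.IGNORECASE)

# Literal values that are placeholders or templating markers, not real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxx", "todo", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "assignment" or "url_credential"
    snippet: str   # offending line with the secret value masked


def is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that appears to embed a credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("assignment", ASSIGNMENT), ("url_credential", URL_CRED)):
            m = pattern.search(line)
            if m and not is_placeholder(m.group("value")):
                # Never copy the secret itself into a report or log.
                masked = line.replace(m.group("value"), "****")
                findings.append(Finding(path, lineno, kind, masked))
                break  # one finding per line is enough
    return findings


def scan_all(files: Mapping[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The hardened counterpart: fetch the secret from the environment (or a
    secrets manager in production) and fail closed when it is absent, rather
    than falling back to a default baked into the code."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


# Constructed sample input: two small files, one Python and one YAML.
SAMPLE_FILES: Dict[str, str] = {
    "settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2"                  # hard-coded: flagged\n'
        'API_KEY = "changeme"                     # placeholder: ignored\n'
        'db_password = os.environ["DB_PASSWORD"]  # loaded at runtime: ignored\n'
    ),
    "config.yaml": (
        "database:\n"
        "  url: postgres://app:s3cr3t@db.internal:5432/app\n"
        "  password: 'hunter2'\n"
    ),
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.snippet}")
    try:
        load_secret("DB_PASSWORD", env={})
    except RuntimeError as exc:
        print("startup refused:", exc)
```

Run as a script it reports three findings (the Python assignment, the URL credential and the YAML value) while ignoring the placeholder and the runtime lookup, then shows `load_secret` refusing to start without the secret. In a pipeline the same scan runs as a pre-commit hook or CI step, so the “we are too busy” moment is caught before the literal ever reaches a repository; the placeholder list and the minimum value length are the two knobs that trade false positives against misses.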
Ryan Olson, director of threat intelligence at Unit 42, Palo Alto Networks, said the role the device plays in the enterprise determines the level of risk the passwords pose to security. “The worst case scenario is that the device has control over a significant portion of the network and the password gives complete access to the device,” Olson said.
Sometimes the hard-coded password is intended only for initial setup. “If the password is used for a default account, that was probably going to be used by the first person installing the device, and at the end of the process that person should be removing that account,” Olson said.
Those default accounts don’t always get removed, and Olson suggested auditing your devices to find out whether they have default accounts. “It won’t work in every case because in some cases the hard-coded passwords are in the code itself,” Olson said.
Enterprises can take some action to protect themselves and their networks by putting pressure on vendors to make sure they are not leaving passwords in the devices. Asking whether the vendor has a way to recover a device if its password were lost gives a good indication of whether there are hard-coded passwords.