Olson said, “It’s better to know that it’s a hard-coded password upfront and to know that your vendor is also aware of the passwords.
Because hard-coded passwords are a way to get into a device with no username or authentication, they represent access paths that have been built into the system. Some of the information that is accessible might be sensitive, said Morey Haber, vice president of Technology, BeyondTrust.
“Many times we are not aware of hard-coded passwords until they are exposed. Enterprises need to protect those passwords by segmentation. Make sensitive data not accessible. Use control platforms and on premise password safe technology,” said Haber.
In addition, the IP subnets those devices sit on should not be accessible to anything except some form of management that proxies their use, Haber said. “For example, you’re a bank. If the sensitive data is on the same subnet as everything else, you need some type of proxy where there is a safety or filtering. You can mitigate the risk to an acceptable level because you have to authenticate before access to those hard-coded passwords,” Haber explained.
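As an added illustration of Haber's point (not code from the article or from BeyondTrust), here is a small check over constructed flow-log lines that flags any connection reaching a device-management subnet from anything other than the designated management proxy; the subnet, proxy address and log format are assumptions.

```python
import ipaddress

# Assumed (hypothetical) layout: devices with vendor-supplied accounts live in
# 10.50.0.0/24 and may only be reached through the management proxy 10.10.0.5.
DEVICE_SUBNET = ipaddress.ip_network("10.50.0.0/24")
MANAGEMENT_PROXY = ipaddress.ip_address("10.10.0.5")

# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z 10.10.0.5 10.50.0.7 22
2024-01-01T10:00:05Z 10.20.3.14 10.50.0.7 23
2024-01-01T10:00:09Z 10.20.3.14 10.20.3.1 443
2024-01-01T10:01:12Z 192.168.7.9 10.50.0.21 80
"""


def parse_flow(line):
    """Parse one 'timestamp src dst dport' record into a dict."""
    ts, src, dst, dport = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def find_bypasses(log_text, subnet=DEVICE_SUBNET, proxy=MANAGEMENT_PROXY):
    """Return flows that reach the device subnet without coming from the proxy.

    Each hit is a direct path to a device whose built-in account may be
    hard-coded, i.e. a path where no proxy authentication happened first.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] in subnet and flow["src"] != proxy:
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_FLOWS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              "reached a device without going through the management proxy")
```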
If vendors are outsourcing the software or firmware behind the scenes, they usually aren’t going the route of changing usernames and passwords, Haber said. So, for any company that is evaluating technologies, if the tool doesn’t allow them to change the username of the administrator or the password, that’s a big red flag.
“Look for another technology,” Haber said, “and if that is the only technology available, make sure it’s included in any RFPs or vendor discovery discussions. You need to know how your device is secured from an administrative perspective.”