R142. Change system default credentials

Requirement

The organization must modify all default access credentials of embedded systems.

Description

Organizations usually keep the default configurations of third-party products, since these adapt to most environments where the products are installed and make deployment to production easier. However, this practice may leave a default open gate into the product: in most cases, the default credentials are listed in the provider's documentation, which is easily found on the Internet. For this reason, it is important to review all configurations before deployment and remove all default credentials.

Implementation

  1. Remove all default credentials.

  2. Implement a mechanism to ensure only users with administrator privileges can access product consoles.

  3. Create a robust credential policy to improve the security of all credentials in the organization.

  4. Change passwords periodically, so that a credential that has been compromised cannot be used indefinitely.

  5. Perform audits periodically to detect improper configurations or missing patches.
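The five implementation steps above can be turned into a pre-deployment audit that blocks a product from going to production while a default account, a default password, an overdue rotation or a non-administrator console login is present. The following script is an added example for this requirement, not Fluid Attacks' code. It assumes the product exports its local accounts as salted SHA-256 digests (a stand-in for whatever storage format a real product uses), that the organization maintains its own deny list of vendor-documented default passwords (the values here are constructed placeholders), and a 90-day rotation policy; the sample inventory at the bottom is constructed as well.

```python
"""Pre-deployment audit of an embedded product's local accounts.

Added example for requirement R142; this is not Fluid Attacks' code. It
assumes the product exports its account table as salted SHA-256 digests
(a stand-in for whatever format the real product uses) and that the
organization maintains its own deny list of vendor default passwords.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholders for vendor-documented defaults. A real deny list
# is built by the organization from its providers' documentation.
DEFAULT_PASSWORDS = {"changeme", "password", "default", "admin"}
# Shared or default account names that must not exist (OWASP ASVS 2.5.4).
SHARED_ACCOUNT_NAMES = {"root", "admin", "sa", "guest"}
# Assumed rotation policy for implementation step 4.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass(frozen=True)
class Account:
    name: str
    salt: str
    password_digest: str   # hex SHA-256 of salt + password (stand-in format)
    last_changed: date
    is_admin: bool
    console_access: bool   # may the account open the management console?


def digest(salt: str, password: str) -> str:
    """Reproduce the product's (assumed) salted SHA-256 storage format."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit_account(acct: Account, today: date) -> list:
    """Return the list of policy violations found on one account."""
    findings = []
    if acct.name.lower() in SHARED_ACCOUNT_NAMES:
        findings.append("shared-or-default-account-name")
    # Compare the stored digest against the deny list; the account's own
    # clear-text password is never needed for this check.
    if any(hmac.compare_digest(digest(acct.salt, p), acct.password_digest)
           for p in DEFAULT_PASSWORDS):
        findings.append("default-password-still-set")
    if today - acct.last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        findings.append("password-rotation-overdue")
    if acct.console_access and not acct.is_admin:
        findings.append("console-access-without-admin-privileges")
    return findings


def audit(accounts: list, today: date) -> dict:
    """Map each non-compliant account name to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


def deployment_allowed(accounts: list, today: date) -> bool:
    """Gate: the product may go to production only with an empty report."""
    return not audit(accounts, today)


# Constructed sample inventory, as a product export might look after install.
TODAY = date(2020, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("admin", "s1", digest("s1", "changeme"),
            TODAY - timedelta(days=400), True, True),   # untouched factory account
    Account("svc_backup", "s2", digest("s2", "Xq7#long-unique-value"),
            TODAY - timedelta(days=30), False, True),   # non-admin with console
    Account("ops_alice", "s3", digest("s3", "another-unique-value-91"),
            TODAY - timedelta(days=10), True, True),    # compliant
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
    print("deploy:", deployment_allowed(SAMPLE_ACCOUNTS, TODAY))
```

Running the script on the constructed inventory reports the factory `admin` account three times (shared name, default password still set, rotation overdue) and `svc_backup` once (console access without administrator privileges), so `deployment_allowed` returns `False`; the same audit run as a scheduled job covers step 5.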

Attacks

  1. Brute force attack.

  2. Information leakage: Technical.

Attributes

  1. Layer: Business layer

  2. Asset: Access credentials

  3. Scope: Confidentiality

  4. Phase: Deployment

  5. Type of Control: Recommendation

References

  1. CAPEC-70 - Try Common Usernames and Passwords: An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions.

  2. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.4): Verify shared or default accounts are not present (e.g. "root", "admin", or "sa").

  3. OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements (2.10.2): Verify that if passwords are required, the credentials are not a default account.

  4. PCI DSS - Requirement 2.2.d

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.