
REQ.142 Change system default credentials

This document contains the details of the security requirement related to the definition and management of access credentials in the organization. The requirement establishes the importance of changing all default credentials in a system in order to prevent brute-force attacks.


The organization must modify all default access credentials of embedded systems.


Description

Organizations usually keep the default configurations of third-party products, since these fit most environments where the products are installed and make deployment to production easier. This practice, however, may leave a default open door: in most cases the default credentials appear in the provider's documentation, which is easy to find on the internet. For this reason it is important to review all configurations before deployment and remove all default credentials in order to prevent brute-force access.


Implementation

  1. Remove all default credentials supplied by the product provider.

  2. Implement a mechanism to ensure that only users with administrator privileges can access the product's administration consoles.

  3. Create a robust credentials policy to improve the security of all credentials in the organization.

  4. Change passwords periodically to reduce the risk of their theft.

  5. Perform audits periodically to detect misconfigurations or missing patches.
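The following script is an added example (it is not code from Fluid Attacks) of an audit that covers steps 1, 4 and 5 above: it walks a credential inventory, flags any account still using a provider default, and flags passwords that have not been rotated within the policy window. The inventory entries, the 90-day rotation limit, the `vendoradmin` placeholder default and the SHA-256 representation of passwords are all assumptions made for the example; the "admin"/"password" pair is the one cited in the ASVS reference on this page. A production inventory would not store password material at all, and the audit would instead attempt a login with each documented default against each device.

```python
"""Audit a credential inventory for provider defaults and stale passwords.

Added example for REQ.142, not Fluid Attacks' own code. Passwords are kept
only as SHA-256 digests here as a simplification for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


def _digest(password: str) -> str:
    """Unsalted SHA-256, used only so the example never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# "admin"/"password" is the pair cited in OWASP ASVS 2.19 (see References).
# The second pair is a hypothetical placeholder standing in for a vendor's
# documented default; a real audit would load these from the provider docs.
KNOWN_DEFAULTS = {
    ("admin", _digest("password")),
    ("vendoradmin", _digest("vendor-default-placeholder")),
}

# Assumed rotation policy: the page asks for periodic change, not a number.
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Credential:
    system: str            # the embedded device or console the account belongs to
    username: str
    password_sha256: str
    last_changed: date


def check_credential(cred: Credential, today: date) -> list[str]:
    """Return the findings for one credential; an empty list means compliant."""
    findings: list[str] = []
    if (cred.username, cred.password_sha256) in KNOWN_DEFAULTS:
        findings.append("default provider credential still in use")
    if today - cred.last_changed > MAX_PASSWORD_AGE:
        findings.append("password older than the rotation limit")
    return findings


def audit(inventory: list[Credential], today: date) -> dict[str, list[str]]:
    """Map each non-compliant system to its list of findings."""
    result: dict[str, list[str]] = {}
    for cred in inventory:
        findings = check_credential(cred, today)
        if findings:
            result[cred.system] = findings
    return result


# Constructed sample inventory: the device names and credentials are invented.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    # Never changed since installation: both the default and the age rule fire.
    Credential("router-01", "admin", _digest("password"), date(2023, 1, 15)),
    # Recently "rotated" back to the vendor default: only the default rule fires.
    Credential("camera-07", "vendoradmin", _digest("vendor-default-placeholder"), date(2024, 5, 20)),
    # Unique password, changed 52 days ago: compliant.
    Credential("plc-03", "ops", _digest("correct horse battery staple"), date(2024, 4, 10)),
]

if __name__ == "__main__":
    for system, findings in audit(SAMPLE_INVENTORY, TODAY).items():
        print(f"{system}: {'; '.join(findings)}")
```

Running the script reports router-01 with two findings and camera-07 with one, while plc-03 is silent. The check deliberately matches on the username and password pair rather than the password alone, because a provider default is only a default in combination with its documented account name.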


Attacks

  1. Brute-force attack.

  2. Information leakage: Technical.


Attributes

  1. Layer: Business layer

  2. Asset: Access credentials

  3. Scope: Confidentiality

  4. Phase: Deployment

  5. Type of Control: Recommendation


References

  1. CAPEC-70 - Try Common Usernames and Passwords

  2. OWASP - Top 10 2013: A5

  3. OWASP ASVS v3.1 - 2.19: Verify there are no default passwords in use for the application framework or any components used by the application (such as "admin/password").

  4. PCI DSS - Requirement 2.2.d
