User: Password:
|
|
Subscribe / Log in / New account

Default passwords

Default passwords

Posted Mar 26, 2009 11:13 UTC (Thu) by epa (subscriber, #39769)
Parent article: Linux botnets

How hard would it be to ship each router with a randomly generated password and print it on a label on the bottom of the device? This would solve two problems: weak default passwords, and forgetting the password for a router you own. After all if you have physical access to the device you can reset it anyway. Owners who don't want the password to be visible can just peel off the label and/or change the password.


(Log in to post comments)

Missing write-protect switch!

Posted Mar 26, 2009 13:18 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

Some manufacturers do ship with randomized passwords and it's good practice.

My own view is that there's an essential piece of hardware missing from such devices: the write-protect switch. Frankly, nothing containing firmware should allow that firmware to be reprogrammed, without the user first manually setting it to writeable.

If these devices shipped write-protected, any crackery could always be un-done by resetting or power-cycling the device.

Manufacturers eliminated the write-protect switch to save a few cents (and, they say, to avoid confusing their lusers). Legislators would do well to mandate it back into existence. It should be plain illegal to sell any piece of hardware missing such an obvious and cheap security measure.

Missing write-protect switch!

Posted Mar 26, 2009 14:13 UTC (Thu) by clugstj (subscriber, #4020) [Link]

Wow, government-mandated write-protect switches? You seem to have a very high level of faith in your politicians. I feel sorry for you.

Missing write-protect switch!

Posted Mar 26, 2009 14:58 UTC (Thu) by DG (subscriber, #16978) [Link]

Rebooting a device wouldn't help all that much - presumably it would get re-exploited remotely fairly quickly...

Limits of security legislation

Posted Mar 26, 2009 18:26 UTC (Thu) by copsewood (subscriber, #199) [Link]

Legislation should not try to go to that level of detail because technology changes. Legislation could be expected to attempt to define legal responsibility for security negligence which can adversely affect many people to a minor extent, or a few people to a major extent. The UK Data Protection Act requires organisations processing personal data to take appropriate security measures. It doesn't state what these are and doesn't have to. The Nationwide Building Society was fined 980,000 UKPounds for a breach of the DPA a couple of years ago, when account details of many account-holding members (one of them myself) were leaked.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds