Default Credentials

Years ago I got a call to help someone with a database. I walked over to their desk (when this was possible) and sat down. They asked me how they could get into a database they had been told about. I quickly realized this was an Oracle database and asked for credentials for SQL*Plus. This person didn’t have any, but I was able to log in with SYSTEM and MANAGER. This was a small department system of some sort, but it always struck me that the default credentials were available. Since then, every time I’ve encountered an Oracle database, I’ve tried those credentials. I’ve been amazed how often they worked, even for production systems.

Recently there was a report that the Nissan corporation had some of their source code leaked. While I would prefer that the code running inside cars was open and widely examined, I was more dismayed that the leak was from an internal Git server with default credentials. Maybe even worse is the defaults are admin and admin, something that might not be hard to guess.

I understand people make mistakes, and I do get that there are pressures people feel to get work done, but there isn’t a good excuse to stand up any server in production with default credentials, and I’d argue a VCS server is production. Even if you didn’t install the server and were just moving it to a new role, or you take over administration, you can’t leave default credentials around. You certainly can’t accept “admin” as a password in 2021.

To me, this is grounds for termination. If nothing else, it’s certainly a reason to remove someone from a privileged position. Being this lax with security would worry me, and I don’t know that I could trust that you’d been careful with other parts of your job. If I encountered this, I would request that every other system under management be audited for improper admin accounts.

Steve Jones

Listen to the podcast at Libsyn, Stitcher, Spotify, or iTunes.

About way0utwest

Editor, SQLServerCentral
This entry was posted in Editorial and tagged . Bookmark the permalink.