No Defaults Passwords Ever

I appreciate default passwords on systems. Often, for routers or other devices, I might need a way to connect initially. Or, if I perform a hardware reset, I want some password that I can use to reconfigure things. However, I am pretty good (not perfect, but really good) at changing those passwords to something else. It drives my wife slightly crazy at times, but I save the passwords and stick them in a manager I share with her periodically.

SQL Server doesn’t store a default password when you install it. If you enable the sa account, you need to create your own password. I primarily deal with containers, and I always set one, usually my own default. However, lots of software either allows a blank password or has a default password set on installation. Oracle even lists theirs in docs. That’s not the worst idea if sysadmins change them, but if they don’t, it’s a threat vector for attackers. I was working with a customer last year who had an Oracle database. I asked them to try a default user/pwd as a test and it worked. I think my head was slowly shaking for the rest of the call.
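One way to make the "no blank or default sa password" rule checkable rather than a matter of trust is to audit the instance directly. The following T-SQL is an added example, not code from the editorial; it assumes SQL Server 2012 or later (for `sys.sql_logins` and `PWDCOMPARE`), a connection with sysadmin rights, and it uses an obvious placeholder where a real password would go.

```sql
-- Added example: audit SQL-authenticated logins for the conditions the
-- editorial warns about (blank password, password equal to the login name)
-- and report whether the built-in 'sa' login is enabled.
-- Assumes SQL Server 2012+ and sysadmin membership; PWDCOMPARE returns 1
-- when the clear-text candidate matches the stored hash, 0 otherwise.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,            -- 0 means Windows password policy is not enforced
    l.is_expiration_checked,
    CASE
        WHEN PWDCOMPARE(N'', l.password_hash) = 1     THEN 'BLANK'
        WHEN PWDCOMPARE(l.name, l.password_hash) = 1  THEN 'SAME AS LOGIN NAME'
        ELSE 'set'
    END AS password_state
FROM sys.sql_logins AS l
WHERE l.name = N'sa'
   OR PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY l.name;

-- Remediation for a flagged 'sa' login. The password below is a PLACEHOLDER;
-- replace it with a value generated by your password manager before running.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-generated-password>',
                   CHECK_POLICY = ON;

-- Where nothing legitimately authenticates as 'sa', disabling it removes the
-- best-known login name from the attack surface entirely.
ALTER LOGIN sa DISABLE;
```

Run the SELECT on a schedule (or fold it into an existing instance health check) so a login that was reset during troubleshooting and never fixed does not stay that way; any row whose `password_state` is not `set`, or where `sa` shows `is_disabled = 0` on an instance that should not use it, is a finding.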

Recently, Silicon Valley saw the result of a default password not being changed when someone hacked the crosswalk signals and uploaded fake audio files that played when the signals changed. The vendor (not surprisingly) advised the city to change the passwords to something strong. A somewhat harmless prank, but it’s possible that someone might have made a more nefarious change.

It’s 2026. We know there are people out there with malicious intentions, as well as those whose pranks go sideways and have unexpected side effects. There isn’t a good reason to keep default passwords anywhere, including on your own personal devices. These days, connectivity among many systems is a reality with network, Bluetooth, NFC, and who knows what other connections are possible. Your personal devices ought to have their defaults changed for your own protection.

Inside organizations, it can be worse as the weakest link can be exploited to gain access to other systems. Quite a few hacks started in test systems and progressed to accessing production data. Even places we might not expect to be problematic, such as version control systems, have been used by hackers to gain access.

To me, finding a default password is worthy of a reprimand and a note in whoever’s file forgot to change it. A second offense ought to lead to a suspension at a minimum and possibly termination. This is such a low bar of required security that I can’t think of a good excuse to allow it anywhere.

Steve Jones


About way0utwest

Editor, SQLServerCentral

1 Response to No Defaults Passwords Ever

  1. Greg Moore says:

    We’re both… umm… in the industry long enough to recall when SQL Server did allow a blank password for sa. I (in part) squashed an acquisition we were looking at because of it.

    My boss asked me to take a look into a company we were looking to acquire. So I started at their homepage. Then I had the idea to try to take Enterprise Manager (told you it was a long time ago) and poke around at that IP and a few around it. Ding... one IP address below their home page I got a response. I forget the exact reason why, but I couldn’t connect with Enterprise Manager, but I could with, I think it was, SQLCMD. On a lark I decided to see what would happen if I connected as sa. Bam. I was in. No password.

    And since this was long before xp_cmdshell was set to 0 (that option may not have even existed, it’s been decades) a quick sqlcmd combined with the right OS command and I’d have had complete root access to their entire Active Directory domain. Since it took me less than 10 minutes of effort to get to this point, I had to assume that their entire network was already compromised. We held off on the acquisition. Now to be fair, there were probably other business reasons, but had we acquired them, I would have basically torn down their entire stack and rebuilt it.

    Then there’s the time at a different company I almost had my 8-year-old hack into the fiber switch the CTO had set up. I realized I could make my point effectively without going to that step.

    Oh, I’d add: besides no default passwords, firewall everything.

