[ISN] Default Database Passwords Still In Use

From: InfoSec News <alerts_at_private>
Date: Wed, 26 May 2010 00:46:22 -0500 (CDT)

By Ericka Chickowski
Contributing Writer
May 25, 2010

The rampant use of default passwords within live database environments 
continues to plague the security of enterprise data, researchers say.

"It's a problem that has been around for a long, long time," says Alex 
Rothacker, manager of Team SHATTER, Application Security Inc.'s research 
arm. "A lot of default passwords out there get installed when you deploy 
a database, you install an add-on to it, or even if you install a 
third-party application that uses the database."

As he puts it, the problem of default passwords lingering in the wild 
has built up over the years as a result of cumulative errors by both 
vendors and database administrators. In the past, the majority of 
vendors had no compunction about pushing out installers that 
automatically created default accounts to expedite the deployment of new 
databases, add-ons, or applications on top of the database.

"In order to perform some of the installation functions, they need to 
create database accounts, and some of them simply go and create an 
account and put a default password on it that's well-known to the whole 
world," he says.

Meanwhile, users did nothing to clean up these default accounts once 
installation was complete. Rothacker says the situation on the vendor 
front has improved considerably in recent years, but default passwords 
continue to be a problem for a number of reasons.

Received on Tue May 25 2010 - 22:46:22 PDT