Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco, haven't we learned anything? (technician reset)y

  • From: Steven M. Bellovin
  • Date: Thu Jan 12 21:07:32 2006

In message <200601130141.k0D1fiZ1007762@world.std.com>, Martin Hannigan writes:
>
>> 
>> 
>> 
>> > Actually, and fairly recently, this IS a default password in IOS.  New 
>> > out-of-box 28xx series routers have cisco/cisco installed as the default 
>> > password with privilege 15 (full access).  This is a recent development.
>> 
>> This is hardly only cisco's problem. Most office routers I've dealt with
>> also come with default username/password and on occasions when I dealt
>> with  existing installation those passwords have rarely been changed.
>> 
>> What should really be done (BCP for manufactures ???) is have default
>> password based on unit's serial number. Since most routers provide this
>> information (i.e. its preset on the chip's eprom) I don't understand
>> why its so hard to just create simple function as part of software to 
>> use this data if the password is not otherwise set.
>
>Ex: Thot's how a Netscreen 5 works after a reset. The password is the
>serial # if I remember correctly.
>

How much entropy is there in a such a serial number?  Little enough 
that it can be brute-forced by someone who knows the pattern?  Using 
some function of the serial number and a vendor-known secret key is 
better -- until, of course, that "secret" leaks.  (Anyone remember how 
telephone credit card number verification worked before they could do 
full real-time validation?  The Phone Company took a 10-digit phone 
number and calculated four extra digits, based on that year's secret.  
Guess how well that secret was kept....)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.