Beware the Default Password
by Colm Murphy - Technical Director of Espion - Monday, 1 September 2007.
As recently as February this year, researchers at the University of Indiana published reports that show how attackers could take over your home router using malicious JavaScript code. All that is required is for the default password to be in place. Once the router has been compromised, victims can be redirected to fraudulent Web sites, the researchers say. So instead of downloading legitimate Microsoft software updates, for example, they could be tricked into downloading malware. Instead of online banking, they could be giving up sensitive information to phishers. At the heart of the problem is the fact that consumer routers ship with simple, well-known default passwords, like "admin," which could be exploited by attackers. "Owners of home routers who set a moderately secure password - one that is non-default and non-trivial to guess - are immune to router manipulation via JavaScript," the paper states.

It is easy to lay some of the blame at the door of the manufacturer. They could be accused of shipping product with poorly configured security settings. Let's face it; it is not hard for them to force the user to change the initial configuration password. But that alone is not enough. What about the 'undocumented' password, the one that you don't even know about?


There are resources available on the Internet that allow you to audit your network devices and software applications. This should be performed as part of your yearly audit schedule. A simple Google search for 'default password list' yields hundreds of sites that claim to have the most comprehensive database of default passwords. One of the oldest, and still reliable, can be found here. It makes for some interesting reading and is regularly updated.
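
One way to run such an audit offline is sketched below. This is an added example, not code from the article or from any list it mentions. It checks a credential inventory you already hold against a default-password list and also flags the "trivial to guess" variants the paper warns about. The CSV layouts, vendor names, device names and passwords are all constructed for illustration.

```python
import csv, io, re

# Constructed sample defaults (vendor, username, password); not from a real list.
DEFAULTS_CSV = """vendor,username,password
ExampleNet,admin,admin
ExampleNet,admin,
AcmeRouter,root,password
"""

# Constructed inventory export: credentials currently recorded per device.
INVENTORY_CSV = """device,vendor,username,password
gw-01,ExampleNet,admin,admin
gw-02,examplenet ,admin,Admin123
sw-07,AcmeRouter,root,k7#Vq9!tLm2x
ap-03,ExampleNet,admin,
cam-11,OtherCo,admin,admin
"""

def _strip_decor(pw):
    # Reduce trivial variants: case changes plus leading/trailing digits or punctuation.
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())

def load_defaults(text):
    by_vendor, any_vendor = {}, set()
    for row in csv.DictReader(io.StringIO(text)):
        pair = (row["username"].strip().lower(), row["password"])
        by_vendor.setdefault(row["vendor"].strip().lower(), set()).add(pair)
        any_vendor.add(pair)
    return by_vendor, any_vendor

def audit(inventory_text, defaults_text):
    by_vendor, any_vendor = load_defaults(defaults_text)
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        user, pw = row["username"].strip().lower(), row["password"]
        vendor_pairs = by_vendor.get(row["vendor"].strip().lower(), set())
        if (user, pw) in vendor_pairs:
            verdict = "default"                # exact vendor default, blank included
        elif (user, pw) in any_vendor:
            verdict = "default-other-vendor"   # well-known pair from another vendor
        elif any(u == user and p and _strip_decor(pw) == p.lower() for u, p in any_vendor):
            verdict = "trivial-variant"        # e.g. a default plus digits
        else:
            verdict = "ok"
        findings[row["device"]] = verdict
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY_CSV, DEFAULTS_CSV))
```

Anything other than "ok" is a device whose password should be changed before the next audit cycle.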

Whatever the organization, whatever the choice of software or hardware vendor, the default password is likely to raise its ugly head from time to time. Be proactive and get scanning. You will be amazed at what you may find.

Copyright 1998-2013 by Help Net Security.