Gidley's Gossipings

A blog about not much really

Why is there such a thing as default passwords?

Why in 2016 are people still shipping software and devices with default passwords? The recent IOT/Botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords.

This is perfectly within the capability of a device manufactuer - even British Telecom (who have many many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. It’s not hard to do that! With software it’s even easier you just force the user to pick a password and don’t ship them with admin/password or whatever you’ve decided is good enough.

I’ve seen some commentry that it’s the consumers fault, as they should change the passwords. This is a very wrong-headed response in my opinion. People are busy, people don’t understand the tech they use and people don’t read instructions books or change passwords in menus that are hard to find. It’s simply bad user interaction design to create a system that requires consumers to do anything to be secure.

Maybe it’s going to take a government regulator to simply ban devices shipped this way, you’re not allowed to ship a device that electrocutes people - so why are you allowed to ship one that exposes all of us to these risks.


comments powered by Disqus