Welcome back to Password Tips From a Pen Tester. Last time, I exposed common password patterns we see when we perform penetration testing service engagements for our clients at Rapid7. This month, let’s dig into the amazingly weak default passwords that so many companies use.

The first day on the job: We fill out all the requisite paperwork for Human Resources and get a computer and our network password. That password is often something easy to remember, and is often the same for every new employee. It might be Welcome1, ChangeMe! or one of our old favorites, the SeasonYear (ie. Summer2018). If a new employee is having trouble signing in for the first time and they call the help desk, they can easily get the help they need. A big problem with this methodology is that attackers can do the same thing. When I’m on a social engineering engagement with a company, one of my first moves is always to call the help desk with a story about being new and needing to know what the default password is (or that I can’t remember mine and would like to just have it reset to the original, default value). If I’m able to find out what that is, I can then attempt to log in with other usernames and that default password. This works because I know that some people don’t change their first password—ever.

I have compiled a list of more than 136,000 passwords from pentests done by the Rapid7 team over the last three months. From that data, I searched for some of these typical first passwords. For example, looking at versions of “welcome,” I see:

• Welcome1 – 1015 times
• Welcome! – 9 times
• Welcome1! – 16 times

I also did a search for Welcome2 and got 637 results. This one is a little trickier because I am doing a wildcard search, so that could simply be someone who changed their Welcome1 to the next digit, or it could be a password like Welcome2Rapid7. When I dug in further, 121 of those were only Welcome2. Exactly 430 were of the Welcome2CompanyName variety and the remainder were Welcome2018 or some other small number of combinations.

It seems “change” might do a better jump of conveying to employees that the password should be changed. I found 38 variations of ChangeMe, 4 instances of Changeit, and 9 entries for Changethispassw0rd (yes, that’s a zero).

The data does also show different single digits after the Welcome and Change, possibly indicating another common user behavior, that the account holder is simply incrementing the number on each required update.

With all this discussion of “Welcome” and “Change”, we need to look at one other password that we’ve seen many times before. While it might also be something chosen by users, sometimes it is the default password. This was the most common password that I found when searching through my data. It’s none other than our old friend “password”. I took my file with 137,000 passwords and sorted and counted each and when I removed the company-specific passwords (ie. Rapid7!) the top remaining password, with 960 entries was Password1. As I look down the list, there are more versions of it. I see 314 entries for Password123, 175 entries for _Pass_Word1, 151 entries for password, 92 entries for Password2, and 60 entries for P@ssw0rd. The list of “passwords” just keeps going on and on.

So how do we deal with these default passwords? The short answer is to force employees to change it. The system administrator should activate a setting when the account is created, then check the box for “User Must Change Password at Next Logon”. I can’t give instructions on exactly how to do it as there might be slight variations for your environment, so I recommend using your vendor’s documentation on the proper way to set that value.

Ensuring that your people aren’t using a known, weak password will go a long way to helping the security of your network, and at least forcing them to change their original, default password is a great first step.

Interested in more penetration testing research from Rapid7? Check out our Under the Hoodie series, and uncover the most effective methods our pen testers have found to compromise high-value credentials.

Want more? Don’t miss these posts