An Overview of the Usage of Default Passwords

  • Brandon Knieriem
  • Xiaolu Zhang
  • Philip Levine
  • Frank BreitingerEmail author
  • Ibrahim Baggili
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 216)


The recent Mirai botnet attack demonstrated the danger of using default passwords and showed it is still a major problem. In this study we investigated several common applications and their password policies. Specifically, we analyzed if these applications: (1) have default passwords or (2) allow the user to set a weak password (i.e., they do not properly enforce a password policy). Our study shows that default passwords are still a significant problem: 61% of applications inspected initially used a default or blank password. When changing the password, 58% allowed a blank password, 35% allowed a weak password of 1 character.


Default passwords Applications Usage Security 



Special thanks go to Mohammed Nasir who initially started this research project and Matthew Vastarelli for supporting us.


  1. 1.
    Booker, L.: Brute force attack targets WordPress sites with default admin username (2013)Google Scholar
  2. 2.
    Carroll, R.: Breached server still had default password (2014)Google Scholar
  3. 3.
    Casey, B.: Network security risks: the trouble with default passwords (2014)Google Scholar
  4. 4.
    Christey, S., Martin, R.A.: Vulnerability type distributions in cve. Mitre report, May 2007Google Scholar
  5. 5.
    Gordineer, J.: Blended threats: a new era in anti-virus protection. Inf. Syst. Secur. 12(3), 45–47 (2003)CrossRefGoogle Scholar
  6. 6.
    Grassi, G.: Digital identity guidelines. National Institute of Standards and Technology (2016)Google Scholar
  7. 7.
    Hypponen, M., Nyman, L.: The internet of (vulnerable) things: on hypponen’s law, security engineering, and IoT legislation. Technol. Innov. Manag. Rev. 7(4), 5–11 (2017)Google Scholar
  8. 8. They hack because they can (2014)
  9. 9.
    Martins, F.: Creating strong password policy best practices (2014)Google Scholar
  10. 10.
    Northcutt, S.: The risk of default passwords (2007)Google Scholar
  11. 11.
    Pham, T.: Default passwords: breaching ATMs, highway signs and POS devices (2014)Google Scholar
  12. 12.
    Duo Security: Utah department of health (UDOH) breach (2012)Google Scholar
  13. 13.
    Microsoft Customer Support: An unsecured SQL server server that has a blank (NULL) system administrator password allows vulnerability to a worm (2005)Google Scholar
  14. 14.
    Symantec Security Response. Mirai: what you need to know about the botnet behind recent major DDoS attacks, Oct 2016Google Scholar
  15. 15.
    Traynor, P., Butler, K., Enck, W., McDaniel, P., Borders, K.: Malnets: large-scale malicious networks via compromised wireless access points. Secur. Commun. Netw. 3(2–3), 102–113 (2010)CrossRefGoogle Scholar
  16. 16.
    Van Heerden, R.P., Vorster, J.S.: Statistical analysis of large passwords lists, used to optimize brute force attacks (2009)Google Scholar
  17. 17.
    Vijayan, J.: Weak passwords still the downfall of enterprise security (2012)Google Scholar
  18. 18.
    Vinton, K.: Data breach bulletin: home depot,, JP morgan (2014)Google Scholar
  19. 19.
    Vu, K.P.L., Proctor, R.W., Bhargav-Spantzel, A., Tai, B.L.B., Cook, J., Schultz, E.E.: Improving password security and memorability to protect personal and organizational information. Int. J. Hum. Comput. Stud. 65(8), 744–757 (2007)CrossRefGoogle Scholar
  20. 20.
    Westervelt, R.: Verizon data breach report finds employees at core of most attacks (2013)Google Scholar
  21. 21.
    Williams, C., Spanbauer, K.: Understanding password quality (2001)Google Scholar
  22. 22.
    Wisniewski: Naked security (2016)Google Scholar
  23. 23.
    Wright, J.: Oracle worm proof-of-concept (2005)Google Scholar
  24. 24.
    Zanero, S.: Wireless malware propagation: a reality check. IEEE Secur. Priv. 7(5), 70–74 (2009)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Brandon Knieriem
    • 1
  • Xiaolu Zhang
    • 1
  • Philip Levine
    • 1
  • Frank Breitinger
    • 1
    Email author
  • Ibrahim Baggili
    • 1
  1. 1.Cyber Forensics Research and Education Group (UNHcFREG)Tagliatela College of Engineering, University of New HavenWest HavenUSA

Personalised recommendations