Default credentials

Theory

Default credentials are a really simple and extremely common way to get initial access to a system. Many devices (especially in the Internet of Things) come with default non-random passwords that are often left unchanged. Below is a list of very common credentials :

Username

Password

admin

root

tomcat

password

Practice

Default passwords can be found through the following means

Password lists
Wikipedia's list of most common passwords
Google Dorks: intext:'password' intext:'default' Application Name
Manual or vendor documentation
Source code
Physically (e.g. a sticker indicating the default credentials)

This technique is not to be confused with credential bruteforcing which aims at sending multiple login+password attempts until valid credentials are found. The "default credentials" technique aims at finding potential valid creds depending on the information gathered during the reconnaissance phase.

Resources

WSTG - Latest | OWASP Foundation

PreviousConfiguration NextHTTP methods

Last updated 1 year ago

Was this helpful?