Hardcoded passwords, also often referred to as embedded credentials, are plaintext passwords or other secrets stored in source code. Password hardcoding is the practice of embedding plaintext (unencrypted) passwords and other secrets (SSH keys, DevOps secrets, etc.) directly into source code. Default hardcoded passwords may be shared across many devices, applications, or systems of the same kind, which simplifies setup at scale but at the same time poses considerable cybersecurity risk.

How Are Embedded Passwords Used and Where Are They Found?

Embedded passwords are used in multiple ways, including:

Hardcoded passwords may commonly be found in:

Often, manufacturers or software companies hardcode default passwords into hardware, firmware, software, scripts, applications, and systems. These products are then shipped, and often deployed, with the embedded default passwords intact. Developers and other users may also embed credentials into code for easy access as part of their workflow.

Proponents of hardcoding credentials may also claim it provides an extra layer of assurance, so that unsophisticated users cannot tamper with the code or product. However, the practice is increasingly discouraged because it poses formidable security risks that malware and hackers continue to exploit.

What Makes Hardcoded Passwords Risky?

Hardcoded passwords are particularly dangerous because they are easy targets for password-guessing exploits, allowing hackers and malware to hijack firmware, devices (such as health monitoring equipment), systems, and software. The same hardcoded password, or a limited number of them, is often used across all applications (many of which require elevated privileges to function) or devices produced by a manufacturer or software development company within a particular series, release, or model. So, once a hacker knows the default password, they can potentially access all similar devices or application instances. This kind of exploit has resulted in some massive cyber-attacks (two of which are detailed below) that have caused large security breaches, worldwide outages, and even jeopardized critical infrastructure.

Additionally, developers and other users often embed passwords in code and then forget about them, and/or accidentally publish the code (such as to GitHub) with the plaintext password easily discoverable by anyone with the right knowledge or scanning tools.
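The "scanning tools" mentioned above work by pattern-matching source text for credential-shaped literals. The following is an added example of such a scanner, written for this page and not taken from any real project; the sample source it scans is constructed, and the patterns are illustrative heuristics rather than a complete rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample source text (not from any real project) containing the
# kinds of embedded secrets a pre-commit or repository scan should flag.
SAMPLE_SOURCE = '''\
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2"               # plaintext password literal
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
token = os.environ.get("API_TOKEN")   # fine: read from the environment
-----BEGIN RSA PRIVATE KEY-----
'''

@dataclass
class Finding:
    line_no: int
    kind: str
    line: str

# Defender-side heuristics; extend or tighten them for your own code base.
PATTERNS = {
    # e.g. password = "..." / secret: '...' / api_key = "..."
    "password-literal": re.compile(
        r'(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["\'][^"\']{4,}["\']',
        re.IGNORECASE),
    # AWS access key IDs have a fixed prefix and length
    "aws-access-key-id": re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b'),
    # PEM-encoded private key material
    "private-key-block": re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),
}

def scan_source(text: str) -> list:
    """Return one Finding per (line, pattern) match, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex in PATTERNS.items():
            if regex.search(line):
                findings.append(Finding(line_no, kind, line.strip()))
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.line}")
```

Running the same scan as a pre-commit hook over staged files, and failing the commit on any finding, is the cheapest place to catch the "forgot about it and pushed it" case.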

Hardcoding presents a risk to the specific device, firmware, application, etc. itself, to other parts of the connected IT ecosystem, and even to innocent third parties that may be on the receiving end of DDoS attacks from botnets of devices enslaved via a hardcoded password exploit.

What are the Challenges to Managing & Securing Embedded Passwords?

Risk to operational continuity

Often, hardcoded passwords are created with the intention that they never be changed—despite the risk that stale passwords present. Thus, admins may be wary of changing certain types of embedded passwords for fear of breaking something in the system and possibly disrupting company operations.

Lack of visibility and awareness

Simply knowing where all of an organization’s embedded passwords reside presents a huge challenge. You will need to carry out an audit or discovery of all devices and applications that potentially have hardcoded passwords. Reviewing vendor documentation about embedded passwords can also help you know where to look.

Lack of the right tools

Unfortunately, there is no viable manual way to detect or centrally manage passwords stored within applications or scripts. Securing embedded passwords requires separating the password from the code, so that when it’s not in use, it’s securely stored in a centralized password safe, as opposed to being constantly exposed in plain text.
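To make "separating the password from the code" concrete, here is an added example (written for this page, not vendor or project code) of a loader that knows only the secret's name and fails closed. It assumes the secret is delivered either as an environment variable or as a file mounted by an orchestrator or password-safe agent under a hypothetical `/run/secrets` directory; the list of rejected default values is constructed.

```python
import os
from pathlib import Path

# Before (the practice this page warns against): the secret is part of the
# code, so every copy of the program carries it and rotation means a release.
#     DB_PASSWORD = "admin123"
#
# After: the code knows only the *name* of the secret. At run time it is
# fetched from the environment or from a file mounted by the orchestrator or
# a password-safe agent. Which store is used is an assumption of this example.

# Constructed list of vendor defaults / placeholders that must never be accepted.
REJECTED_VALUES = {"", "admin", "admin123", "password", "changeme", "CHANGE_ME"}

class SecretError(RuntimeError):
    """Raised when a secret is missing or is a known default; the app must not start."""

def load_secret(name, env=None, secrets_dir="/run/secrets"):
    """Return the value of secret `name`, or raise SecretError.

    Lookup order: environment variable `name`, then file `<secrets_dir>/<name>`.
    Fails closed: there is no built-in fallback value anywhere in the code.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    source = "environment"
    if value is None:
        path = Path(secrets_dir) / name          # hypothetical mount point
        if path.is_file():
            value = path.read_text(encoding="utf-8").strip()
            source = str(path)
    if value is None:
        raise SecretError(f"{name}: not provided in environment or {secrets_dir}")
    if value in REJECTED_VALUES:
        raise SecretError(f"{name}: value from {source} is a known default/placeholder; rotate it")
    return value

def db_connection_settings(env=None, secrets_dir="/run/secrets"):
    """Hypothetical consumer: builds connection settings without any literal secret."""
    env = os.environ if env is None else env
    return {
        "host": env.get("DB_HOST", "localhost"),
        "user": "app",
        "password": load_secret("DB_PASSWORD", env=env, secrets_dir=secrets_dir),
    }
```

Because the value is fetched at start-up rather than compiled in, rotating it in the password safe takes effect on the next restart without a code change.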

Some cybersecurity vendors provide enterprise password management solutions that are able to continually discover hardcoded and default passwords and bring them under management, including enforcing password rotation and other best practices.

Examples of High Profile Exploits Involving Embedded Passwords

Mirai Attack

The Mirai malware, which rose to prominence in late 2016 (though it may have actually been active years earlier), scans for the Telnet service on Linux-based IoT devices running BusyBox (such as DVRs and web IP cameras) and on unattended Linux servers, then attempts to log in by brute force using a table of 61 known hardcoded default username and password pairs. Mirai and its variants were used to assemble enormous botnets of IoT devices, up to about 400,000 connected devices, unbeknownst to most of their owners. Mirai-related botnets waged some of the most disruptive DDoS attacks ever seen, with victims including French Telecom, Krebs on Security, Dyn, Deutsche Telekom, Russian banks, and the country of Liberia. (Use this free enterprise IoT Scanner to pinpoint default or hardcoded credentials in your organization’s IoT ecosystem, and chart a path to mitigate threats.)

Uber Breach

While the Mirai attacks were most notable for causing business downtime, the Uber breach resulted in the exposure of information on 57 million customers, plus roughly 600,000 drivers. As with Mirai, hardcoded credentials were at fault. An Uber employee published plaintext credentials within source code that was then posted on GitHub, a popular repository used by developers. A savvy hacker simply found the embedded credentials on GitHub, then used them to gain privileged access to Uber’s Amazon AWS instances.

Best Practices for Managing Embedded Passwords

If you want to reduce your exposure to embedded passwords, there are a few steps you can take: