Hardcoded Passwords, also often referred to as Embedded Credentials, are plain text passwords or other secrets in source code. Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords and other secrets (SSH Keys, DevOps secrets, etc.) into the source code. Default, hardcoded passwords may be used across many of the same devices, applications, systems, which helps simplify set up at scale, but at the same time, poses considerable cybersecurity risk.
Embedded passwords are used in multiple ways, including:
Setting up new systems
API and other system integrations
Encryption and decryption keys
Privileged and superuser access
Application-to-Application (a2a) and Application-to-Database communications
Hardcoded passwords may commonly be found in:
Software applications, both locally installed and cloud-based
BIOS and other firmware across computers, mobile devices, servers, printers, etc.
Network switches, routers, and other control systems
Internet of Things (IoT) devices and medical devices
Often, manufacturers or software companies hardcode default passwords into hardware, firmware, software, scripts, applications, and systems. These products are then shipped and, often deployed, with the embedded default passwords intact. Developers and other users may also embed credentials into code, for easy access as part of their workflow.
Proponents of hardcoding credentials may also claim it provides an extra layer of assurance so that unsophisticated users cannot tamper with the code or product. However, the practice of hardcoding credentials is increasingly discouraged as they pose formidable security risks that continue to be exploited by malware and hackers.
Hardcoded passwords are particularly dangerous because they are easy targets for password guessing exploits, allowing hackers and malware to hijack firmware, devices (such as health monitoring equipment), systems, and software. The same hardcoded password, or a limited number of them, are often used across all applications (many that require elevated privileges to function) or devices produced by a manufacturer/software development company within a particular series, release, or model. So, once a hacker knows the default password, they can potentially access all similar devices or application instances. This kind of exploit has resulted in some massive cyber-attacks (two of which are detailed below), that have caused massive security breaches, worldwide outages, and even jeopardized critical infrastructure.
Additionally, developers and other users often embed passwords in code and then forget about it, and/or accidentally publish the code (such as to GitHub) with the plaintext password easily discoverable by anyone with the right knowledge or scanning tools.
Hardcoding presents a risk for the specific device, firmware, application, etc. itself, to other parts of the connected IT ecosystem, and even to innocent third-parties which may be on the receiving end of DDOS attacks from botnets of devices enslaved via a hardcoded password exploit.
Often, hardcoded passwords are created with the intention that they never be changed—despite the risk that stale passwords present. Thus, admins may feel wary about trying to change certain types of embedded passwords for fear of breaking something in the system, and possibly disrupting company operations.
Understanding where all an organization’s embedded passwords are in the first place presents a huge challenge. You will need to carry out an audit/discovery of all devices and applications that potentially have hardcoded passwords. Reviewing vendor documentation about embedded passwords can also help you know where to look.
Unfortunately, there is no viable manual way to detect or centrally manage passwords stored within applications or scripts. Securing embedded passwords requires separating the password from the code, so that when it’s not in use, it’s securely stored in a centralized password safe, as opposed to being constantly exposed in plain text.
Some cybersecurity vendors provide enterprise password management solutions that are able to continually discover hardcoded and default passwords and bring them under management, including enforcing password rotation and other best practices.
The Mirai malware, which rose to prominence in late 2016 (though it may have actually been active years earlier), scans the Telnet service on Linux-based IoT boxes with Busybox (such as DVRs and WebIP Cameras), and on unattended Linux servers. Then, through a brute force attack, applies a table of 61 known hardcoded default usernames and passwords to attempt login. Mirai, and its variants, were used to assemble enormous botnets of IoT devices, up to about 400,000 connected devices, unbeknownst to most of their owners. Mirai-related botnets waged some of the most disruptive DDOS attacks ever seen, with victims including French Telecom, Krebs on Security, Dyn, Deutsche Telecom, Russian banks, and the country of Liberia. (Use this free enterprise IoT Scanner to pinpoint default or hardcoded credentials in your organization’s IoT ecosystem, and chart a path to mitigate threats).
While the Mirai attacks were most notable for causing business downtime, the Uber breach resulted in the exposure of information of 57 million customers, plus roughly 600,000 drivers. As with Mira, hardcoded credentials were at fault. An Uber employee published plaintext credentials within source code that was then posted on Github, which is a popular repository used by developers. A savvy hacker simply found the embedded credentials on GitHub, then used them to gain privileged access on Uber’s Amazon AWS Instances.
If you want to reduce your exposure to embedded passwords, there are a few steps you can take:
Bring application passwords under management. Introduce a third-party privileged password management or application password management solution that uncovers default and hardcoded credentials across the enterprise, and forces applications, scripts, etc. to call (or request) the use of the password from a centralized password safe. Once the credentials are under management, the tool can enforce password security best practices, including password rotation, password length, and uniqueness, to dramatically reduce cyber risk.
Refuse to buy from vendors that include hardcoded credentials. Pressuring vendors to stop using hardcoded passwords is the best long-term solution to eliminate this dangerous threat to the entire IT ecosystem.
Vulnerability management. Software and product vendors periodically release patches to address flaws, such as with hardcoded passwords. If you have a thorough vulnerability scanning and patch management process in place, you can quickly address these issues once they are known and a patch is available.