Default passwords are a thing, and for a fairly decent reason. Your crap needs to be relatively secure, even if you haven’t actually done anything useful with your crap since the start of its existence. Default passwords are also incredibly, incredibly bad for you. It’s why most actual corporations force you to change it from the default the first time you log in, whether or not they force you to change it on a subsequently frequent basis later on. Because not doing so can be a real problem for you, your content, and your sysadmin. Most of this, you’d think, would be pretty common sense–even if you’re not the technical sort. But, I’m putting it here, so you can safely assume it’s not as common as I’d prefer. This came pretty much full circle yesterday, and the only reason it didn’t get blogged yesterday is educational things have conspired to fry me.
As probably a few of you will figure out, I’ve run this site on a dedicated server for a few years. I also happen to have added a few people to the list of things running on this server in that time. In doing so, I use what I think to be relatively standard practices for security–you get an account, with whatever domains/services/whichever you need access to. You get a username of your choosing, and because I neither want nor need to know what your actual password(s) is/are, I give you a standard default password–and very strongly recommend, as in you really, really want to do this before I scramble the thing for you and hand you a generated one that’s at least 32 characters long, that you change the thing. Like now. As in before you even decide to turn around and install WordPress–which you should, because flexible. Because yes, the thing is secure. Mostly. But default passwords are usually three things. Easy to remember, short enough so as not to be overly confusing for folks who aren’t exactly up to trying to translate, commit to memory and not completely flub a 32-character-long password, and probably not difficult to figure out for your average script kiddy with a brute force program and some free time to devote to finding themselves a new machine they can borrow to spam the hell out of someone or someones. In other words, change it or you really do deserve to be slapped across the forehead with the clue stick. Gently, of course.
So I was on my way out the door yesterday with the half dozen things that usually follow me out the door when my phone pretty much blew up. I pull it out on the bus and find myself staring at a screen full of mail server failure notices. I’m talking very nearly a hundred of the freaking things. Well, I figure. This isn’t altogether too pretty of a thing to be seeing if you’re me. Did a server people are trying to send to decide to pick yesterday to suffer a fatal issue, or has something on my end gone and broke itself?
To figure out how this applies, let me summarize roughly what happens when you try and send someone an email. Your machine, through Outlook or some other program, sends the mail you’re working on to a server–either owned by your ISP, or your website provider, or the company you work for–with instructions that basicly says “This needs to get to firstname.lastname@example.org”. Your mail server, then–that’d be the thing Outlook just got done talking to, flips through the internet equivalent of a phonebook to figure out which other servers are accepting mail for place.com. When it finds one or several, it tries to contact them. Assuming it gets an answer from one, it asks two questions. “Do you actually accept mail for place.com?” And, if the answer to that question is yes, “Does person exist in your info on place.com?”. Assuming both answers are yes, one of two things happens. Ideally, your mail is then sent to the receiving server, who then tells your mail server, “Okay, I’ve got it. Thanks for dropping by.” and that’s that. Transaction complete. Or, slightly less likely, the server’s experiencing problems–or one of the servers it relies on is experiencing problems–and your mail server is told to escentially try again later. Which it will, repeatedly every so often, until either the mail is delivered or it just plain gives up on account of the destination’s well beyond broken. If the answer to the second question comes back a no, the receiving server escentially tells your server, “I don’t have anyone named person here.”. Okay, so that’s a problem. And it’s a problem you should probably know about so you’re not trying to repeatedly send mail to email@example.com and wondering why in the sam hell that rat bastard hasn’t gotten back to you in 6 months. So your mail server turns around and automatically sends you a quick email saying basicly “I tried to send your mail to person, but the folks at place.com don’t know who that is. Sorry about that. Oh and by the way, you should probably tell person his place.com address doesn’t exist–or make sure the sneak gave you the right one already.”. Okay so maybe not that last part, but you get the idea.
When my server sends people the “place.com doesn’t know who person is” email, it also copies that email to me. Not because I feel like snooping in on the juicy details of the morning’s gossip that you’ve accidentally sent to the slightly mistyped but still mostly correct address of the chick you usually have coffee with after work, but because in the event this kind of thing happens consistently, there’s either something wrong with the receiving server–which I may need to yell at someone about, or work around temporarily–or there’s something wrong on my server’s end, either with your account or with the server in general–which I need to fix, or prod you to fix, in order to prevent further much larger problems. So when an account on my server started generating several emails to random addresses that didn’t exist, the server got several “this person doesn’t exist here” notices from servers it was trying to deliver to. As a result, I got several copies of “I tried to deliver this, but they don’t exist” emails. And because it’s 2013, I’m a geek and there isn’t a smartphone alive today that doesn’t let you, I got to handle most of those on the way to class–and discover that those emails were coming from entirely random addresses on my server that also didn’t exist. Well then. Don’t we have us a situation. I couldn’t do entirely too much about it at the time except diagnose on account of I was mobile, I was on 3G and I wasn’t in one place long enough to haul out the laptop and make things happen, but at least now I knew there was something amiss in techville.
When I got where I was going, I had a bit more time to play find the hole. And what I found was the mail traffic was being generated by an account that hadn’t actually been accessed since it was set up and the person who owned it installed a version of WordPress. Since then, that account had escentially been sitting there doing not much. Unfortunately, because it hadn’t been accessed except the one time it took to install WordPress, that also meant its default password was still its current password. And, as a quick check would tell me when I got back to a network I could actually use without the restrictions of a not very well set-up firewall, it was that default password stil being set for months on end, on a public-facing system, that lead to the account being accessed by places and in ways that it might not aughta be. Having no idea at the time, though, my priority was escentially turn off the tap. So I disabled that account before class started, and it sat there being disabled until I could get a look at it when I was free–see also: when I confirmed that yes, in fact, the thing was accessed in ways it shouldn’t have been by a password that should have had a lifespan of 5 minutes.
That account will more than likely end up deleted, on account of it was never actually used and so really, nothing’s being lost by killing it. Which also means I don’t need to send an actual user an email basicly saying “by the way, because you fail at security basics all your crap is now compromized. Thank you.”, which works just fine for me. But this is a thing that could actually happen to a system or service you would probably much prefer it didn’t. think of everything that comes with a default password in place already. Routers, any modem purchased in the last maybe 5 years, university or college email/network accounts, the afore mentioned actual work related systems, the list goes on. They don’t come with default passwords because they’re worried about John Q. User developing amnesia and not having the slightest idea what their password is. They come with default passwords because they’re usually set up automatically, usually in batches, usually for several dozen to several thousand people at once. This also means if you feel like giving it a couple months, that common, default password can and will be found on Google. Which means anyone with 5 minutes free who knows the service exists and you have access can easily also have access. Which in turn means if they decide to use that access for less than legal purposes, or less than insanely irritating purposes, it’s not them that catches hell for it–it’s your access, therefore it’s your problem. Changing that default password, preferably the second you sit down in front of the system in question and access it for the first time, significantly reduces the likelyhood of it becoming your problem. It also just so happens to be exceedingly smart thinking, since in the case of people who maybe used to have access and shouldn’t anymore, it prevents them from deciding to borrow your access to try and get back at whoever decided they no longer needed it. And you’ll have just prevented, at least temporarily, your friendly neighbourhood sysadmin from developing a few of those grey hairs. That gets you bonus points somewhere. And hey, if it’s a thing I have anything to do with and you’ve just prevented me from having to piece together a working copy of your account long enough to beat you with it before telling you you should probably change your password, I swear I’ll be your best friend for life. Which will be a lot easier if you’ve also resulted in me having one or two fewer heart attacks. Now if the rest of the world would just come along quietly we’ll have it made.