[87843] in North American Network Operators' Group
Re: Cisco, haven't we learned anything? (technician reset)
daemon@ATHENA.MIT.EDU (Bill Nash)
Thu Jan 12 13:53:11 2006
Date: Thu, 12 Jan 2006 11:00:10 -0800 (PST)
From: Bill Nash <billn@bacchus.billn.net>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.62.0601121010260.20115@qentba.nf23028.arg>
Errors-To: owner-nanog@merit.edu
Just as an offshoot discussion, what's the state-of-the-art for AAA
services? We use a modified tacacs server for multi-factor
authentication, and are moving towards a model that supports
single-use/rapid expiration passwords, with strict control over when and
how local/emergency authentication can be used.
I'd be interested in that discussion, on or offlist.
- billn
On Thu, 12 Jan 2006, Rob Thomas wrote:
>
> Hi, NANOGers.
>
> ] On the other hand, the most common practice to hack routers today, is
> ] still to try and access the devices with the notoriously famous default
> ] login/password for Cisco devices: cisco/cisco.
>
> This is NOT a default password in the IOS. The use of "cisco" as
> the access and enable passwords is a common practice by users, but
> it isn't bundled in the IOS. I've heard it began in training
> classes, where students were taught to use "cisco" as the
> passwords.
>
> Oh, and for those of you who think it mad leet to use "c1sc0" as
> your access and enable passwords, the miscreants are on to that as
> well. ;)
>
> We've seen large, massively peered and backbone routers owned
> through this same technique. We've even seen folks who have
> switched to Juniper, yet continue to use "cisco" as the login and
> password. :(
>
> The nice thing about cooking up blame is that there is always
> enough to serve everyone.
>
> Thanks,
> Rob.
> --
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);
>