[87862] in North American Network Operators' Group


Re: Cisco, haven't we learned anything? (technician reset)

daemon@ATHENA.MIT.EDU (Jay Hennigan)
Thu Jan 12 20:41:32 2006

Date: Thu, 12 Jan 2006 17:40:36 -0800
From: Jay Hennigan <jay@west.net>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.62.0601121656350.11476@sokol.elan.net>
Errors-To: owner-nanog@merit.edu


william(at)elan.net wrote:

> 
>> Actually, and fairly recently, this IS a default password in IOS.  New 
>> out-of-box 28xx series routers have cisco/cisco installed as the 
>> default password with privilege 15 (full access).  This is a recent 
>> development.
> 
> 
> This is hardly only Cisco's problem. Most office routers I've dealt with
> also come with default username/password and on occasions when I dealt
> with existing installations those passwords have rarely been changed.

True.  However I much prefer the old way that Cisco did it.  No default 
passwords on the box at all.  But, no remote administration at all until 
a password was set on the console.

Now, there is a default cisco/cisco.  Newbie admin creates a new 
user/pass, tests, thinks it's secure, fails to remove the default, game 
over.

> What should really be done (BCP for manufacturers ???) is have default
> password based on unit's serial number. Since most routers provide this
> information (i.e. it's preset on the chip's EPROM) I don't understand
> why it's so hard to just create a simple function as part of software to 
> use this data if the password is not otherwise set.

The old-school Cisco way works for me.  Default is no password if you 
have physical access, but no remote access.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323
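
The failure mode described in the message above (a new user is created, but the shipped cisco/cisco account is never removed) can be checked for mechanically. The following Python audit is an added example, not part of the original message: the sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed IOS-style configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname branch-rtr
username cisco privilege 15 password 0 cisco
username netadmin privilege 15 secret 5 CONSTRUCTED-HASH-PLACEHOLDER
line con 0
line vty 0 4
 login local
 transport input telnet ssh
"""

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")

def parse_users(config):
    """Map each configured username to its privilege level (IOS default is 1)."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            name, priv = m.groups()
            users.setdefault(name, 1)
            if priv:
                users[name] = int(priv)
    return users

def vty_uses_local_login(config):
    """True if a 'line vty' block authenticates against the local user list."""
    in_vty = False
    for line in config.splitlines():
        if not line.startswith(" "):      # a new top-level stanza begins
            in_vty = line.startswith("line vty")
        elif in_vty and line.strip() == "login local":
            return True
    return False

def audit(config, default_user="cisco"):
    """Report the shipped default account if it survived provisioning."""
    users = parse_users(config)
    if default_user not in users:
        return []
    msg = f"default account '{default_user}' still present at privilege {users[default_user]}"
    others = sorted(u for u in users if u != default_user)
    if others:
        msg += f"; other accounts were added ({', '.join(others)}) but the default was not removed"
    if vty_uses_local_login(config):
        msg += "; vty lines use 'login local', so it is accepted for remote login"
    return [msg]
```

Running `audit()` over each saved configuration after provisioning catches the case where the new account works in testing while the default one is still live.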
