[EAS] EAS Zombie Attack
Alex Hartman
goober at goobe.net
Tue Feb 12 14:36:32 CST 2013
Then do like most email servers do, minimum 6 characters, one capital,
one punctuation, and have the software keep a small database of
previous passwords of the past 5 used (one way encrypted, typical md5
based) and have the password expire after 180 days. If you can't
remember the password to your EAS box for 6 months, then you're not
looking at it often enough.

What the boxes *should* do on first boot is force you to change the
default password before even letting you enter the call letters.
Again, a very simple thing to do. I can't tell you how many
machines/wifi/network gear I've run into still using default settings,
including a wifi access point down the road from me. They changed the
SSID to "hackme"... linksys login (admin/admin), changed it to
"ChallengeAccepted". 2 days later it was back to linksys, with default
user and pass.

Basic IT security is no excuse for not being able to keep track of
"h3ll0w0r1d" as a password. I'm sure most of you 50-somethings have
things more complex than that.
--
Alex Hartman
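
The policy described in the message above (6-character minimum, one capital, one punctuation mark, a history of the last 5 passwords, 180-day expiry, forced change of the default on first boot), as an added example that is not part of the original post or any EAS vendor's code. The `Account` class, the `admin` default and the status strings are hypothetical, and salted PBKDF2 is used in place of the MD5 hash the message mentions.

```python
import hashlib, hmac, os, string
from datetime import timedelta

MIN_LEN, HISTORY, MAX_AGE = 6, 5, timedelta(days=180)  # limits from the message
DEFAULT_PASSWORD = "admin"  # assumed factory default, constructed for the example

def _digest(password, salt):
    # Salted PBKDF2 is swapped in here for the MD5 hash the message mentions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, now):
        self.history = []        # (salt, digest) pairs, current password last
        self.must_change = True  # first boot: the default must be replaced
        self._store(DEFAULT_PASSWORD, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        entry = (salt, _digest(password, salt))
        self.history = (self.history + [entry])[-(HISTORY + 1):]  # current + 5 previous
        self.changed_at = now

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def policy_errors(self, password):
        errors = []
        if len(password) < MIN_LEN:
            errors.append("too short")
        if not any(c.isupper() for c in password):
            errors.append("no capital letter")
        if not any(c in string.punctuation for c in password):
            errors.append("no punctuation")
        if any(self._matches(password, e) for e in self.history):
            errors.append("reused a recent password")
        return errors

    def change_password(self, password, now):
        errors = self.policy_errors(password)
        if not errors:
            self._store(password, now)
            self.must_change = False
        return errors

    def login(self, password, now):
        if not self._matches(password, self.history[-1]):
            return "denied"
        if self.must_change:
            return "change-required"  # block setup (e.g. call letters) until changed
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```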