Home > CAPEC List > CAPEC-70: Try Common or Default Usernames and Passwords (Version 2.11)  

CAPEC-70: Try Common or Default Usernames and Passwords

Try Common or Default Usernames and Passwords
Definition in a New Window Definition in a New Window
Attack Pattern ID: 70
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords.

Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.

+ Attack Prerequisites
  • The system uses one factor password based authentication.

    The adversary has the means to interact with the system.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Brute Force
+ Examples-Instances


User Bob sets his password to "123" or literally leaves his password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.


Cisco 2700 Series Wireless Location Appliances (version and earlier) have a default administrator username "root" with a password "password". This allows remote attackers to easily obtain administrative privileges.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known.

+ Resources Required

Technology or vendor specific list of default usernames and passwords.

+ Probing Techniques

Try to determine what products are used in the implementation of the system. Determine if there are any default accounts associated with those products.

+ Indicators-Warnings of Attack

Many incorrect login attempts are detected by the system.

+ Obfuscation Techniques

Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer.

+ Solutions and Mitigations

Delete all default account credentials that may be put in by the product vendor.

Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.

Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.

Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Gain privileges / assume identity
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-InstancesInternal
Previous Entry Names
DatePrevious Entry Name
2017-08-04Try Common(default) Usernames and Passwords

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017