Today’s organizations rely on numerous business applications, web services, and custom software solutions to meet business communications and other transaction requirements.
Typically, multiple applications frequently require access to databases and other applications to query business-related information. This communication process is usually automated by embedding the application’s credentials in unencrypted text in configuration files and scripts.
Administrators often find it difficult to identify, change, and manage these credentials. As a result, passwords remain unchanged, which may lead to unauthorized access to confidential systems.
Thus, hardcoded passwords can facilitate the work of technicians, but can also be an easy entry point for malicious agents. Keep reading the text and learn more about what hardcoded passwords are and how to manage this feature with security.
What Are the Risks of Using Hardcoded Passwords?
Data breaches are one of the scariest threats to a company. Exposure of sensitive data, whether by accident or by criminals, can lead to loss of competitive advantage and even fines in case of exposure of personal information.
According to IBM’s report, the global average cost of a data breach for an organization costs about $3.86 million in 2020, with an increase from about $1 million to $4.77 million if the breach is due to an employee’s compromised credentials.
In this scenario, companies are making large investments to reduce their attack surface and prevent possible data breaches. However, there is one threat that is usually underestimated among the many threats that need to be taken care of, although it possibly compromises the life of an entire company: hardcoded passwords.
Passwords encoded in a public codebase can be compared to closing the door of a house and forgetting the key in the lock: this is the most direct and obvious way to cause a data breach, in fact, hardcoded credentials do not need any specific skill to be exploited.
Following other risks associated with hardcoded passwords, there is the fact that many applications or devices can share the same hardcoded password. As a result, guessing the password can allow cybercriminals to connect to and control all other devices or apps that use the same password.
Unfortunately, guessing or learning the embedded combination may be easier than you think. Many developers share their code on GitHub and websites without realizing that by doing so, they can reveal passwords in plain text.
Of course, cybercriminals are also aware of this, so it may just be a matter of time before they find the shared passwords accidentally. Not to mention that various malicious apps and tools can force the password of the app or device, so keeping it encoded in the source code is always a risk.
How Are Hardcoded Passwords Used and Where Are They Found?
Passwords are everywhere. Sometimes they are apparent, encoded in code or configuration files. Other times, they take the form of API keys, tokens, or cookies.
Because they pose a security risk, there is no other way to say this: hardcoded passwords need to be deleted.
Hardcoded passwords are a practice used by developers when building a webpage or application. Using this practice, developers embed important information (passwords and other secret data) into the code language (rather than obtaining the passwords from external sources or generating them when needed).
As a result, encoded credentials contain passwords and other important secrets, and while they are not visible from the outside, they are almost very obvious and easy to find in the code language, which makes them a major security risk.
Within your business, you may have found hardcoded passwords in some ways, including:
Setting up and establishing a new system.
- API and system integration.
- Creating encryption or decryption keys.
- To define privileged access.
- To simplify application-to-application or application-to-database communication.
Hardcoded passwords can be found at:
- Software applications, both on-premises and hosted in the cloud.
- BIOS and other firmware on computers, mobile devices, printers, and servers.
- DevOps applications.
- Networks that include routers, switches, and a multitude of other control systems.
- Mobile devices enabled for IoT and the internet.
Hardcoded passwords are not encrypted. This is exactly why they represent a critical security flaw.
What Are Examples of Security Incidents Involving Hardcoded Passwords?
Passwords remain by far the most widely used method for authenticating users in applications and systems, despite the long-standing efforts of technology industry leaders to find more secure alternatives.
The increasing number of attacks involving theft or compromised credentials over the past few years has focused more attention on ways to enhance the security of password-based authentication mechanisms.
Despite all the efforts of security professionals, cybersecurity incidents involving hardcoded credentials still occur. Below are the most well-known cases worldwide involving this problem.
Mirai malware, which gained prominence in late 2016 (although it may have been active years before), verifies Telnet service on Linux-based IoT boxes with Busybox (such as DVRs and WebIP cameras) and on stand-alone Linux servers.
Then, through a brute force attack, it applies a table of 61 hardcoded default usernames and passwords to attempt a login.
Mirai and its variants have been used to assemble huge botnets of IoT devices, up to about 400,000 connected devices, without the knowledge of most of its owners.
Mirai-related botnets have carried out some of the most disruptive DDOS attacks ever seen, with victims such as French Telecom, Krebs on Security, Dyn, Deutsche Telekom, Russian banks, and the country of Liberia.
While Mirai’s attacks were most notable for causing business downtime, Uber violation resulted in the exposure of information from 57 million customers, as well as about 600,000 drivers.
As with Mira, the hardcoded credentials were faulty. An Uber employee has published plain text credentials in the source code that was posted to Github, which is a popular repository used by developers.
An experienced malicious hacker simply found the credentials embedded in GitHub and used them to gain privileged access to Uber’s Amazon AWS instances.
What Are the Best Practices and Solutions for Hardcoded Password Management?
Many companies are aware of the problem posed by hardcoded credentials and know that passwords must be managed carefully. So here’s a list of best practices for managing hardcoded passwords in your IT environment.
Discover and Identify All Types of Passwords
Trying to find out if the hardcoded credentials are being used in the code is a good first step. The use of unencrypted text credentials also occurs in configuration files, infrastructure such as code, and containers.
Discover and identify all types of passwords, keys, and other secrets throughout your IT environment and place them under centralized management. Continually discover and integrate new secrets as they are created.
In addition to being a possible security exposure, the use of hardcoded passwords can affect cyber resilience. Besides gaining visibility into their use, it is best to properly govern and protect the use of credentials to improve security and resilience.
Attention to DevOps Tools
Delete hardcoded and embedded passwords in DevOps tool settings, build scripts, code files, test builds, production builds, applications, and more.
A best practice is to use a secret server or a credential vault to manage all kinds of secrets, such as passwords and SSH keys. This approach provides an API that gives access to policy-based secrets and eliminates the need to store credentials in unencrypted text in applications/configuration files/services.
Manage hardcoded credentials permanently, such as through API calls, and apply password security best practices. Deleting standard and hardcoded passwords effectively removes dangerous backdoors from your environment.
Create and Use Strong Passwords
Apply password security best practices, including length, complexity, exclusivity expiration, rotation, and more across all types of passwords.
Credentials, if possible, should never be shared. If a credential is shared, it must be changed immediately. Credentials for more sensitive tools and systems should have more rigorous security parameters, such as single-use passwords and rotation after each use.
Monitor Privileged Sessions
Apply privileged session monitoring to record, audit, and monitor all privileged sessions (for accounts, users, scripts, automation tools, and others) to improve oversight and accountability.
This may also involve capturing keys and screens (allowing live viewing and playback). Some business privilege session management solutions also allow IT teams to identify suspicious session activity in progress and to pause, block, or terminate the session until the activity can be properly assessed.
Manage Third-Party Credentials
Extend credential management to third parties and ensure partners and suppliers are compliant with credential use and management best practices.
Leverage threat analysis to continually analyze the use of credentials to detect anomalies and potential threats. The more integrated and centralized credential management is, the better you can report accounts, key applications, containers, and systems exposed to risk.
With the speed and scale of DevOps, it is crucial to create security in the DevOps culture and lifecycle (from the beginning, design, construction, testing, launch, support, and maintenance).
Adopting a DevSecOps culture means that everyone shares responsibility for security, helping to ensure accountability and alignment across teams. In practice, this should imply ensuring that best practices for secret management are in place and that the code does not contain embedded passwords.
Correct credential and secret management policies, supported by effective processes and tools, can make it much easier to manage, transmit and protect secrets and other inside information.
What Are the Next Steps to Manage Hardcoded Passwords?
You are probably wondering why people are still using hardcoded passwords. The main answer is because it is easier to do, and keeps the coding process less complicated.
In addition, hardcoded passwords are made to never be changed, therefore, they represent a part of the code language. Many developers fear changing them so as not to interrupt different types of operations within the system.
If you take into account that a medium-sized organization may have hundreds or thousands of passwords and other secret data spread across all devices, applications, and systems, you can assume that it is not an easy process to fix hardcoded credentials.
A PAM (Privileged Access Management) solution helps improve application security posture by reducing human error, automating security-related tasks, and improving perception and governance.
As for changing credentials, it is possible to schedule automatic rotation and impose the use of strong and exclusive credentials without the need to intervene manually in all applications that use them.
senhasegura allows the easy removal of passwords and hardcoded credentials from data sources through scripts, application codes, configuration files, and SSH keys via servers. The password vault connects to the main servers and synchronizes the password change with the database. The application, therefore, does not lose connection.
The integrated application can access the senhasegura API at any time and receive the updated password of the resource to be accessed. In this way, this critical data will be inaccessible to all attackers and malicious users.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.