Detailedlikelihood: Mediumseverity: HighDraft
CAPEC-70Try Common or Default Usernames and Passwords
Abstraction
Detailed
Status
Draft
Likelihood
Medium
Severity
High
Description
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.
Related weaknesses· 7
MITRE ATT&CK crosswalk· 1
Related attack patterns· 6
Exploits7
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Reliance on a Single Factor in a Security Decisioncwe-654 | 100% | live |
| Weakness | Use of Password System for Primary Authenticationcwe-309 | 100% | live |
| Weakness | Password Aging with Long Expirationcwe-263 | 100% | live |
| Weakness | Use of Single-factor Authenticationcwe-308 | 100% | live |
| Weakness | Weak Password Requirementscwe-521 | 100% | live |
| Weakness | Not Using Password Agingcwe-262 | 100% | live |
| Weakness | Use of Hard-coded Credentialscwe-798 | 100% | live |
Related to1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| SubTechnique | Default Accountst1078.001 | 100% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.