Weak or Default Credentials - SSH

Option 1: Implement a Strong Password Policy

Change the password on the affected account, ensure a strong password policy is in place, and train users on it. The National Institute of Standards and Technology (NIST) publishes guidance on password best practices in SP 800-63B, which includes:

- A minimum length of 8 characters for user-chosen passwords
- Screening new passwords against a blocklist of dictionary words, previously breached passwords, repetitive or sequential characters, and context-specific words such as the company or service name
- Implementing multi-factor authentication wherever it is available

For SSH in particular, the stronger fix is to disable password authentication in sshd_config and require key-based (or MFA-backed) logins, so that a weak password cannot be guessed over the network at all.

NOTE: See the full NIST publication, SP 800-63-3 (Digital Identity Guidelines); the password requirements themselves are in the companion document SP 800-63B.
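The screening rules listed above, implemented as a password checker. This is an added example, not code from the original page; the blocklist, the company names and the sample passwords are constructed for illustration, and a production deployment would load a large breached-password list in place of the small set shown.

```python
"""Password screening in the style of the NIST SP 800-63B rules above.

Added example, not code from the original page. The blocklist, company
names and sample passwords are constructed for illustration only.
"""
import re

MIN_LENGTH = 8

# Constructed stand-in for a real blocklist of dictionary words and
# previously breached passwords; load a large list in practice.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Assumed organisation names (context-specific words NIST says to reject).
COMPANY_NAMES = {"examplecorp", "excorp"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _normalise(pw: str) -> str:
    """Fold common leetspeak substitutions so 'P@ssw0rd' is matched as 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                           "$": "s", "5": "s", "!": "i"})
    return pw.lower().translate(table)


def _has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code
    point (e.g. '1234', 'abcd', 'dcba') or walk along a keyboard row ('asdf')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        codes = [ord(c) for c in window]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
        for row in KEYBOARD_ROWS:
            if window in row or window in row[::-1]:
                return True
    return False


def check_password(pw: str, blocklist=BLOCKLIST, company_names=COMPANY_NAMES) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = _normalise(pw)
    if any(word in norm for word in blocklist):
        problems.append("contains a blocklisted/dictionary word")
    if any(name in norm for name in company_names):
        problems.append("contains the company name")
    if _has_repetition(pw):
        problems.append("contains repeated characters")
    if _has_sequence(pw):
        problems.append("contains sequential characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the kind a default SSH account often ships with.
    for candidate in ("P@ssw0rd", "ExampleCorp2024!", "abcd1234", "correct-horse-battery-staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The checker deliberately enforces no composition rules (required symbols or digit counts) and no rotation period; SP 800-63B advises against both, and the leetspeak folding is what makes the blocklist catch the "P@ssw0rd"-style variants that composition rules encourage.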


Option 2: Implement a Configuration Management Process

Often, systems and applications are installed without their default credentials being changed. Implement a configuration management process, for example a build standard enforced by the provisioning tooling and verified by an automated pre-deployment check, that ensures default credentials are changed and unneeded default accounts are removed or locked before a system is deployed to a production environment.
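One form such a pre-deployment check can take for SSH hosts, as an added example that is not part of the original page: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, parsing stops at the first Match block), flags settings that leave password and root logins open, and flags shadow entries that have no password at all. The sshd_config and shadow excerpts are constructed; on a real host the check would read /etc/ssh/sshd_config (plus any sshd_config.d/*.conf it includes) and /etc/shadow.

```python
"""Pre-deployment SSH credential audit.

Added example, not code from the original page. The sshd_config and
/etc/shadow excerpts are constructed for illustration.
"""

# Values OpenSSH applies when the keyword is absent. UsePAM is 'no' in the
# upstream default, but most distribution configs set it to 'yes'.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global keyword values, keywords lower-cased.

    As in sshd, the first occurrence of a keyword wins. Parsing stops at the
    first Match block because those values apply only conditionally.
    """
    values = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            values[key] = val
    return values


def audit_sshd(values: dict[str, str]) -> list[str]:
    """Findings for settings that leave weak or default passwords exploitable."""
    def v(key: str) -> str:
        return values[key].lower()

    findings = []
    if v("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed over SSH; prefer keys")
    if v("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    if v("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with no password can log in")
    if v("passwordauthentication") == "no" and v("kbdinteractiveauthentication") == "yes" \
            and v("usepam") == "yes":
        findings.append("KbdInteractiveAuthentication yes with UsePAM yes: PAM can still prompt "
                        "for a password even though PasswordAuthentication is no")
    return findings


def audit_shadow(text: str) -> list[str]:
    """Flag accounts whose password field is empty. A field of '!' or '*' is a
    locked account, not an empty password, so it is left alone here."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if fields[1] == "":
            findings.append(f"{fields[0]}: empty password field")
    return findings


def audit_host(sshd_config: str, shadow: str) -> list[str]:
    return audit_sshd(parse_sshd_config(sshd_config)) + audit_shadow(shadow)


# Constructed 'as shipped' configuration and the hardened version beside it.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
UsePAM yes
MaxAuthTries 3
"""

# Constructed shadow excerpt: a hashed root entry, a 'deploy' account left
# without any password, and a locked service account.
SAMPLE_SHADOW = """root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
deploy::19700:0:99999:7:::
svc_backup:!:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{label}]")
        for finding in audit_host(cfg, SAMPLE_SHADOW) or ["no findings"]:
            print("  " + finding)
```

Wiring this into the provisioning pipeline so that a non-empty findings list fails the build is what turns the "change the defaults" policy into something enforced rather than hoped for. The PAM check matters because `PasswordAuthentication no` on its own is a common false sense of security: with `UsePAM yes` and keyboard-interactive enabled, the PAM password stack still accepts the same weak password.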