Out in the wild, vulnerabilities are not only exploited through advanced attacks or complex malware. Sometimes they stem from issues as simple as default passwords. Despite years of warnings from security practitioners, many systems still ship with and keep their factory credentials, leaving a very easy target for attackers. To address this risk, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has laid out guidance within its Secure by Design initiative, urging vendors to ditch the defaults and build secure systems from the ground up.

Why Default Passwords Are a Threat

Default passwords are pre-configured by manufacturers during production to simplify initial setup. Because these credentials are usually simple and identical across every unit of a product line, they give attackers a ready-made key: there is nothing to crack, since the value can be looked up, and a short script can try the same handful of username and password pairs against thousands of exposed devices. Any data or control the device holds is then compromised without a single software vulnerability being involved.

Publicly Available Credentials: Many default passwords are publicly documented in user manuals or easily searchable online, enabling malicious actors to bypass authentication without sophisticated hacking techniques.

Uniformity of Access: When default passwords are not changed, one credential unlocks many systems, so attackers can scale a single weakness across entire fleets or networks. The 2016 Mirai botnet, which took over hundreds of thousands of internet-facing devices using a hard-coded list of roughly sixty factory username and password pairs, is the canonical example.

Supply Chain Risk: Components and embedded devices that ship with default credentials carry that weakness into every product built on top of them. The integrator may not even know the default exists, so it can remain exploitable long after the finished system reaches its end user, magnifying the risk of a breach.

Aligning Avant with CISA’s Secure by Design Principles

CISA’s Secure by Design initiative emphasizes that security should not be an afterthought but built into the software and systems from their very inception. Here’s how we’re building our systems at Avant to support that vision:

Securing Authentication from the Start

Avant is prioritizing strong, unique, and well-protected credentials at the inception of an account. This means that we’re:

  • Enforcing unique passwords for each new account.
  • Requiring immediate password changes upon first use, ensuring users don’t operate with default credentials.
  • Implementing password strength checks to ensure all new credentials meet robust security standards.

Reducing the Burden on Users

CISA’s guidelines encourage reducing complexity for users while maintaining security. To align with the Secure by Design Principles, Avant is:

  • Not relying on users to reset or rotate passwords by hand; password policies are enforced automatically by the system.
  • Using a password generator to create a new, unique password for each account rather than a shared starting value.
  • Requiring every team member to use a password manager so that credentials for our internal systems are stored safely.
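To make the two lists above concrete (a unique generated initial credential, a forced change on first login, and a strength check on the replacement), here is an added Python sketch. It is not Avant's code; the minimum length, the denylist, and the function and field names are assumptions made for the illustration. The strength check follows the NIST SP 800-63B approach of screening candidates against a list of known defaults and common passwords rather than imposing composition rules.

```python
"""Added example: provisioning accounts without default passwords.

Not Avant's code. MIN_LENGTH, DENYLIST and all names below are assumptions.
"""
from __future__ import annotations

import hashlib
import os
import secrets
from dataclasses import dataclass

# Constructed denylist of factory-style defaults and common passwords.
# A real deployment would screen against a large breached-password corpus.
DENYLIST = {"admin", "password", "123456", "changeme", "welcome", "default", "letmein"}
MIN_LENGTH = 12  # assumed policy value


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = True  # set on creation, cleared after first change


def check_policy(username: str, candidate: str) -> list[str]:
    """Return the policy violations for a candidate password (empty means acceptable)."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Strip trailing digits/punctuation so "Password1!" still matches "password".
    if lowered in DENYLIST or lowered.rstrip("0123456789!@#$") in DENYLIST:
        problems.append("appears on the default/common password denylist")
    if username.lower() in lowered:
        problems.append("contains the username")
    return problems


def provision_account(username: str) -> tuple[Account, str]:
    """Create an account with a random, per-account, one-time initial password.

    The plaintext is returned exactly once for out-of-band delivery to the user;
    only the salted hash is kept, and the account is flagged for a forced change.
    """
    initial = secrets.token_urlsafe(12)  # 96 bits of entropy, different every call
    salt, digest = hash_password(initial)
    return Account(username, salt, digest, must_change_password=True), initial


def verify_password(account: Account, password: str) -> bool:
    _, digest = hash_password(password, account.salt)
    return secrets.compare_digest(digest, account.digest)


def login(account: Account, password: str) -> str:
    """'denied', 'change_required' (initial credential still in use) or 'ok'."""
    if not verify_password(account, password):
        return "denied"
    if account.must_change_password:
        return "change_required"
    return "ok"


def change_password(account: Account, current: str, new: str) -> list[str]:
    """Apply a change. Returns [] on success, otherwise the reasons it was rejected."""
    if not verify_password(account, current):
        return ["current password is incorrect"]
    problems = check_policy(account.username, new)
    if new == current:
        problems.append("same as the current password")
    if problems:
        return problems
    account.salt, account.digest = hash_password(new)
    account.must_change_password = False
    return []


if __name__ == "__main__":
    acct, initial = provision_account("jdoe")
    print("initial credential (deliver out of band):", initial)
    print(login(acct, initial))                       # change_required
    print(change_password(acct, initial, "admin"))   # rejected: short, denylisted
    print(change_password(acct, initial, "correct horse battery staple"))  # []
    print(login(acct, "correct horse battery staple"))  # ok
```

The point of the flag on the account record, rather than a check in the UI, is that every code path that authenticates sees it: an API client that skips the web login page still cannot keep using the initial credential.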

The Path Forward

While eliminating default passwords is a key step in the Secure by Design approach, we must consider future-proofing authentication. We’re partnering with schools to implement single sign-on for our systems where organizations support it. This will help eliminate the burden of password fatigue and ease the use of our products. By focusing on more secure forms of identity verification, we can better protect our users and their data.

Avant’s Secure by Design Commitment

Avant is dedicated to adhering to the highest cybersecurity standards. As part of our Secure by Design pledge, we are phasing out default passwords across all platforms, implementing strong password policies, and encouraging multi-factor authentication. We are also looking ahead at how the cybersecurity landscape is changing and exploring options such as passwordless authentication to further improve both the security and the convenience of our systems.

By embracing these measures, our users are better protected against common and emerging threats, all while delivering the seamless experience they expect. Staying secure means more than just reacting to incidents—it means being proactive from the start.

Check out our related posts below for more on Avant’s commitment to cybersecurity.
