RFC 3871           Operational Security Requirements      September 2004
   Justification.
      Plaintext passwords can be easily observed using packet sniffers
      on shared networks.  See [RFC1704] and [RFC3631] for a thorough
      discussion.
   Examples.
      Remote login requires the transmission of authentication
      information across networks.  Telnet transmits plaintext
      passwords.  SSH does not.  Telnet fails this requirement.  SSH
      passes.
   Warnings.
      None.
2.12.9.  No Default Passwords
   Requirement.
      The initial configuration of the device MUST NOT contain any
      default passwords or other authentication tokens.
   Justification.
      Default passwords provide an easy way for attackers to gain
      unauthorized access to the device.
   Examples.
      Passwords such as the name of the vendor, device, "default", etc.
      are easily guessed.  The SNMP community strings "public" and
      "private" are well known defaults that provide read and write
      access to devices.
   Warnings.
      Lists of default passwords for various devices are readily
      available at numerous websites.
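   As an added illustration that is not part of the RFC, the following
   audit routine flags the failure cases described in 2.12.8 and 2.12.9 in
   a device configuration: default SNMP community strings, passwords equal
   to "default", a vendor name or the hostname, and telnet enabled on a
   terminal line.  The IOS-like configuration syntax, the sample
   configuration and the vendor name are constructed for the example.

```python
import re

# Constructed sample configuration (not from the RFC) in a generic
# IOS-like syntax, so the checks below have realistic input.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk29!vq RO
username admin password 0 default
username ops password 0 S7r0ng-P4ss
username backup password 0 edge-rtr-1
line vty 0 4
 transport input telnet ssh
"""

# Well-known defaults named in RFC 3871 2.12.9; VENDOR is an assumed placeholder.
VENDOR = "examplevendor"
DEFAULT_COMMUNITIES = {"public", "private"}
GUESSABLE_TOKENS = {"default", VENDOR}


def audit_config(config: str) -> list:
    """Return one finding string per configuration line violating 2.12.8 or 2.12.9."""
    findings = []
    hostname = None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"hostname\s+(\S+)", line)
        if m:
            hostname = m.group(1).lower()  # device name is a guessable token too
            continue
        m = re.match(r"snmp-server community\s+(\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"line {lineno}: default SNMP community '{m.group(1)}' (2.12.9)")
            continue
        m = re.match(r"username\s+(\S+)\s+password\s+\d+\s+(\S+)", line)
        if m:
            pw = m.group(2).lower()
            if pw in GUESSABLE_TOKENS or pw == hostname:
                findings.append(f"line {lineno}: guessable password for user '{m.group(1)}' (2.12.9)")
            continue
        m = re.match(r"transport input\s+(.+)", line)
        if m and "telnet" in m.group(1).split():
            findings.append(f"line {lineno}: telnet transmits plaintext passwords (2.12.8)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```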
2.12.10.  Passwords Must Be Explicitly Configured Prior To Use
   Requirement.
      The device MUST require the operator to explicitly configure
      "passwords" prior to use.
Jones                        Informational                     [Page 60]