Author Topic: "Admin" is a BAD user name for anything! Change t!  (Read 6671 times)

app103

"Admin" is a BAD user name for anything! Change t!
« on: April 14, 2013, 01:30 AM »
If your login name for WordPress (or anything else) is "Admin", you really should change that for security reasons.

I logged into cPanel on 2 of my domains (same web host), to see this notice at the top of the page.

Screenshot - 4_14_2013 , 1_56_27 AM.png

The page they reference in the screenshot is this one: http://blog.cloudfla...ing-the-wordpress-br

If you have been stupid enough to keep the default login of "admin" enabled on anything, do whatever you have to do to change it ASAP! Unless you'd really enjoy getting hacked, that is.

Keeping default login names or passwords on anything is BAD SECURITY!

kunkel321

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #2 on: April 14, 2013, 12:20 PM »
This is mostly true only for web-based stuff--yes?

My work computer has some installed-onto-the-c-drive, non-networked utilities that still have "admin" as the login. 

barney

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #3 on: April 16, 2013, 12:40 AM »
Unfortunately, Admin is default for a lot.  And, while you can log to a new username, Admin is not disabled in most cases.  Routers come to mind, as well as a few other items of hardware  :(.  Unless you can actually disable the Admin user name, you're pretty much out of luck.  Had to nearly break my wi-fi in order to prevent an interloper from logging in with the default provided - on a number of Web sites  :o! - as an emergency access.  Prolly easier with Web-based, but don't think there're any guarantees  :huh:.

Edvard

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #4 on: April 16, 2013, 01:36 AM »
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:

*EDIT* I meant to say "admin username" instead of password.  :-[
« Last Edit: April 17, 2013, 10:30 PM by Edvard »

Carol Haynes

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #5 on: April 16, 2013, 03:02 AM »
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)

May change the password but a lot of routers don't change the default user name - hell some routers don't even have a user name - just a password.

barney

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #6 on: April 16, 2013, 03:24 AM »
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)

Yep.  Most of 'em do.  But they don't let ya change the username.  There's a back door built in to most hardware - and a lot of software! - so that the vendor can tell you how to recover if you have a memory lapse - read, screw things up - and maintain their pristine reputation.

Back when I was overseas - Asia, mid-sixties, combat pending - a captain in charge of our group misplaced a password, i.e., he lost the scrap of paper it was on.  He had to contact what was then the equivalent of IT today, and IT promptly got him straightened out, restored his access.  They had a back door  :o.  (Mind, this was a radio network, not PC, but the principle ...)

I've encountered software issues where a user was locked out because of a forgotten password.  In every case but one (1), the vendor was able to provide a way back in.  That single case was such that no one - at that time  :huh: - could crack the database involved, not even the vendor.  And it was clearly stated in the documentation that if you lost your login, your data couldn't be recovered.  However, in every other instance, hardware or software, I've been able to contact the vendor, provide requisite bona fides, and regain access for the client.

If you cannot change the Admin username, any hacker is halfway to cracking the system involved.  Brute force and a decent dictionary can still resolve ninety percent of passwords when Admin is still a viable username.

app103

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #7 on: April 16, 2013, 07:20 AM »
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)

Mine allowed login with default on first login, then demanded I set a user and pass for access, not allowing me to move on to what I logged in for, until setting that up. And once set up, the default no longer works.

Yep.  Most of 'em do.  But they don't let ya change the username.  There's a back door built in to most hardware - and a lot of software! - so that the vendor can tell you how to recover if you have a memory lapse - read, screw things up - and maintain their pristine reputation.
-barney (April 16, 2013, 03:24 AM)

Mine is easy to bypass in that case, but only if you have physical access to the router. A paper clip in the back to reset it to factory defaults will do the trick, but there will be no normal internet access beyond the ISP's new user start page until you log in with your account, download and install their custom stuff, and set everything up again. So a name/pass is still required.  ;)

If you cannot change the Admin username, any hacker is halfway to cracking the system involved.  Brute force and a decent dictionary can still resolve ninety percent of passwords when Admin is still a viable username.
-barney (April 16, 2013, 03:24 AM)

In the case of WordPress, it's not enough to not create the admin name as something else other than "admin" in the first place (WordPress won't allow you to make a user name change later). You need to create at least a 2nd admin account and delete the first one, regardless of the user name chosen, or you risk getting locked out of your blog if it is attacked, and having to reset your password.

User ID 1 is the first created, first admin, and most targeted account, for things like SQL injections with the intent to change the password. If successful and the account name is "admin" then it's an easy in, without a brute force dictionary attack. They know the name (admin) and the password (they changed it themselves). If the account name is other than admin though, they don't have as easy of a time, but you still end up locked out.

If the account ID is something other than 1, it makes it a little harder, and you'll be less likely to end up locked out. Now they have to start guessing the ID, and maybe the user name too, since a default "admin" account no longer exists. Yes, there are ways to easily figure that stuff out too (in most cases), but it takes more time and is a bit more trouble, and unless the hacker is targeting your blog specifically, not as likely to happen, when there are so many other easier targets to hit with an automated attack.

There is a lot one can do to protect a WordPress blog, but people need to take the time to read and do the stuff required. A rough estimate of the time required to truly beef up the security on a WP blog is about 5 hours, if you have never done it before, and do everything in this checklist. Use the online version if you don't want to go through the registration to download the pdf. It's always the most up to date. Registration gets you an email notice of any changes to the checklist, though, so once done, it's a good idea, anyway.  ;)

And the first step in that checklist/tutorial is how to set up automation of backups, and how to have them automatically stored offsite is also covered at some point.
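
An added example, not part of app103's post: a small audit for the two account conditions described above (a login named "admin", and user ID 1 still being an administrator). It assumes a user export in the CSV shape that WP-CLI's `wp user list` produces; the sample rows, the constant names and `audit_users` are constructed for illustration.

```python
import csv
import io

# Constructed sample in the shape WP-CLI emits for
#   wp user list --fields=ID,user_login,roles --format=csv
# (using WP-CLI is an assumption; the thread does not mention it).
SAMPLE_EXPORT = '''ID,user_login,roles
1,Admin,administrator
2,jane_editor,editor
7,site-owner,"administrator,editor"
9,admin2,subscriber
'''

# Constructed: the same site after a new administrator was created
# and the first account was deleted.
HARDENED_EXPORT = '''ID,user_login,roles
2,jane_editor,editor
7,site-owner,"administrator,editor"
9,admin2,subscriber
'''

DEFAULT_LOGINS = {"admin"}  # the default name the thread warns about
DEFAULT_NAME = "default login name in use"
FIRST_ADMIN = "user ID 1 still holds the administrator role"


def audit_users(export_text):
    """Return (user_id, login, finding) tuples for accounts worth fixing."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user_id = int(row["ID"])
        login = row["user_login"].strip()
        # A user can hold several roles; the CSV quotes them as one field.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}

        # Exact match after lowercasing: "Admin" is flagged, "admin2" is not.
        if login.lower() in DEFAULT_LOGINS:
            findings.append((user_id, login, DEFAULT_NAME))
        if user_id == 1 and "administrator" in roles:
            findings.append((user_id, login, FIRST_ADMIN))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_EXPORT), ("after", HARDENED_EXPORT)):
        print(label, audit_users(text) or "no findings")
```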

Edvard

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #8 on: April 17, 2013, 10:28 PM »
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)
May change the password but a lot of routers don't change the default user name - hell some routers don't even have a user name - just a password.
-Carol Haynes (April 16, 2013, 03:02 AM)

Aargh!! Dammit, I meant to say change the USERNAME, which it did allow and as I recall, it was actually part of the initial setup process to change the default username along with the password. :-[

I've encountered software issues where a user was locked out because of a forgotten password.  In every case but one (1), the vendor was able to provide a way back in.  That single case was such that no one - at that time  - could crack the database involved, not even the vendor.  And it was clearly stated in the documentation that if you lost your login, your data couldn't be recovered.
-barney (April 16, 2013, 03:24 AM)

My chosen email provider - Lavabit.com - has just such a policy:

http://lavabit.com/secure.html
In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles user’s inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand.

Lavabit has developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it. We felt that this technical protection was necessary in addition to our Terms of Use and privacy policies.
...

« Last Edit: April 17, 2013, 10:35 PM by Edvard »

J-Mac

Re: "Admin" is a BAD user name for anything! Change t!
« Reply #9 on: April 19, 2013, 11:40 PM »
My ASUS RT-N16 router comes with the username "admin" and while I was able to change the password it does not allow changing the username.   >:(

(Damn thing continually drops wireless connections for the past week, too!   :mad:  )

Jim