
Many IoT device and router manufacturers hardcode plaintext default passwords in their devices. Why don't they store the hashed password instead? For what functionality do they need the plaintext password?

microwth
  • What would hashing accomplish? What threats does it protect against? – schroeder Jan 23 '21 at 12:44
  • Never attribute to malice that which can be adequately explained by stupidity. – gowenfawr Jan 23 '21 at 15:35
  • Passwords are an easy technology and can be implemented fast and cheap. That is the most obvious reason. – Robert Jan 23 '21 at 19:40
  • OP, I think you are getting confused with server-side password hashing. Server-side password hashing is common, and considered to be a good security practice - but it only works because the server only needs to *verify* when a client provides a correct password, the server never needs to *provide* the password. IoT devices, on the other hand, are usually clients. So, they need to *provide* the password to authenticate with the server. Therefore, they need the actual password, not the hash of the password. – mti2935 Jan 23 '21 at 20:40
  • @mti2935 can you add your comment as an answer so I accept it? Thanks – microwth Jan 24 '21 at 13:17
  • @microwth Done (slightly edited). Thanks. – mti2935 Jan 24 '21 at 14:39
  • The correct question is not "why aren't they hashing" but "why aren't they creating a different password for each *unit*". There are deployment-at-scale issues with that but they are not insurmountable. The answer is laziness and https://www.schneier.com/blog/archives/2007/01/information_sec_1.html (TLDR: doesn't cost the vendor anything to ignore the issue). Also see my comment under the accepted answer for why I don't agree that IoT is the client when discussing in a security context. –  Jan 27 '21 at 01:42

1 Answer


I think you may be getting confused with server-side password hashing. Server-side password hashing is essential for any system worth its salt (pun intended), to prevent users' passwords from being leaked in the event that the user database is compromised. But, it only works because the server just needs to verify when a client provides a correct password; the server never needs to provide the password. IoT devices, on the other hand, are usually clients. So, they need to provide the password to authenticate with the server. Therefore, IoT devices need the actual password, not the hash of the password.

See "https security - should password be hashed server-side or client-side?" for more information on common misunderstandings about client-side password hashing.

mti2935
  • Umm no. As https://en.wikipedia.org/wiki/Mirai_(malware) says: "Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware." The IoT device is the "server" in most attack scenarios. –  Jan 27 '21 at 01:38
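The two roles the answer and the comment on it contrast, as an added example that is not part of the original thread: a device acting as the *server* for its own admin login only needs to verify a password, so it can store a salted PBKDF2 record for a per-unit password; a device acting as a *client* of a cloud service has to present the credential itself, so a stored hash does not work. The credentials, the PBKDF2 work factor and the record layout are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the original post). Illustrates the two roles the
# thread contrasts: a device that only VERIFIES logins can store a hash, while
# a device that must PRESENT a credential to a remote server cannot.
ITERATIONS = 200_000  # illustrative PBKDF2 work factor


def make_verifier(password: str) -> dict:
    """Derive a salted PBKDF2 record; this is all the checking side needs to keep."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(verifier: dict, attempt: str) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), verifier["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, verifier["digest"])


def demo() -> dict:
    """Run both roles and return the outcomes (constructed sample credentials)."""
    # Role 1: the device is the server (its own admin/telnet login). It never has
    # to send the password anywhere, so it can store a verifier for a per-unit
    # password instead of a plaintext factory default shared by every unit.
    per_unit_password = os.urandom(9).hex()          # e.g. printed on the unit's label
    device_admin_record = make_verifier(per_unit_password)

    # Role 2: the device is a client of a cloud service. The cloud keeps the
    # verifier; the device must hand over the actual password to log in.
    cloud_record = make_verifier("device-cloud-secret")   # constructed sample
    hash_only_credential = cloud_record["digest"].hex()   # what a "just hash it" design would store

    return {
        "device_as_server_accepts_owner": verify(device_admin_record, per_unit_password),
        "device_as_server_rejects_default": verify(device_admin_record, "admin"),
        "client_with_plaintext": verify(cloud_record, "device-cloud-secret"),
        "client_with_hash_only": verify(cloud_record, hash_only_credential),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```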