Anyone remember a few years ago when we had a small worm that affected SQL Server? I never had a problem with any of the SQL Server instances under my management for one simple reason. I didn't have a blank sa password, which was the default at that time for SQL Server 2000. Plenty of other instances in my company, including thousands of MSDE instances, were affected, as were many instances around the world. Since then Microsoft has tightened security in their products, especially SQL Server. If you want a blank sa password in SQL Server now you need to check the "yes-I'm-really-an-idiot" box in order to bypass the password entry dialog.

However some other companies haven't learned, or haven't bothered to improve their software. A new worm is attacking manufacturing software from Seimens, and the guidance from the vendor is to "not change the password" because it will break things. I used to test Oracle instances by inputting the default "System" and "Manager" accounts on instances to see if they worked. I was always amazed by how many places kept default accounts and passwords in place.

That's incredibly stupid, and unless some CIOs start holding vendor's feet to the fire regardig stupid practices like this, it will continue. A quick search on the Internet will find you lists of default accounts, which exist because they commonly exist in so many companies. Default passwords are good for initial installation, or for hardware resets, but a common practice should be to immediatly change passwords.

Mike Walsh wrote a nice blog recently that talked about some things that vendors should do to produce better software running on SQL Server. I also found a nice article this week that talks about how simple some security practices can be, but many businesses don't bother to implement them. Ultimately I think it comes down to each person taking it upon themselves to learn some basic security practices, and then ensuring that they are implemented at your company. Make it a point to educate your management about the risks of default passwords and ensure there is a password management system in place, such as Password Safe of KeePass inside your company. Ask your CIO or VP to pressure software vendors to comply with best practices for security inside their software.

If we can build secure software ourselves that follow best practices, independent vendors should be able to as well.

Steve Jones