No Defaults Passwords Ever

I appreciate default passwords on systems. Often, for routers or other devices, I might need a way to connect initially. Or, if I perform a hardware reset, I want some password that I can use to reconfigure things. However, I am pretty good (not perfect, but really good) at changing those passwords to something else. It drives my wife slightly crazy at times, but I save the passwords and stick them in a manager I share with her periodically.

SQL Server doesn't store a default password when you install it. If you enable the sa account, you need to create your own password. I primarily deal with containers, and I always set one, usually my own default. However, lots of software either allows a blank password or has a default password set on installation. Oracle even lists theirs in docs. That's not the worst idea if sysadmins change them, but if they don't, it's a threat vector for attackers. I was working with a customer last year who had an Oracle database. I asked them to try a default user/pwd as a test and it worked. I think my head was slowly shaking for the rest of the call.

Recently, Silicon Valley saw the result of a default password not being changed when someone hacked the crosswalk signals and uploaded fake audio files that played when the signals changed. The vendor (not surprisingly) advised the city to change the passwords to something strong. A somewhat harmless prank, but it's possible that someone might have made a more nefarious change.

It's 2026. We know there are people out there with malicious intentions, as well as those whose prank goes sidesways and have unexpected side effects. There isn't a good reason to keep default passwords anywhere, including in your own personal devices. These days, connectivity among many systems is a reality with network, Bluetooth, NFC, and who knows what other connections are possible. Your personal devices ought to have defaults changed for your own protection.

Inside organizations, it can be worse as the weakest link can be exploited to gain access to other systems. Quite a few hacks started in test systems and progressed to accessing production data. Even places we might not expect to be problematic, such as version control systems, have been used by hackers to gain access.

To me, finding a default password is worthy of a reprimand and a note in whoever's file forgot to change it. A second offense ought to lead to a suspension at a minimum and possibly termination. This is such a low bar of required security that I can't think of a good excuse to allow it anywhere.

Steve Jones - SSC Editor

Join the debate, and respond to the editorial on the forums

Redgate Flyway’s January update brings faster drift resolution, AI-powered deployment descriptions, and a look back at everything we shipped in 2025. Plus, we want to hear from you about how you’re managing database changes.

SQL Prompt’s January release brings support for Microsoft Fabric and an exciting new preview feature.

Entity Framework Code First is great for development, but its abstractions can hide risky database changes until deployment. This article explores three practical EF–Flyway hybrid workflows that add visibility and control, helping teams stabilize deployments for complex, legacy databases such as monoliths.

More than a decade after Aaron Swartz’s death, the United States is still living inside the contradiction that destroyed him. Swartz believed that knowledge, especially publicly funded knowledge, should be...

GPT-5.2 Pro delivers a Lean-verified proof of Erdo...

Running tSQLt unit tests is great from Visual Studio but my development workflow isn’t just write tests, run tests, fix tests, run tests anymore, it is 2026 and... The...

It's 2am. Your phone wakes you. Rub your eyes, check your email, and there it is:

This is another part in my series designed to offer guidance around common issues in SQL Server. Today, let’s talk about the all-too-common error: invalid length.

We started receiving alerts that a client’s SQL ...

SQL Server 2025 introduces a new Resource Governor...

I detail issues we experienced (and maybe should have expected) while upgrading to SQL Server 2025.

SQL Server 2025 went GA in November. The upgrades ...

When a query is slow, it is often caused by inefficient access to the data. So our tuning work very frequently comes down to figuring out how data was...

AI in Snowflake is powerful.AI in Snowflake withou...

With the retirement of the Data Migration Assistant (DMA) on July 16, 2025, and the retirement of Azure Data Studio in February 2026, what tools do we use to assess and migrate databases to Azure SQL?

If you’ve used Azure SQL Managed Instance Genera...

The following article originally appeared on Addy Osmani’s Substack newsletter, Elevate, and is being republished here with his permission. When I joined Google ~14 years ago, I thought the...

After a bit of a holiday break, the podcast is back. And today’s episode explains it pretty well why I took a month off. My physical life is a...

Deutsch | English | Español | Français | Italiano As a European citizen, I understand first-hand the importance of digital sovereignty, especially for our public sector organisations and highly...

AWS is announcing the general availability of Amazon EC2 X8i instances, next-generation memory optimized instances powered by custom Intel Xeon 6 processors available only on AWS. X8i instances are...

As a database application vendor, the security and...

This post is part of a series of excerpts from my forthcoming book “Microsoft Power BI Data Analyst Associate Study…

Fun Query Plan Friday   Going Further If this is the kind of SQL Server stuff you love learning about, you’ll love my training. I’m offering a 25% discount...

Stored Procedure IF Branching and Deferred Compilation In SQL Server Going Further If this is the kind of SQL Server stuff you love learning about, you’ll love my training....

I was recently part of a discussion (which I have ...

AI is a big deal in 2026, and at Redgate, we’re experimenting with how AI can help developers and DBAs become better at their jobs. One of the areas... The...

Teams work on databases across multiple environmen...

SQL Prompt’s January release brings support for ...

Redgate Flyway’s January update brings faster drift resolution, AI-powered deployment descriptions, and a look back at everything we shipped in 2025. Plus, we want to hear from you about...

On January 15, 2026, Microsoft released SQL Server 2022 Cumulative Update 23. This is Build 16.0.4235.2. By Microsoft’s count, there are 15 public fixes and improvements in this CU,...

In this series on common SQL Server problems, I provide some guidance around the error message "An invalid length was passed to the LEFT or SUBSTRING function..." errors.

Learn why SQL Server throws the invalid length err...

Ramblings of a retired data architect Let me start...

A Neat Trick with Using SELECT to Assign Variable ...

Taiwan has pledged at least $250 billion in direct U.S. investments for semiconductor, energy, and AI production. The post US, Taiwan Sign $250B AI Chip Deal appeared first on eWEEK.

"Zero balance due now!" shouted davethepirate "To be fair, I had disputed a charge on a bill and they finally relented which should have actually resulted in them owing me $1.01,...