No, 9999 Is Not a Good Password, Even for a Simple IoT Device
It seems that even after years of training and being bombarded with security tips and information, we are still not in the right mindset when it comes to cyber security. The latest, thankfully minor incident that made the news proves this yet again.
A user account shared among WeWork employees to run printer jobs was set up to use an alarmingly simple password - in this case the password was "9999". WeWork is a commercial real estate company, providing shared workspaces for its customers. A WeWork customer named Jake Easley who works in a London branch of the company managed to log into the account by simply guessing the password.
People like Mr. Easley would usually be given a seven-digit username string and a four-digit password string to use when they need to print documents on shared equipment. However, the username for this particular account was just four digits instead of seven: "9999". Easley simply guessed the password, because it happened to be the exact same string as the username - "9999".
The account in question was set up in a way that did not allow it to see the actual contents of the printing tasks, but Easley discovered that if he logged into the "9999" account through the printing web portal service, he was able to push printing tasks queued by other customers to any other printer on the same network.
The catch is that the printing web portal is also accessible through the free Wi-Fi network that guests can use, which in turn did not have a password at all.
After Easley contacted TechCrunch and the company was alerted to the issue, measures were taken. WeWork representative Colin Hart stated that the company is investigating the issue and has taken steps to address any issues. Hart further stated that WeWork was going through a network-wide printing upgrade process that included heightened security measures.
This minor incident only serves to show that even corporate employees who undergo some sort of digital security training are prone to making bad choices and mistakes when working with account credentials.
One would think that it would be universal knowledge that using "12345" or any string of numbers is a terrible idea for a password, even when it comes to a simple, Internet-connected device like a CCTV camera or a printer. However, it looks like this point will take even more hammering home until we all get past the stage of using "password" or "9999" as our password string.