<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 12, 2014 at 12:16 PM, Jason Irwin <span dir="ltr"><<a href="mailto:jasonirwin73@gmail.com" target="_blank">jasonirwin73@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 12/03/14 18:02, David Aldred wrote:> Why an admin password change isn't simply forced on first login I don't know.<br>
</div>Why a password isn't randomly assigned in the factory (sticker on<br>
bottom) is beyond me.</blockquote><div><br></div><div>It is technically quite a tricky process to make the code image unique for each device coming off a production line in a way that is not trivially broken.</div><div><br>
</div><div>For instance, it is a mandatory requirement that the MAC addresses for the devices be unique, so the manufacturers have worked out how to do that, and they mark the MAC addresses on the sticker. But MAC addresses are simple incrementing identifiers and are not private information. If the password is based upon this MAC address (even through some complex hash) it becomes simply security through obscurity. The password is harder to determine but still remotely exploitable.</div>
<div><br></div><div>You need this password to be _properly_ randomly generated. And that's an expensive step in the manufacturing process. Not impossible, and I can think of multiple ways to achieve it that are manufacturable but still it costs. And remember these devices are made with very small margins. If they made them even a little more expensive, they would need to market the heck out of the benefit to shame other manufacturers who did not do it, or lose out because they were too expensive with no perceived benefit. And then they would be the target of loads of hackers/crackers around the world trying to break this new fancy system. With that much attention, the company would certainly fail, and the market would punish them for failing much more than they get punished for not trying.</div>
<div><br></div><div>Basically, it's just not worth it for the manufacturers. This is one of the problems that is only going to improve with legislation, not free-market economics.</div><div><br></div><div>-Michael </div>
</div></div></div>