Default Account Settings
Almost every installation or setup guide written for modern systems recommends changing default account settings. Despite this fact, penetration testers consistently discover systems, devices, and applications that continue to have default accounts set up with their original passwords. Default password lists like those found at http://www.defaultpassword.com/, https://cirt.net/passwords, and many other sites provide an easy way to quickly look up default usernames and passwords for many common network devices and software packages.
The actual settings for accounts are also often left unchanged. That means that some accounts may have greater permissions than they need to serve their intended purpose. After you check for default username and password combinations, you may also want to validate the rights that individual users have. After all, taking over a user account with administrative privileges usually looks far more innocuous than taking over root or the administrator account on the system, device, or service!
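One way to carry out the rights validation described above on a Unix-like host, as an added example that is not part of the original text: it reads passwd- and group-format text and lists accounts that hold more privilege than an ordinary user account needs. The admin group names, the nologin shell list, the UID threshold of 1000 and the sample data are assumptions made for illustration.

```python
# Added example: audit of account rights from passwd/group-format text.
# ADMIN_GROUPS, NOLOGIN_SHELLS, uid_min and the sample data are assumptions.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_report:x:998:998::/opt/report:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
sudo:x:27:alice,svc_report
users:x:100:alice,bob
"""

def parse_passwd(text):
    """Return {name: (uid, shell)} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts

def parse_admin_members(text):
    """Return {user: set(groups)} for supplementary members of admin groups."""
    members = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS:
            for user in filter(None, fields[3].split(",")):
                members.setdefault(user.strip(), set()).add(fields[0])
    return members

def audit(passwd_text, group_text, uid_min=1000):
    """Return sorted (account, finding) pairs that need review."""
    admins = parse_admin_members(group_text)
    findings = []
    for name, (uid, shell) in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append((name, "non-root account with UID 0"))
        for group in sorted(admins.get(name, ())):
            findings.append((name, f"member of {group}"))
        if 0 < uid < uid_min and shell not in NOLOGIN_SHELLS:
            findings.append((name, "system account with login shell"))
    return sorted(findings)
```

Each finding is a prompt to confirm that the account still needs that level of access, not proof of a misconfiguration.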