Are you still using the Default Admin password on every copier you install?

[rthonpm]

... a modern security audit would flag using the password DSC328 on 2+ machines as a security weakness.

Unless you have other compensating controls in place. We just placed several MFP's with a regulated customer, all of them have the same admin credentials but the web interface is only available from a single administrative system that is accessible via AD by specific staff, anyone else who tries to log in is blocked by Group policy.

Yes, you could use the credentials from the machine's op panel, but at that point you're not getting very far since the machines can only talk to two internal servers, and those are configured using Windows authentication which isn't directly accessible from either the web interface or the machine itself.

It all depends on how granular you want to get, and even in smaller environments we may set up different admin accounts for different functions.

Overall, we definitely do NOT use the default passwords on any MFP. We will set one just for our staff for customer machines so that there is a fallback if they forget their password, but only two of our staff have access to those, and if it gets used for a specific machine, we will change it on the next service visit.

[tsbservice]

... so how did you store and retrieve 100s of unique passwords?

I am aware of the California law requiring all IOT (Internet of Things) devices to be programmed upon first install away from the default password. I am not aware that this law was enacted anywhere else.

Nope. Most of techs would turn off any password they can as too much grief. There's no advanced law enforcements here but I like to be proactive. They will come soon or later.

[SalesServiceGuy]

Use the serial number.

I like this idea. Use the last four-six digits of the copier's serial #. It is always on the copier somewhere but there is no way a hacker could know it unless they are physically near the copier.

[copier tech]

I like this idea. Use the last four-six digits of the copier's serial #. It is always on the copier somewhere but there is no way a hacker could know it unless they are physically near the copier.

On Ricoh for example you can view the serial number BEFORE logging in!

Not sure about other manufacturers.

[BillyCarpenter]

Full credit goes to KYO for the serial number idea. It was in the attachment that he posted.

[slimslob]

@Billy,

KDC is not sleeping.
California IoT Security Act SB 327 Enclosed new security rule for next generation of Iris (TaskAlfa 2554ci, etc..)If "older" systems get this "modification", i don`t know at the moment.
Attachment 48899

If that were the case then every Windows 10 computer sold in California is in violation.

[slimslob]

This entire discussion is moot at least for Ricoh. With as many people that have openly posted certain proprietary information here, any hacker in the world would have ne problem resetting the passwords to default.

[SalesServiceGuy]

On Ricoh for example you can view the serial number BEFORE logging in!

Not sure about other manufacturers.

Not on a Toshiba but excellent point! This assumes that a hacker knows the IP address of the copier.