hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.53k stars, 4.6k forks

Add Red Alert disclaimer to not deploy resource examples without modifying plain-text passwords #15677

Open kthejoker opened 2 years ago

kthejoker commented 2 years ago

This doc

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine

contains an example script, including a plain-text administrative password.

Attackers are using this exact admin/password combo for recon on Azure VMs in order to hijack them, infect them with malware, etc.

Can we include an even more aggressive disclaimer or alert at the top of the docs not to deploy with this example password but to change it in your script, with the stated effort of preventing a VM from being generated with a password already known to attackers?

DeeNaxic commented 2 years ago

Even if you do, people will still copy-paste the examples in. Having scanned a lot of the documentation, there are actually a lot of code blocks with passwords which are not even valid by the default policy. This is an odd thought, but it is a way of solving the problem.

If you can't deploy the example, you won't end up with defaulted passwords, as you are forced to do a manual edit. You would of course get an annoying error saying "Hey, the password you provided doesn't live up to the standards", but at least that's understandable.

This is just a suggestion, I could easily go through with my tools and find all password blocks and set this. But would probably require some feedback from others, as it's also not an obvious solution.
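One way to act on the suggestion above, as an added example that is not part of this thread or of the provider's own code: a small Python script that finds password string literals in a documentation snippet, checks each one against Azure's Windows VM local-administrator password rules, and rewrites the ones that would deploy as-is to a placeholder that the policy rejects, so the reader is forced to edit before `terraform apply` succeeds. The length bounds (12 to 123 characters), the 3-of-4 character-class rule and the short block list are taken from Microsoft's published VM password guidance as understood here and are assumptions, as are the `SAMPLE_DOC` snippet (constructed for this example), the attribute-name pattern and the placeholder value.

```python
import re

# Azure Windows VM admin password policy (assumption, from Microsoft's
# published guidance): 12-123 characters, at least 3 of the 4 character
# classes (lower, upper, digit, special), and none of the refused values.
MIN_LEN = 12
MAX_LEN = 123
DISALLOWED = {
    "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word",
    "pass@word1", "Password!", "Password1", "Password22", "iloveyou!",
}

# HCL string assignment to an attribute whose name ends in "password",
# e.g. `admin_password = "..."` (assumption: doc examples are plain HCL).
PASSWORD_RE = re.compile(
    r'^(?P<indent>[ \t]*)(?P<attr>\w*password)\s*=\s*"(?P<value>[^"\n]*)"',
    re.MULTILINE | re.IGNORECASE,
)


def char_classes(pw):
    """Number of Azure character classes present in pw (0-4)."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_azure_policy(pw):
    """True if Azure would accept pw as a Windows VM admin password."""
    if pw in DISALLOWED:
        return False
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    return char_classes(pw) >= 3


def find_password_literals(hcl):
    """All (line_no, attribute, value) password literals in the snippet."""
    found = []
    for m in PASSWORD_RE.finditer(hcl):
        line_no = hcl.count("\n", 0, m.start()) + 1
        found.append((line_no, m.group("attr"), m.group("value")))
    return found


def deployable_passwords(hcl):
    """Literals that Azure would accept as written, i.e. the dangerous ones."""
    return [(n, a, v) for n, a, v in find_password_literals(hcl)
            if meets_azure_policy(v)]


def neutralize(hcl, placeholder="changeme-replace-this"):
    """Rewrite every deployable password literal to a policy-rejected placeholder.

    Literals that already fail the policy are left alone: they cannot be
    deployed, so they already force the reader to edit the example.
    """
    assert not meets_azure_policy(placeholder), "placeholder must be rejected"

    def sub(m):
        if meets_azure_policy(m.group("value")):
            return f'{m.group("indent")}{m.group("attr")} = "{placeholder}"'
        return m.group(0)

    return PASSWORD_RE.sub(sub, hcl)


# Constructed sample: one example with a password Azure would accept, one
# with a password it would reject (too short, single character class).
SAMPLE_DOC = '''
resource "azurerm_windows_virtual_machine" "example" {
  name           = "example-machine"
  admin_username = "adminuser"
  admin_password = "Ex4mple-Str0ng-Pass!"
}

resource "azurerm_linux_virtual_machine" "example" {
  admin_username = "adminuser"
  admin_password = "password"
}
'''

if __name__ == "__main__":
    for line_no, attr, value in deployable_passwords(SAMPLE_DOC):
        print(f"line {line_no}: {attr} = {value!r} would deploy as-is")
    print(neutralize(SAMPLE_DOC))
```

Run over a docs tree, `deployable_passwords` gives the list of examples that a copy-paste would turn into a live VM with a known password, and `neutralize` is the mechanical edit DeeNaxic describes; the assertion in `neutralize` guards against someone later choosing a placeholder that happens to satisfy the policy.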

kthejoker commented 2 years ago

I like this idea: if people will ignore the warnings, the best way to ensure default passwords aren't being used is to make sure there are no (valid) default passwords.
