
The risk of default passwords: What they are & how to stay safe
Cyberattacks are evolving rapidly. As technology advances, so do the tools and techniques used by hackers, from AI-driven phishing schemes to highly targeted ransomware attacks. But despite this increasing sophistication, many successful breaches still rely on something shockingly simple: default passwords.
According to a recent IBM report, 86% of people have never changed the admin password on their home router. This oversight can have serious consequences, allowing hackers to manipulate and monitor traffic, launch man-in-the-middle (MiTM) attacks to steal data, and even spy on users through connected IoT devices.
In a business context, the consequences can be even more severe. Default credentials on company devices, servers, or cloud applications can act as open doors for attackers, allowing them to access sensitive systems and pivot across networks with minimal resistance.
This is just one example of the threat posed by default passwords, and why it’s so important to eliminate them from your environment. In this article, we’ll explain what default passwords are, why they remain such a persistent risk in 2025, and the practical steps you can take to protect your network from compromise.
What are default passwords?
Default passwords are pre-set credentials (like “admin” or “password”) that manufacturers assign to devices to simplify initial setup and provisioning. They’re meant to be temporary, giving users quick access during installation.
However, despite the security risk they carry, these passwords often go unchanged long after deployment.
Why are default passwords used?
There are a few reasons why default passwords still persist, both on the manufacturer side and the user side. The key reason for manufacturers is ease of deployment in large-scale environments. Using a standard, known password allows devices to be quickly provisioned, tested, and shipped without complicated setup processes.
Manufacturers setting default passwords shifts the responsibility for security downstream – and that’s where things often break down. In business environments, IT teams may distribute laptops, phones, routers, or other devices to employees with the expectation that they’ll follow onboarding instructions, including changing the default password to something secure.
But many users never do. Whether out of habit, convenience, or lack of awareness, employees often skip this step, leaving devices exposed and creating blind spots in the organization’s security posture.
The risk of default passwords
Leaving default passwords unchanged can create serious security threats for both individuals and organizations. Because these credentials are often publicly available, listed in user manuals or on manufacturer websites, they’re among the first things attackers try when scanning for vulnerable systems. Once inside, the damage can escalate quickly.
- Botnet recruitment: In many cases, compromised devices are quietly enrolled into large botnets, which leverage thousands of vulnerable systems to launch distributed denial-of-service (DDoS) attacks or spread malware.
- Ransomware entry and lateral movement: Default passwords can serve as the initial access point for ransomware operators. Once inside a network via an unsecured device, attackers can move laterally with devastating consequences.
- Supply-chain exploitation: If attackers gain access to systems that are integrated with partners or vendors, they can exploit those trusted connections to spread malware, exfiltrate sensitive data, or compromise downstream customers.
Real examples of default password attacks
Pennsylvania water supply attack
In 2023, a water facility in Pennsylvania was hit by a cyberattack initiated by foreign hackers known as ‘Cyber Av3ngers’. The water facility used Unitronics programmable logic controllers for monitoring and regulating water systems, which had apparently been connected to the open internet with a default password of “1111”. The hackers were easily able to find and exploit this weak default password, allowing them to take control of the system and cause a temporary halt in pumping.
This attack – along with several other connected breaches – prompted multiple authorities, including the FBI, CISA and NSA, to release a joint advisory warning of the threat and urging organizations to take protective measures including replacing all default passwords.
Mirai botnet
One of the most infamous examples of a cyberattack exploiting default passwords is the Mirai botnet, which emerged in 2016. Mirai specifically targeted Internet of Things (IoT) devices (like routers and IP cameras) that were still using default credentials. The malware continuously scanned the internet for vulnerable devices, using a hardcoded list of common default credentials like “admin:admin” or “root:123456” to gain unauthorized access. After compromising a device, Mirai recruited it as part of a massive botnet army that could be remotely controlled by attackers.
Mirai was used to launch some of the largest Distributed Denial of Service (DDoS) attacks in history at the time. In one high-profile case, Mirai targeted Dyn, a DNS provider, resulting in widespread outages across major players including Twitter, Netflix, and Reddit.
The consequences of using default passwords
Default passwords are commonly used to simplify initial setup, but failing to change them after deployment can leave your organization wide open to attack. Aside from the risk of a breach itself, here are some of the potential consequences of relying on factory-set or hardcoded credentials:
1. Brand damage from security breaches
When a cyberattack exploits default credentials in your infrastructure, the fallout can cause significant damage to your organization’s reputation. Publicized breaches – particularly those affecting customer data or critical operations – undermine trust and can result in lost business, negative press, and damaged partnerships.
In some cases, your organization may also face internal investigations, board-level scrutiny, or legal action due to perceived negligence.
2. Regulatory fines for non-compliance
New regulations like the EU’s Cyber Resilience Act and U.S. state-level laws (like those in California) are cracking down on manufacturers that ship devices with insecure defaults. These laws can impose significant fines and even prohibit the sale of non-compliant products. Companies that fail to eliminate default passwords now risk legal penalties and forced product redesigns later on.
3. High operational costs
Leaving default passwords unchanged greatly increases your exposure to cyber threats, which in turn raises the cost of maintaining your systems.
A single compromise can trigger the need for emergency patching, forensic investigations, downtime, and system reconfigurations. All of these reactive measures are more disruptive and expensive than proactive password strengthening.
4. Risk to broader IT systems
Default password vulnerabilities don’t tend to stay isolated. Once an attacker gains access to a single poorly secured device or system, they can move laterally through your network, taking advantage of privilege escalation to gain more and more access and cause significant disruption and damage.
This is particularly dangerous in high-stakes environments like healthcare facilities or industrial control systems, where a single weak point can undermine the security of the entire infrastructure.
How to reduce the risk of default passwords
Default passwords are one of the easiest entry points for attackers. Fortunately, they’re also one of the easiest to fix. Taking proactive steps can dramatically reduce your organization’s exposure to credential-based attacks.
1. Identify and audit for default credentials regularly
The first step in addressing default passwords is knowing where they exist. Conduct regular audits across your entire network to detect any default or weak credentials still in use.
This includes checking manufacturer documentation, scanning for known default username/password combinations, and using automated tools to flag insecure configurations.
With our free Specops Password Auditor, you can run a read-only report of your Active Directory to identify any weak or compromised credentials. It’s able to compare the NTHash of every password and display users who have the same one set – indicating potential default password use. Try it for free here.
2. Immediately change default passwords
Any time you introduce a new device, service, or platform into your environment, you should immediately enforce a password change as part of the initial setup process. Where possible, try to disable any accounts with default login credentials entirely – they may not actually be necessary, and eliminating them greatly reduces your attack surface.
Specops First Day Password, a feature of Specops uReset, can help make this process more secure and seamless. It eliminates the need to share temporary passwords with new users during provisioning. Instead, users securely reset their onboarding password themselves – without ever needing to know or handle the original password.
It’s a simple step that removes a common vulnerability from your onboarding process and improves both security and user experience. Get in touch for a free demo.
3. Implement strong password policies
Default passwords are a danger, but so are weak passwords in general. It’s vital to enforce strong password policies that meet minimum requirements for length and complexity.
Specops Password Policy can help you strengthen your password security, ensuring compliance and blocking over 4 billion unique compromised passwords from your Active Directory. Sign up for a free live demo today.
4. Enable multi-factor authentication (MFA)
Multi-factor authentication significantly reduces the risk that a compromised password (default or otherwise) can lead to a breach. By requiring a secondary form of authentication, like a one-time passcode from an authenticator app, MFA adds a second line of defense that can stop attackers in their tracks.
5. Segment and monitor network access
Even with a strong password policy in place, you should always assume that credentials could be compromised. If attackers do gain access, network segmentation can limit their movement within your environment.
Continuous monitoring and logging are also important to detect unusual access attempts, particularly any that use known default account names or originate from unrecognized IP addresses.
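As an added example of the monitoring described in this step (not code from the article or from Specops), the script below runs three detections over device login logs: a successful login as a default account name, any attempt as a default account from outside the management subnet, and a burst of failed logins from one source. The log line format, the default account names, the management subnet and the thresholds are all assumptions constructed for the example; adapt the regular expression to whatever your devices actually emit.

```python
"""Flag login activity consistent with default-credential use or probing.

Added example, not part of the original article. Assumes a key=value login
log format (constructed below), a management subnet from which admin logins
are expected, and a list of default account names; all three are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names that ship as defaults and should never be used after provisioning (assumed).
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "support", "user"}
# Subnet from which interactive admin logins are expected (assumed).
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")
FAIL_THRESHOLD = 5          # this many failures from one source within WINDOW
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def analyze(lines):
    """Return a list of (rule, device, user, src) findings in log order."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # malformed lines are skipped, not fatal
        src = str(ev["src"])
        is_default = ev["user"] in DEFAULT_ACCOUNTS
        if is_default and ev["result"] == "success":
            findings.append(("default-account-success", ev["device"], ev["user"], src))
        if is_default and ev["src"] not in MGMT_NET:
            findings.append(("default-account-external-attempt", ev["device"], ev["user"], src))
        if ev["result"] == "failure":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("failure-burst", ev["device"], "*", src))
                recent = []         # reset so the burst is reported once
            failures[ev["src"]] = recent
    return findings


# Constructed sample log: a normal admin login, a guessing burst against a camera
# that ends in a successful 'admin' login, a PLC still reachable as 'admin', and junk.
SAMPLE_LOG = """\
2025-03-04T10:00:01Z device=core-sw1 user=netops result=success src=10.0.50.12
2025-03-04T10:01:10Z device=cam-lobby user=admin result=failure src=198.51.100.23
2025-03-04T10:01:11Z device=cam-lobby user=admin result=failure src=198.51.100.23
2025-03-04T10:01:12Z device=cam-lobby user=root result=failure src=198.51.100.23
2025-03-04T10:01:13Z device=cam-lobby user=admin result=failure src=198.51.100.23
2025-03-04T10:01:14Z device=cam-lobby user=admin result=failure src=198.51.100.23
2025-03-04T10:01:15Z device=cam-lobby user=admin result=success src=198.51.100.23
2025-03-04T10:05:00Z device=plc-pump2 user=admin result=success src=10.0.50.40
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for rule, device, user, src in analyze(SAMPLE_LOG):
        print(f"{rule:36} device={device} user={user} src={src}")
```

The last sample line shows why the "default-account-success" rule is worth keeping even for sources inside the management subnet: a default account that still works from a trusted address is exactly the unchanged credential this article is about, and it will never trip a source-based rule.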
Protect your organization from default password risks today
One of the best ways to mitigate the risk of default passwords in your environment is to implement strong password policies that encourage the use of unique, complex credentials for each system, enforce regular password changes, and ban any reuse of common or factory-set defaults.
Specops Password Policy offers a proactive approach to password security, helping you to easily enforce compliance and block over 4 billion unique compromised passwords from your Active Directory. As well as continuous scanning for new breached passwords, Specops Password Policy allows you to block end users from creating weak passwords in the first place, helping to eliminate the threat of credential-based attacks.
Interested in finding out more about how Specops Password Policy could help eliminate default passwords in your AD? Book a live demo today.