It’s never been more critical to use sound security practices when online. Many of you are undoubtedly using a password manager to keep track of your unique, per-account passwords, which is awesome and a massive part of digital security. That can be backed up by 2FA or even a physical TOTP key for another layer of the security onion, but what about those devices that you can’t easily change the password on?
A depressingly large number of electronic devices come with absolutely terrible default passwords, and they often don’t get changed. Sometimes, they cannot be changed, as they’re hardcoded into the device’s firmware and need an update from the manufacturer. Plenty of online resources for security researchers have vast databases of these defaults, showing exactly how bad a problem this is.
The worst offenders are devices marketed as secure or designed to offer security to your home, such as internet-connected cameras, hardware firewalls, routers, or alarm systems. These devices often have a default password set for easy installation, but it doesn’t always get changed once the installation is over. If you’ve got any of these devices, check to make sure the defaults have been changed, and contact the manufacturer if necessary for those you can’t change yourself.
Related
5 things that will need to happen before we stop using passwords
Passwordless solutions are growing in popularity, but do you trust them?
7
Routers
Ah, yes, nothing like having default credentials for your internet gateway and Wi-Fi
Routers are often shipped with default passwords, whether for the administration pages, Wi-Fi credentials, or to connect to the ISP. While any router can have horrible, no good, terrible default passwords like admin/password which give the user administrator powers to change anything they like, the routers shipped by Internet Service Providers (ISPs) are especially known for this.
On the one hand, it makes it so that the installation tech can get everything working properly, and that you can connect to your new router’s Wi-Fi quickly, as the credentials are printed on a label somewhere on the router. But you’re supposed to change those login details once the tech has left your home. How many of you actually do? Not many, according to IBM, which says 86% of default router passwords have never been changed.
Remember, this is the device used as a gateway to the internet for every other device in your home, but more importantly, the device that’s a firewall for every device on the internet trying to get in. Change the passwords.
Related
How to change a router password
Give your Wi-Fi password out to the wrong person? Change your router password in a few steps to take back control.
6
Cable modems
I’m sensing a pattern here in internet-connected devices
Some of you might have multiple devices in your home to handle your home network and the gateway to the internet, and a cable modem is often part of the bundle. Except, they almost always have the dumbest default passwords, like admin/password, and what’s worse, many ISPs won’t let you change them as they use those login details to push firmware updates and other administrative tasks.
If you’re stuck with a cable modem on which you can’t change the admin password, you might want to consider sending it back to the ISP in a box and getting your own high-speed cable modem that you control and can change the deliciously dumb default password on.
Related
5 features to look for in a high-speed modem
The modem is your gateway to the wider internet, so it’s worth paying attention to the specifications when you pick one up.
5
Raspberry Pi
Secure your SBCs because otherwise they’re prime bait for hackers
Until recently, the Raspberry Pi had the worst default password combination (aside from admin/password, of course). Yes, using pi and raspberry for the username and password, respectively, would log you in to any freshly installed Raspbian and, later, Raspberry Pi OS. That was the same whether you logged in from the GUI or if you remotely accessed the SBC with SSH, and given the types of tasks Raspberry Pi users often install, that’s a big issue.
Thankfully, it’s not an issue anymore, as from Raspberry Pi OS based on Bullseye or later, the installation process will ask you to create your own login and password combination. That’s likely because the Raspberry Pi Foundation is based in the UK, which recently passed a law that forbids device makers from using foolish passwords for the default settings. Well, using the device’s name is pretty foolish, isn’t it, so off it goes, and user safety is increased.
Related
3 things I wish I knew about the Raspberry Pi before I bought one
Raspberry Pis are great, but they’re tricky to get into.
4
IoT devices
Your smart home is dumb, really dumb
Every year, many security companies publish reports on the worst passwords of the year. In 2024, “123456” is still the most common password in use, and other than losing faith in humanity every time I read that, I’m also not sure if it’s always due to user error. Okay, according to NordPass, it is user error, as over a million of you use that password in a corporate setting, but I digress.
That’s also one of the most common default passwords on IoT devices, things like internet-connected cameras, video doorbells, smart lights, smart switches, and the like. Not for nothing do they have a bad reputation for security, and sometimes these absolutely heinous passwords are hardcoded in the device firmware, so you can’t do anything about it. What you can do is look for devices from trusted brands, as those are less likely to be using security practices that should have died off with the dodo, and change any default login credentials as soon as you connect them to your network.
Related
6 ways to improve smart home security
Protect your physical and digital home
3
Cars with Wi-Fi hotspots
Change the Wi-Fi password, for the love of everything that’s holy
The humble in-car Wi-Fi hotspot is a classic case of convenience over security. I mean, who wouldn’t want their home office situated in a multi-tonne metal box hurtling down the freeway? Assuming you have a car with Wi-Fi, because everything needs Wi-Fi these days, have you changed the default password? Did you know how depressingly easy a thief can get your credentials?
If your car has OnStar, all they need to do is press the OnStar Voice Command button and say Wi-Fi settings, and your ever-helpful voice assistant will read out the details. That’s even easier than the one-button WPS system, which should also be turned off. And the default Wi-Fi password is often in easy-to-find spots, like the vehicle’s manual, on a sticker in the glovebox, or even on the Wi-Fi hotspot device if it’s visible. The infotainment system will also show the Wi-Fi password, but the car has to be running for that, making it easy to find the password you changed the default to.
Related
How to use your iPhone as a hotspot
You can turn your iPhone into a Wi-Fi router of sorts
2
Your home alarm system
Did you know most have a pre-configured panic code that silences the alarm?
Did you know that one of the features of your home alarm system includes a default code that silences the alarm? I sure didn’t, but I do know and I know one more default password that needs changing as soon as I get a new alarm fitted. Thanks to KrebsonSecurity, we know that ADT has a duress code on its keypads, which is a handy feature that silences the alarm but also sends a silent panic alarm to ADT so they can send help.
But we also found out that the keypads are often set up with 2-5-8-0 as the default. Yes, a single line, straight down the middle of the keypad, is the best they could come up with as a default code. I guess it makes some sense, because you’d want something easy to remember in an emergency, but it should be a setting the user can change, not a default. Having it widespread among alarm systems means a thief could silence the alarm long enough to get in and get out before the police arrive.
Related
How to enable smoke alarm detection alerts on the HomePod
Your Apple HomePod or HomePod Mini can detect smoke alarms and alert you, even when you’re not home. Here’s how to enable this feature.
1
Medical devices
Pacemakers, CT scanners, and more, all using hardcoded defaults
You’d think that medical imaging devices costing large sums of money would be secured better than a default password, but think again. TechCrunch says that dozens of imaging machines built by General Electric have “hardcoded default passwords that can’t be changed,” and these are networked in the hospital, so you can see the issue here regarding patient privacy. It’s not just imaging devices; hardcoded credentials also secure pacemakers and other patient devices. That makes it easier for the doctors treating you to work, but opens you up to potential attacks on your health.
Related
Samsung Galaxy Ring and Watch 7 review: A spotlight on Samsung Health
It’s the back end that matters
Default passwords are bad, but change is on the way
Devices with default passwords are indicative of sloppy security practices by the manufacturer. The fact that these are often used on devices designed by security companies, like Cisco routers, internet-connected cameras, Wi-Fi routers, or your home alarm system, is an egregious failure for the security community. Some of these defaults are even hardcoded, so the end user can’t remove them, and hackers can easily take over the device in question.
But it’s not all bad news. California has a law banning weak default passwords, as does the UK, with both having the user choose a password at setup time as the preferred way of handling things. Maybe one day default passwords will be gone, and then it’s a question of remembering your own passwords once the setup is over.
