Why are default passwords on devices (routers, IP cameras, IoT) such a reliable attack vector?
Network devices ship with well-known factory passwords that owners often never change — so attackers just try the published defaults first.
The problem:
Most network-capable devices (routers, IP cameras, printers, IoT gadgets) come with a standard password from the manufacturer. The intention is that you change it during setup — but in practice many people never do.
Why attackers love it:
- Default credentials for almost every device are published openly online (whole databases of them exist)
- No cracking needed: just try
admin/admin,admin/password, etc. - Devices are often internet-exposed and unmonitored
Real-world impact:
Large botnets have been built by scanning the internet for devices still using factory passwords, then logging straight in. Unchanged camera and router passwords are a recurring cause of mass compromise.
Defenses:
- Change every device's default password immediately on first setup
- Use a unique strong password per device
- Disable remote/internet-facing admin access unless you truly need it
Tip: "Try the default first" is step one for many automated attacks — changing the factory password is one of the cheapest, highest-impact security actions you can take.
Go deeper:
Default password (Wikipedia) — the risk plus the Mirai botnet exploiting unchanged factory credentials.