Analysis 20 November 2024 ✎ Gjoko Krstic

Anatomy of a Default Credential: Why Factory Auth Persists in Critical Infrastructure

Across every product category assessed in 2024, factory-default authentication was the single most common finding. In several families the default account cannot be removed or renamed.

The Scale of the Problem

Of the 89 products assessed by ZSL in 2024, 73 shipped with default credentials that provided full administrative access. In 31 cases, the default account could not be disabled, renamed, or have its password changed — it was hardcoded into the firmware.

Common Patterns

Why It Persists

Vendors cite three reasons: backward compatibility with existing deployments, field technician access requirements, and the assumption that devices will be on isolated networks. In practice, these devices are routinely exposed to corporate LANs and, through misconfiguration, to the internet.

Recommendations

Force a password change on first login. Disable or remove default accounts in firmware. If service accounts are required, use time-limited tokens generated per device rather than shared credentials. Implement account lockout after repeated failed attempts.
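The four recommendations above combine into one login model, sketched here as an added example that is not code from the original analysis or from any of the assessed vendors. The class, its constants and the token format are this example's own assumptions: the admin password is provisioned uniquely per device and flagged for mandatory rotation on first login (so there is no shared factory password to hardcode), repeated failures lock the account for a fixed window, and field-service access uses an HMAC-signed token bound to the device identifier and an expiry time instead of a shared technician credential. The clock is injectable so expiry and lockout can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time


class AuthError(Exception):
    """Raised for any refused login, active lockout, or rejected service token."""


class DeviceAuth:
    """Login state for one hypothetical embedded device (example code).

    No shared default account: the admin password is provisioned per device
    and must be changed on first login. Failed logins lock the account, and
    technician access uses short-lived tokens bound to this device rather
    than a credential shared across the whole product line.
    """

    MAX_FAILURES = 5          # failed logins before the account locks
    LOCKOUT_SECONDS = 300     # how long a locked account stays locked
    TOKEN_TTL = 600           # lifetime of a field-service token, in seconds
    PBKDF2_ROUNDS = 100_000   # work factor for stored password hashes

    def __init__(self, device_id: str, device_secret: bytes, now=time.time):
        self.device_id = device_id
        self._device_secret = device_secret  # unique per device, set at manufacture (assumed)
        self._now = now                      # injectable clock so expiry can be tested
        self._users: dict[str, dict] = {}

    def _hash(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def provision_admin(self, initial_password: str) -> None:
        """Create the admin account with a per-device initial password (for
        example one printed on the unit's label) that must be rotated on first use."""
        salt = secrets.token_bytes(16)
        self._users["admin"] = {
            "salt": salt,
            "hash": self._hash(salt, initial_password),
            "must_change": True,
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, user: str, password: str) -> dict:
        """Verify a password under lockout rules; the returned session says whether a
        password change is still required before the account may do anything else."""
        rec = self._users.get(user)
        if rec is None:
            raise AuthError("unknown user")
        if self._now() < rec["locked_until"]:
            raise AuthError("account locked")
        if not hmac.compare_digest(rec["hash"], self._hash(rec["salt"], password)):
            rec["failures"] += 1
            if rec["failures"] >= self.MAX_FAILURES:
                rec["locked_until"] = self._now() + self.LOCKOUT_SECONDS
                rec["failures"] = 0
            raise AuthError("bad password")
        rec["failures"] = 0
        return {"user": user, "must_change": rec["must_change"]}

    def change_password(self, user: str, old: str, new: str) -> None:
        """Rotate the password (re-verifying the old one, subject to the same lockout)
        and clear the first-login flag."""
        self.login(user, old)
        rec = self._users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = self._hash(rec["salt"], new)
        rec["must_change"] = False

    def issue_service_token(self, purpose: str) -> str:
        """Mint a short-lived technician token bound to this device. In a real
        deployment the vendor's provisioning service, which holds device_secret,
        would mint this rather than the device itself (assumed design)."""
        if "." in purpose or "|" in purpose:
            raise ValueError("purpose must not contain '.' or '|'")
        expires = int(self._now()) + self.TOKEN_TTL
        msg = f"{self.device_id}|{purpose}|{expires}".encode()
        mac = hmac.new(self._device_secret, msg, hashlib.sha256).hexdigest()
        return f"{purpose}.{expires}.{mac}"

    def verify_service_token(self, token: str) -> str:
        """Return the token's purpose if it is unexpired and signed for this device."""
        try:
            purpose, expires_s, mac = token.split(".")
            expires = int(expires_s)
        except ValueError:
            raise AuthError("malformed token")
        if self._now() >= expires:
            raise AuthError("token expired")
        msg = f"{self.device_id}|{purpose}|{expires}".encode()
        expected = hmac.new(self._device_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise AuthError("bad token signature")
        return purpose
```

Because the token's MAC covers the device identifier, a token minted for one unit is rejected by every other unit even when they share firmware, which is the property a shared technician password cannot give. The first-login flag is returned in the session rather than enforced inside `login` so that the device's UI can route the user straight to the change-password screen while still refusing every other action until `must_change` is cleared.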