Default passwords are the easiest way for attackers to break into your systems without any special skill. A manufacturing unit in Pune had its entire ERP system compromised because the SQL database still used the default 'sa' password—attackers locked them out, encrypted their data, and demanded ransom. Your GST filing could be delayed, customer data could be stolen (inviting RBI or CERT-In action), or your entire production database could go offline during peak season. Compliance audits by large clients or banks will automatically fail if they find default passwords still active.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You walk in and find routers, printers, cameras, and servers all still using the passwords that came out of the box or printed on the device label. Nobody has documented what those passwords are or made any attempt to change them.
- Initial: You ask the IT person and they say they 'probably changed some of them' but there's no list of which ones, what the new passwords are, or when it was done. Some devices like old printers still have their factory defaults.
- Developing: You can see a basic spreadsheet listing devices and systems with a note that 'passwords have been changed,' but there's no proof of when, no record of who did it, and the spreadsheet doesn't include all systems (e.g., switches and backup appliances are missing).
- Defined: You find a documented password change checklist covering all major systems and devices (servers, routers, printers, CCTV, databases), signed off with dates. New employees go through an onboarding checklist that includes verifying no default passwords exist on systems they're given access to.
- Managed: You see a formal inventory of all networked devices, a regular audit schedule (quarterly or semi-annual) that tests and confirms default credentials don't exist anywhere, and evidence of automated scans that flag any system still using known defaults. Password change is part of the IT setup procedure.
- Optimised: Your organisation maintains an automated inventory of all systems, runs continuous vulnerability scans that detect default credentials in real time, has automated alerts if any default password is detected, and conducts monthly audits. There's a formal policy that ties default password changes to device procurement and sign-off by IT leadership.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Make a written list of every networked device and system in your office (routers, servers, printers, CCTV, switches, databases, cloud accounts). Note which ones still have factory default passwords by checking documentation or trying known defaults. Ask IT to change at least the passwords for your top 5 critical systems. | IT person or office administrator | 2-3 days |
| 1 → 2 | Create a simple spreadsheet with the columns: Device Name, Location, Default Password Changed (Yes/No), New Password (a reference to the encrypted note or password-manager entry, never the password itself), Date Changed, Changed By. Fill this out for all devices. Store the actual passwords in a locked file or password manager (like Bitwarden or KeePass), not in the spreadsheet. | IT person | 1 week |
| 2 → 3 | Create a formal 'Default Password Removal Checklist' that lists every system (include: all servers, databases, routers, wireless access points, printers, CCTV systems, cloud logins, backup systems, monitoring tools). Document: current status, target completion date, responsible person, and sign-off. Assign completion deadlines and track weekly. Add this to your IT procedures manual. | IT manager or IT person with management sign-off | 2-3 weeks |
| 3 → 4 | Implement a vulnerability scanning tool (free or low-cost) that checks for default credentials quarterly. Build a formal audit process: run scans, document results, create remediation tickets for any defaults found, verify fixes, and sign off. Create a 'System Setup Standard' that includes a mandatory step: 'Change default credentials before device goes live.' Train new IT hires on this standard. | IT manager | 4-6 weeks |
| 4 → 5 | Deploy automated continuous monitoring (using free SIEM dashboards or paid solutions) that scans for and alerts on default credentials in near real-time. Integrate this into your change management process so any new device must pass a 'no default credentials' test before being added to inventory. Conduct monthly reviews of scan results and maintain a dashboard showing compliance status. | IT manager with security responsibility | Ongoing (monthly reviews + quarterly enhancements) |
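The spreadsheet and audit steps above can be checked mechanically. The following is an added example, not part of the original page or the NIRMATA framework: it reads a constructed copy of the 1 → 2 spreadsheet (column names shortened to snake_case), reconciles it against a constructed list of hosts seen on the network, and produces the remediation findings the 3 → 4 audit step asks for, including the "device was factory-reset and nobody re-checked" case by flagging entries older than the quarterly interval.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the "Default Password Removal" spreadsheet (hypothetical data).
# Columns map to: Device Name, Location, Default Password Changed, New Password
# (reference only), Date Changed, Changed By.
INVENTORY_CSV = """device,location,default_changed,vault_ref,date_changed,changed_by
core-router,server room,Yes,vault:net/core-router,2024-04-20,Priya
erp-db (sa),server room,No,,,
lobby-printer,reception,Yes,vault:print/lobby,2023-02-01,Ravi
cctv-nvr,security desk,Yes,,2024-03-10,Ravi
"""

# Constructed list of hosts seen on the network (e.g. exported from a scanner);
# anything here but absent from the spreadsheet is an untracked device.
DISCOVERED_HOSTS = ["core-router", "erp-db (sa)", "lobby-printer", "cctv-nvr", "backup-appliance"]

AUDIT_INTERVAL = timedelta(days=90)  # quarterly re-verification, as in the 3 -> 4 step


def audit_inventory(csv_text, discovered, today):
    """Return (device, finding) pairs that each need a remediation ticket."""
    findings = []
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    tracked = {r["device"] for r in rows}
    for r in rows:
        name = r["device"]
        if r["default_changed"].strip().lower() != "yes":
            findings.append((name, "default credential still active"))
            continue  # nothing else matters until the default is gone
        if not r["vault_ref"]:
            findings.append((name, "no password-manager reference; password may be stored in clear"))
        if not r["date_changed"] or not r["changed_by"]:
            findings.append((name, "change not evidenced: missing date or person"))
        elif today - date.fromisoformat(r["date_changed"]) > AUDIT_INTERVAL:
            findings.append((name, "re-verification overdue; device may have been reset to defaults"))
    for host in discovered:
        if host not in tracked:
            findings.append((host, "on the network but missing from the inventory"))
    return findings


def run_sample():
    """Audit the constructed data as of a fixed date so results are reproducible."""
    return audit_inventory(INVENTORY_CSV, DISCOVERED_HOSTS, date(2024, 6, 1))


if __name__ == "__main__":
    for device, finding in run_sample():
        print(f"TICKET {device}: {finding}")
```

Each printed line is one remediation ticket; a clean quarterly run returns an empty list, which is the evidence the audit sign-off should attach.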
Documents and records that prove your maturity level.
- A complete inventory list of all networked devices and systems (servers, routers, printers, CCTV, databases, cloud applications) with dates when default passwords were changed
- A password change log or signed checklist showing: device name, old (default) password, date changed, who changed it, and confirmation it was changed
- A password management system (encrypted file, password manager, or secure vault) where new passwords are stored and access is controlled—not in plain text spreadsheets
- A formal IT procedure or security policy document stating that all devices and systems must have default passwords changed before they are connected to the network or taken into production
- Audit or scan reports (quarterly or semi-annual) from vulnerability scanning tools or manual testing that confirm no systems are still using default or known credentials
Prepare for these questions from customers or third-party reviewers.
- "Can you show me the list of all systems and devices in your organization and confirm that each one has had its default password changed? How do you maintain this list and keep it updated?"
- "Walk me through your process for setting up a new server or device. At what step do you verify that the default password has been changed, and who approves this before it goes live?"
- "How often do you audit or scan your systems to check that no default passwords still exist? Can you show me the results of your most recent scan or audit?"
- "If I were to connect to your router, database server, or backup system right now using published default credentials, would that succeed? How do you prevent this?"
- "Who has access to the current passwords of your systems, how are they stored, and how do you ensure that old or default passwords are never used again?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Scan your network to find devices still using default or weak credentials | Nessus Essentials (free version, limited to 16 IP addresses); OpenVAS (open-source, unlimited) | Nessus Professional (₹60,000–80,000/year); Qualys VMDR (₹2,00,000+/year) |
| Safely store and manage all your passwords so they're not written on sticky notes or spreadsheets | Bitwarden (open-source, free tier covers small teams); KeePass (offline, free) | 1Password (₹4,500/person/year); LastPass Business (₹3,000–5,000/person/year) |
| Test if your systems are responding to known default credentials (manual testing) | SSH, Telnet, or basic browser login attempts (no tool needed, just documentation) | Hydra or Medusa penetration testing tools (free but require Linux knowledge) |
- Changing only the 'obvious' passwords (servers, databases) but forgetting devices like old network printers, wireless access points, CCTV systems, or out-of-band management ports (IPMI, iLO)—attackers use these forgotten devices as a backdoor.
- Writing down the new passwords in a shared spreadsheet or notebook on the desk instead of using a proper password manager; this defeats the entire purpose because anyone who sees the spreadsheet can log in.
- Changing the password once and never auditing again; a year later, a device gets reset to factory defaults during a crash and nobody realizes the default is active again until a breach happens.
- Relying on a single IT person who remembers the passwords but never documented them or told anyone else; when that person leaves, the organization is locked out of its own equipment or the passwords are reset to defaults by a new hire.
- Assuming cloud services or SaaS applications don't need this check because they're 'managed by the vendor'—many SaaS platforms still have default admin accounts that you must change yourself, especially internal admin portals.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (security and safeguards) and Schedule 2 (reasonable security practices) require organizations to implement safeguards against unauthorized access; default passwords are a direct violation |
| CERT-In Guidelines 2022 | Secure Configuration and Credential Management: organizations must change manufacturer-supplied credentials and implement strong authentication controls |
| ISO 27001:2022 | Annex A.5.3 (Segregation of duties), Annex A.8.3 (Password management), and A.8.2 (User registration and access rights); default passwords violate principle of unique identifiable access |
| NIST CSF 2.0 | Govern (GV.RO-01: Cybersecurity roles and responsibilities) and Protect (PR.AC-01: Identities and credentials are managed and protected); default credentials undermine access control and accountability |