Default passwords are publicly available online—attackers use them as their first attack method because they work so often. If someone logs into your router with the default password, they can intercept all your business data, install malware, or lock you out of your own systems. A manufacturing company in Bangalore lost ₹15 lakhs in a ransomware attack that started when a hacker logged into their server using the default 'admin/admin' password. You could also fail customer audits (many large buyers now ask for proof of this), lose client trust, or face penalties under data protection rules.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You find that several devices still have their original manufacturer passwords (like 'admin/password' on the Wi-Fi router or 'root/root' on the server). No one has documented what the original passwords were, and some device manuals with default credentials are still lying around. |
| Initial | You've changed passwords on the most critical devices (main server, Wi-Fi), but older computers, printers, and network switches still use defaults. You have a handwritten list of new passwords in a drawer, but it's not organised or securely stored. |
| Developing | All devices have had their default passwords changed to something stronger. The IT person knows which passwords have been changed, and you have a basic password list kept in a locked cabinet, though it's not properly backed up. |
| Defined | All default passwords on computers, servers, routers, and Wi-Fi have been changed to strong, unique passwords. You maintain a documented password inventory (possibly in a simple spreadsheet) and have a process to change passwords on new devices before they go into production. |
| Managed | All default passwords are changed to strong, unique credentials stored in a centralised password manager (like KeePass or similar). You have a documented policy requiring password changes within 48 hours of device setup, and you audit quarterly to ensure compliance. |
| Optimised | Default password changes are automated where possible, and all credentials are managed in a secure, encrypted password vault with role-based access. You conduct regular audits (at least twice yearly), maintain change logs, and have a process to retire or reset devices at end-of-life without exposing old passwords. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Identify all network devices (routers, servers, printers, switches) and change default passwords on the most critical ones (Wi-Fi router and main server). Write down new passwords in a safe place (locked drawer, for now). | IT person or owner | 2-3 days |
| 1 → 2 | Change default passwords on remaining devices (computers, older servers, printers, network switches). Create a simple spreadsheet listing all devices, their default credentials (what was changed from), and new passwords. Store the spreadsheet in a locked cabinet or protected file. | IT person | 1-2 weeks |
| 2 → 3 | Document a formal policy stating that all new devices must have default passwords changed before first use. Implement a checklist for device setup. Review the password list monthly and confirm all critical devices are covered. | IT person with owner approval | 2-3 weeks |
| 3 → 4 | Deploy a password manager (such as KeePass, Bitwarden, or a low-cost paid option). Migrate all device passwords into the manager. Set up role-based access so only authorized staff can view critical passwords. Create a formal change request log. | IT person | 4-6 weeks |
| 4 → 5 | Automate password changes where the device API allows (via configuration management tools). Establish a formal quarterly audit schedule. Document and test device retirement procedures to ensure old passwords cannot be recovered. Integrate findings into your annual security review. | IT person or external security consultant | Ongoing (2-4 hours per quarter) |
Documents and records that prove your maturity level.
- Inventory list of all computers, servers, routers, printers, and Wi-Fi devices with columns showing 'default password changed: Yes/No' and date changed
- Password change log or ticket records showing when each device password was modified
- A secure password storage location (password manager, locked cabinet, or encrypted file) with proof of access control (who can view it)
- Device setup checklist or procedure document that includes 'change default password' as a mandatory step before deployment
- Audit report or sign-off sheet from the past 6-12 months confirming that all devices in use have non-default passwords
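The quarterly check behind the steps table and the audit report above can be scripted against the inventory spreadsheet. The following is an added example, not part of this page or the NIRMATA framework: it assumes a constructed CSV with hypothetical column names (a 'credential_id' column pointing at the password-manager entry, so no password is stored in the inventory itself) and flags devices that still use defaults, changes that are undated or later than the 48-hour policy, and one credential reused across several devices.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the device inventory (hypothetical column names).
# 'credential_id' points at the password-manager entry; no password is stored here.
INVENTORY_CSV = """device,type,setup_date,default_changed,changed_date,credential_id
wifi-router-1,router,2024-01-10,Yes,2024-01-10,KP-0001
main-server,server,2024-01-12,Yes,2024-01-15,KP-0002
hr-printer,printer,2023-11-02,No,,
backup-nas,backup,2024-02-01,Yes,2024-02-01,KP-0002
core-switch,switch,2024-02-05,Yes,,KP-0003
"""

# Policy from the 'Managed' level: defaults changed within 48 hours of setup.
CHANGE_DEADLINE = timedelta(hours=48)

def audit_inventory(csv_text: str) -> dict:
    """Return {device: [finding, ...]}; devices that pass every check are absent."""
    findings = defaultdict(list)
    devices_per_credential = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device"]
        # Check 1: the default password must actually have been changed.
        if row["default_changed"].strip().lower() != "yes":
            findings[dev].append("default password still in place")
            continue
        # Check 2: the change must be dated (audit evidence) and within policy.
        if not row["changed_date"]:
            findings[dev].append("change not dated (no proof for audit)")
        else:
            setup = datetime.fromisoformat(row["setup_date"])
            changed = datetime.fromisoformat(row["changed_date"])
            if changed - setup > CHANGE_DEADLINE:
                findings[dev].append("changed later than 48h after setup")
        if row["credential_id"]:
            devices_per_credential[row["credential_id"]].append(dev)
    # Check 3: one credential must not be reused across several devices.
    for cred, devs in devices_per_credential.items():
        if len(devs) > 1:
            for dev in devs:
                others = ", ".join(d for d in devs if d != dev)
                findings[dev].append(f"credential {cred} also used on {others}")
    return dict(findings)

if __name__ == "__main__":
    for dev, issues in sorted(audit_inventory(INVENTORY_CSV).items()):
        print(f"{dev}: " + "; ".join(issues))
```

An empty result is the pass condition for the sign-off sheet; anything returned is a finding to fix and re-run before the audit is signed.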
Prepare for these questions from customers or third-party reviewers.
- "Can you show me the list of all devices in your network and confirm which ones still have default passwords, if any?"
- "How are default passwords changed when a new server or router is installed, and who is responsible?"
- "Where and how are the new passwords stored, and who has access to view them?"
- "When was the last time you verified that all active devices have non-default passwords, and what did you find?"
- "If a device is decommissioned or returned, what process ensures the old default (or current) credentials cannot be misused?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and securely store all device passwords in one place so they don't get lost or written on sticky notes | KeePass (open-source, works on Windows/Mac/Linux, no ongoing cost) | Bitwarden (₹2,000–3,000/year for team version), 1Password (₹6,000/year), LastPass (₹4,000/year) |
| Check which devices on your network are still using default or weak passwords | Shodan (free tier for basic scanning, requires internet), Nmap (free network scanning tool, command-line) | Nessus Professional (₹80,000+/year), Qualys (₹1,00,000+/year) |
| Generate strong random passwords that are hard to guess | Built into KeePass or online password generators (passwordgenerator.com, bitwarden.com/password-generator) | Included in paid password managers listed above |
- Assuming that because a device is on an 'internal network only', the default password doesn't matter—many breaches start from inside, and ransomware spreads rapidly once a weak entry point is found
- Changing passwords but not documenting which ones were changed or keeping the list unsecured (written on paper, shared in plain email, or saved in an unencrypted spreadsheet)—this defeats the purpose and creates new risks
- Forgetting about older devices like printers, backup systems, or secondary routers because they 'aren't used much'—attackers specifically target forgotten devices because they're rarely monitored
- Not setting a process for new devices, so when you buy a new server or replace a router, the default password remains because no one remembers to change it until after an incident
- Using the same password for multiple devices (even if changed from default)—if one device is compromised, all others become vulnerable
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Security of personal data) requires reasonable security measures to protect personal data; default passwords do not meet 'reasonable' standards |
| CERT-In 2022 | Direction 2.4.3: 'Change all default credentials on network devices and systems before deployment' (as per CERT-In guidelines on baseline security) |
| ISO 27001:2022 | Annex A, Control 5.3.2 (Authentication and secret management): 'Systems shall be configured to prevent or detect the use of default or known weak credentials' |
| NIST CSF 2.0 | Function: Protect (PR); Category PR.AC-1 (Access Control Policy): 'Managed, defined, and enforced policies and procedures to manage physical access and manage logical access to assets' |