Default Passwords

When you build a piece of hardware with a web management GUI, you’ve got to set a default password. Otherwise no one could get into it.

The problem is that it seems not many people bother to change it. If you know the model of the thing you’re trying to connect to, there’s probably a greater-than-50% chance that you can Google “modelname default password” and get in. Things that people might not normally think of logging into, like VoIP phones, network printers/copiers, and network infrastructure, are generally left wide open.

There’s a fairly easy way to solve the problem, though: make the default password the device’s serial number. This isn’t infallible, since an attacker knows the password falls within a predictable range, but it makes getting in much harder than a single shared default. Those who do want to log in and change the password need only look at the big label saying “Serial Number / Default Password: ABC123XYZ” or read the manual. And for the 75% of people who never bother, their devices won’t be insecure by default.

As an alternative, for things that require setup before they work, demand that a password be set before networking is enabled. The problem with this is that most people will probably use “password” to get past the screen, with some thinking “I’ll set that later, but for now I want to get this up and running,” and most never thinking twice.
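The following is an added example, not code from the post, modelling both schemes together in a device’s first-boot logic: the factory default is the unit’s serial number, remote management stays off until that default has been replaced, and the replacement is refused if it is the serial itself or one of the trivial choices the post worries about (the class name, the small denylist and the 12-character minimum are my assumptions).

```python
import hashlib
import hmac
import os


class DeviceAdmin:
    """Constructed model of a device's credential handling at first boot.

    The default password is the serial number printed on the label; the
    network management interface is disabled until that default is replaced.
    """

    # Assumed denylist of choices that defeat the purpose of forcing a change
    WEAK = {"password", "admin", "12345678", "changeme"}

    def __init__(self, serial: str):
        self.serial = serial
        self._salt = os.urandom(16)
        self._hash = self._digest(serial)  # default credential = serial number
        self.password_changed = False

    def _digest(self, pw: str) -> bytes:
        # Store a salted slow hash, never the password or serial itself
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 100_000)

    def check_password(self, pw: str) -> bool:
        # compare_digest avoids leaking the match position through timing
        return hmac.compare_digest(self._digest(pw), self._hash)

    def set_password(self, current: str, new: str) -> bool:
        """Replace the default; refuse the serial itself and trivial choices."""
        if not self.check_password(current):
            return False
        if new.lower() in self.WEAK or new == self.serial or len(new) < 12:
            return False
        self._salt = os.urandom(16)
        self._hash = self._digest(new)
        self.password_changed = True
        return True

    def management_enabled(self) -> bool:
        """Second scheme from the post: no remote management until the default is gone."""
        return self.password_changed
```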
