Iranian attackers recently manipulated a small U.S. water-treatment station simply by logging in with the factory-set password “1111”. The incident led CISA to repeat years-old advice: default credentials remain one of the most abused weaknesses in operational-technology (OT) and IoT environments. Default passwords survive because they simplify initial set-up and bulk provisioning, yet they invite botnet recruitment (e.g. Mirai), ransomware footholds and supply-chain breaches. New laws—including the UK ban on shipping IoT devices with default logins and forthcoming EU/US rules—mean manufacturers risk financial penalties as well as reputational harm. The article urges vendors to adopt secure-by-design practices (unique per-device passwords, forced credential rotation on first boot, signed firmware, zero-trust onboarding and developer security training). Until that happens, defenders should inventory every device, change credentials immediately and enforce strong password policies—commercial tools such as Specops Password Policy can automate the process.

Default passwords: the manufacturing blind spot we must close

How a single “1111” almost poisoned the water
An Iranian hack on a rural U.S. pumping station succeeded because no one had ever changed the factory password. CISA’s post-mortem could not be clearer: preset logins are still an open door into critical infrastructure.

Why do defaults persist?
• Speed over safety – engineers keep them to streamline roll-outs.
• Legacy kit – older PLCs offer no alternative authentication.
• Mind-set – many vendors still see security as an optional add-on.

The real-world fallout
• Botnets – Mirai enslaved 600k IoT devices and took Twitter offline with a 1 Tbps DDoS.
• Ransomware beachheads – a single unprotected camera or HMI can become the attacker’s staging server.
• Regulatory pain – the EU Cyber Resilience Act and the UK’s ban on default IoT passwords carry stiff fines.

Five secure-by-design fixes for manufacturers
1. Ship every unit with a unique, printed password.
2. Force credential change on first boot via API or QR code.
3. Embed zero-trust onboarding—no network access until the device is claimed.
4. Sign the login firmware so it can’t be tampered with.
5. Audit every build for hard-coded secrets before it leaves the factory.
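To make fixes 1, 2, 3 and 5 concrete, here is an added Python example (it is not code from the article or from any device vendor). It models a device that ships with a unique label password, refuses network access until the owner has logged in with that label password and replaced it, and includes a pre-ship scan of a constructed build tree for hard-coded secrets. The `Device` class, its state names, the regex patterns and the sample files are all assumptions made for the example.

```python
import re
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    FACTORY = "factory"    # shipped with a unique printed password, not yet claimed
    CLAIMED = "claimed"    # owner logged in once and rotated the credential


def factory_password(nbytes: int = 9) -> str:
    """Fix 1: a random, per-unit password meant to be printed on the device label.
    9 random bytes give a 12-character URL-safe string."""
    return secrets.token_urlsafe(nbytes)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid compare_digest's ASCII-only restriction on str.
    return secrets.compare_digest(a.encode(), b.encode())


@dataclass
class Device:
    serial: str
    label_password: str                 # the value printed on the unit (fix 1)
    state: State = State.FACTORY
    owner_password: Optional[str] = None

    def login(self, password: str) -> bool:
        """Before claiming, only the label password works; afterwards only the owner's."""
        if self.state is State.FACTORY:
            return _same(password, self.label_password)
        return self.owner_password is not None and _same(password, self.owner_password)

    def rotate_credential(self, current: str, new: str) -> bool:
        """Fix 2: the first (and only) action allowed on first boot. Rejects a new
        password that is too short or identical to the label password."""
        if not self.login(current):
            return False
        if len(new) < 12 or new == self.label_password:
            return False
        self.owner_password = new
        self.state = State.CLAIMED
        return True

    def network_access_allowed(self) -> bool:
        """Fix 3: zero-trust onboarding; no network until the device has been claimed."""
        return self.state is State.CLAIMED


# Fix 5: patterns that catch the usual shapes of secrets embedded in source (assumed set).
SECRET_PATTERNS = [
    re.compile(r'(?i)(password|passwd|pwd|pw)\s*=\s*["\'][^"\']+["\']'),
    re.compile(r'(?i)(api_key|secret|token)\s*=\s*["\'][^"\']+["\']'),
]

# Constructed build tree: path -> file contents. Values are placeholders, not real secrets.
SAMPLE_BUILD: Dict[str, str] = {
    "src/auth.c": 'static const char *DEFAULT_PW = "1111";\nint check(const char *p);\n',
    "src/net.py": 'API_KEY = "placeholder-key-constructed"\nTIMEOUT = 30\n',
    "src/ok.c": "int main(void) { return 0; }\n",
}


def scan_build_for_secrets(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line number, line) for every line that looks like a hard-coded secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append((path, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    unit = Device("SN-0001", factory_password())
    print("network before claim:", unit.network_access_allowed())
    unit.rotate_credential(unit.label_password, "correct horse battery staple")
    print("network after claim:", unit.network_access_allowed())
    for finding in scan_build_for_secrets(SAMPLE_BUILD):
        print("hard-coded secret:", finding)
```

The build scan is deliberately simple; in a real pipeline it would run as a release gate over the actual source tree and fail the build on any finding, and the label password would be stored only as a hash on the device.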

What UK IT teams should do today
• Inventory every router, PLC and smart sensor.
• Change any stock credentials—no exceptions.

Waiting for a vendor patch is risky; swapping “admin/admin” for a decent passphrase takes minutes and could save millions.
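As an added example of the inventory-and-rotate routine above (not code from the article or from any vendor tool), the following Python script audits a constructed device inventory export: it flags assets still on a stock credential, passwords that fail a simple passphrase policy, and credentials that were never rotated or are overdue. The CSV columns, the asset names and the policy thresholds are assumptions; the only stock values checked are the “1111” and “admin/admin” the article itself mentions.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed inventory export. The password column stands in for whatever the
# credential vault exposes to the auditor; column names are assumptions.
INVENTORY_CSV = """asset,type,username,password,last_rotated
pump-plc-01,PLC,admin,1111,
edge-router-02,Router,admin,admin,2021-03-02
cam-lobby-03,Camera,root,W1nter-Rain-Ladder-9,2024-05-14
hmi-line-04,HMI,operator,Operator2020,2020-01-10
"""

# Stock values named on the page; a real list would come from the vendor documentation.
DEFAULT_PASSWORDS = {"1111", "admin"}
MIN_LENGTH = 12            # assumed policy: passphrase length floor
MAX_AGE_DAYS = 365         # assumed policy: rotation interval


def is_strong(password: str, username: str) -> bool:
    """Minimal passphrase policy: long enough, not a stock value, not built on the username."""
    if password in DEFAULT_PASSWORDS or len(password) < MIN_LENGTH:
        return False
    return username.lower() not in password.lower()


def audit_inventory(csv_text: str, today: date,
                    max_age_days: int = MAX_AGE_DAYS) -> Dict[str, List[str]]:
    """Return {asset: [issue, ...]} for every asset that needs attention."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues: List[str] = []
        if row["password"] in DEFAULT_PASSWORDS:
            issues.append("stock credential")
        elif not is_strong(row["password"], row["username"]):
            issues.append("weak password")
        last = row["last_rotated"].strip()
        if not last:
            issues.append("never rotated")
        elif (today - date.fromisoformat(last)).days > max_age_days:
            issues.append("rotation overdue")
        if issues:
            findings[row["asset"]] = issues
    return findings


if __name__ == "__main__":
    # Fixed reference date so the run is reproducible.
    for asset, issues in audit_inventory(INVENTORY_CSV, date(2024, 6, 1)).items():
        print(f"{asset}: {', '.join(issues)}")
```

Run against a real export, the script's output is the work queue for "change any stock credentials, no exceptions": stock-credential findings go first, then weak and overdue ones. Plaintext passwords should never live in a spreadsheet; in practice the policy check runs where the credential is set (the vault or the device itself) and the audit consumes only metadata such as rotation dates and a stock-credential flag.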