Earlier this month, an underground forum released the code for the Mirai malware, which lets attackers hijack the thousands (and counting) of Internet of Things devices that are used to carry out distributed denial-of-service attacks.
Panic ensued.
Of course it did. This hack means that everyone can now view the code that allowed someone using the name Anna-senpai to harness 380,000 bots via weak telnet connections. Let’s ignore for now that in 2016 there is absolutely no reason to have telnet on any IoT device.
That aside, much of the subsequent hand-wringing over default password damage control missed the one glaring thing that manufacturers, startups, and providers can do to prevent this sort of devastating vulnerability: Don’t use default usernames and passwords in the first place.
The most common reasons for using default usernames and passwords boil down into a few key arguments (when you leave out “we’ve always done it this way,” which I won’t even dignify with a response because I know if you’re reading this, that’s not an argument you care about).
Source: IoT Default Passwords: Just Don’t Do It | Dark Reading