Change Default Credentials on Network Devices
Ensure default accounts on network devices are changed or disabled for security.
Plain language
This control is about changing or removing default usernames and passwords on network devices like routers and switches. It's important because if you leave them as the default, hackers can easily break into your network since these credentials are often publicly known.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Enterprise mobility
Official control statement
Legal advice is sought prior to allowing privately-owned mobile devices and desktop computers to access systems or data.
Why it matters
Without seeking legal advice, allowing BYOD can expose sensitive data to unauthorised access and lead to regulatory non-compliance.
Operational notes
Document a BYOD approval workflow that requires recorded legal advice before privately-owned devices can access systems or data, with periodic review of that advice.
Implementation tips
- The IT team should identify all network devices such as routers, switches, and wireless access points. They should gather a list of these devices and the current default credentials that need changing.
- Network administrators need to change the default usernames and passwords on all network devices. This can be done by accessing each device's settings through a web interface or control panel, following the device manual to update login details.
- Managers should ensure that all IT staff are aware of the importance of not sharing these updated passwords. Hold a training session to explain the reasons for this control and instruct them to keep passwords secure and shared only on a need-to-know basis.
- The IT department should set a policy to regularly update all device passwords and to use strong, unique passwords. Use a password manager to help generate and store these securely.
- Procurement officers should include requirements in vendor contracts for new devices to not use default credentials. Specify that vendor-provided devices must have unique credentials or instructions for changing them upon setup.
Audit / evidence tips
- Ask for a list of all network devices currently in use: determine whether there is a record of all equipment with their current username and password settings.
  Good: includes a complete inventory with alteration history for login credentials.
- Good: would show timely and regular updates.
- Ask for a training attendance record: verify that IT staff received training on the handling of network device credentials.
  Good: will list participants and the topics covered relating to credential management.
- Good: includes a policy with specific, enforceable instructions.
- Ask for vendor agreements for new devices: review whether the agreements require devices to have unique credentials at delivery.
  Good: contains explicit contractual terms about credential management.
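The inventory and evidence checks described in the implementation and audit tips above can be automated. The following is an added example, not Control Stack or ISM material: it audits a constructed device inventory for enabled vendor-default accounts with no recorded credential change and for credentials older than an assumed rotation interval (365 days, a placeholder policy value), producing one finding per violation as audit evidence.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Account:
    username: str
    is_vendor_default: bool               # account existed when the device shipped
    disabled: bool = False
    last_changed: Optional[date] = None   # None = no recorded credential change

@dataclass
class Device:
    hostname: str
    accounts: List[Account] = field(default_factory=list)

def audit_device(dev: Device, today: date, max_age_days: int = 365) -> List[str]:
    """Return one finding per violation; an empty list means the device passes.
    max_age_days is an assumed rotation interval, not a value from the ISM."""
    findings = []
    for acct in dev.accounts:
        if acct.disabled:
            continue  # a disabled default account satisfies the control
        if acct.last_changed is None:
            what = "factory default credential" if acct.is_vendor_default else "no recorded credential change"
            findings.append(f"{dev.hostname}: account '{acct.username}' has {what}")
        elif (age := (today - acct.last_changed).days) > max_age_days:
            findings.append(f"{dev.hostname}: account '{acct.username}' last changed {age} days ago (policy {max_age_days})")
    return findings

def audit_inventory(devices: List[Device], today: date) -> List[str]:
    """Run the check across the whole inventory and return all findings."""
    return [f for dev in devices for f in audit_device(dev, today)]

# Constructed sample inventory for this example, not real devices.
SAMPLE_INVENTORY = [
    Device("core-rtr-01", [Account("admin", True, last_changed=date(2025, 6, 1)),
                           Account("netops", False, last_changed=date(2025, 9, 15))]),
    Device("edge-sw-07", [Account("admin", True)]),               # never changed: fails
    Device("wap-03", [Account("admin", True, disabled=True),      # disabled: acceptable
                      Account("netops", False, last_changed=date(2024, 12, 1))]),  # overdue
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY, date(2026, 3, 19)):
        print(line)
```

Feeding the real inventory (with the change history the audit tips call for) into the same check gives both the "inventory with alteration history" and the "timely and regular updates" evidence in one report.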
Cross-framework mappings
How ISM-1297 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.20 | ISM-1297 requires organisations to change or disable default accounts on network devices to reduce the risk of unauthorised access using ... | |
| Supports (3) | | |
| Annex A 8.2 | ISM-1297 requires organisations to change or disable default accounts on network devices so privileged or built-in access cannot be obtai... | |
| Annex A 8.21 | ISM-1297 requires organisations to change or disable default accounts on network devices to prevent straightforward compromise via known ... | |
| Annex A 8.32 | ISM-1297 requires organisations to change or disable default accounts on network devices, which is a common configuration change that mus... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.