Secure Network Devices by Changing Default Credentials
During setup, change or remove default login details for network devices to enhance security.
Plain language
Changing the default username and password on network devices, like routers or modems, is crucial to prevent unauthorised access to your network. If someone with bad intentions finds out these default settings, they could easily get into your system, interfere with operations, or steal sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
Default user accounts or credentials for network devices, including for any pre-configured user accounts, are changed, disabled or removed during initial setup.
Why it matters
If default device accounts are left unchanged, attackers can log in using known defaults and take control of routers/switches, enabling network compromise and data loss.
Operational notes
During initial setup, change or disable all default and pre-configured accounts on network devices; periodically verify configs and review logs for repeated failed/default-credential attempts.
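The two checks described in the operational notes can be automated. The following is an added example written for this page; it is not code from Control Stack or the ASD ISM, and the account-export format, log format, device names and default account list it uses are all constructed for the example. The first function flags default accounts that are still present and enabled in a device's local user export, the second counts repeated failed logins against default account names in authentication logs.

```python
"""ISM-1304 helper: audit default accounts and detect default-credential attempts.

Example code for this control page (constructed data, invented formats).
"""
import re
from collections import Counter

# Constructed set of account names that vendors commonly pre-configure.
# This is an assumption for the example, not a vendor-specific list.
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "guest"}

# Constructed export of local accounts per device. The line format
# "user <name> status=<enabled|disabled> password_changed=<yes|no>"
# is invented for this example and is not any vendor's real syntax.
SAMPLE_ACCOUNT_EXPORT = {
    "rtr-edge-01": [
        "user admin status=enabled password_changed=no",
        "user netops status=enabled password_changed=yes",
    ],
    "sw-core-01": [
        "user admin status=disabled password_changed=no",
        "user guest status=enabled password_changed=yes",
        "user netops status=enabled password_changed=yes",
    ],
}

ACCOUNT_RE = re.compile(
    r"^user (?P<name>\S+) status=(?P<status>enabled|disabled) "
    r"password_changed=(?P<changed>yes|no)$"
)


def audit_default_accounts(export):
    """Return (severity, device, account) for each enabled default account.

    Enabled with the factory password -> HIGH. Enabled but re-passworded ->
    MEDIUM (the control still prefers disabling or removing it). Disabled
    accounts and non-default accounts produce no finding.
    """
    findings = []
    for device, lines in export.items():
        for line in lines:
            m = ACCOUNT_RE.match(line)
            if not m or m["name"].lower() not in DEFAULT_ACCOUNT_NAMES:
                continue
            if m["status"] == "disabled":
                continue
            severity = "HIGH" if m["changed"] == "no" else "MEDIUM"
            findings.append((severity, device, m["name"]))
    return findings


# Constructed authentication log lines in an invented syslog-like format.
SAMPLE_AUTH_LOG = """\
2026-03-19T08:00:01Z rtr-edge-01 auth: login failed user=admin src=198.51.100.7
2026-03-19T08:00:03Z rtr-edge-01 auth: login failed user=admin src=198.51.100.7
2026-03-19T08:00:05Z rtr-edge-01 auth: login failed user=admin src=198.51.100.7
2026-03-19T08:00:09Z rtr-edge-01 auth: login failed user=root src=198.51.100.7
2026-03-19T08:01:00Z sw-core-01 auth: login ok user=netops src=10.10.0.21
2026-03-19T08:02:10Z sw-core-01 auth: login failed user=netops src=10.10.0.21
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_default_credential_attempts(log_text, threshold=3):
    """Count failed logins against default account names per (device, source).

    Returns {(device, src): count} for pairs at or above the threshold.
    Failures against non-default names are ignored here; they belong to a
    general brute-force rule rather than to this control.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "failed":
            continue
        if m["user"].lower() in DEFAULT_ACCOUNT_NAMES:
            counts[(m["device"], m["src"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for severity, device, account in audit_default_accounts(SAMPLE_ACCOUNT_EXPORT):
        print(f"[{severity}] {device}: default account '{account}' is still enabled")
    for (device, src), n in detect_default_credential_attempts(SAMPLE_AUTH_LOG).items():
        print(f"[ALERT] {device}: {n} failed logins with default account names from {src}")
```

In practice the account export would come from each device's configuration backup and the log text from the central syslog collector; the parsing regexes are the only part that needs adapting to a real vendor format. Keeping the findings as structured tuples rather than printed strings lets the same functions feed a ticketing system or a periodic compliance report, which is the evidence the audit section below asks for.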
Implementation tips
- The IT team should create a checklist for setting up new network devices that includes changing default usernames and passwords. They can do this by consulting the device manuals for default login details and ensuring these are changed to unique, strong credentials immediately during setup.
- Managers should ensure that the IT team regularly reviews and documents the credentials of all network devices. This can be done by logging the last updated passwords and checking them every few months to make sure they're still secure.
- Procurement officers should only buy network equipment that includes instructions for changing default credentials. Before purchasing, they can ask suppliers to confirm that easy-to-follow steps are provided for securing the devices.
- The system owner should arrange for periodic training sessions for staff who handle network equipment. These sessions should cover the importance of changing default settings and provide step-by-step guidance on how to manage device security correctly.
- Office managers should coordinate with IT to ensure that any devices brought into the office have their default settings changed before being used. They can maintain a log of network devices with dates of when default credentials were updated.
Audit / evidence tips
- Ask for: the network device configuration policy document. Request evidence of an official policy that mandates changing default credentials during setup.
  Good evidence: includes clear instructions along with recorded dates and responsible staff.
- Ask for: logs or reports showing initial setup records of network devices. Check if the logs indicate when and by whom default credentials were changed.
  Good evidence: includes detailed logs showing changes from default to secure credentials for each device.
- Ask for: a list of network devices in use. Request a list showing all active network devices in the organisation.
- Ask for: training records on security practices for IT staff. Request to see records of training sessions relating to device security.
- Ask for: evidence of procurement requirements for network devices. Confirm with procurement policies or checklists that stipulate the need for changing default credentials.
  Good evidence: policies or checklists that specifically require suppliers to provide security guidance.
Cross-framework mappings
How ISM-1304 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.9 | ISM-1304 demands that default accounts or credentials on network devices be changed, disabled, or removed at initial setup | |
| Annex A 8.20 | ISM-1304 requires default user accounts or credentials on network devices (including pre-configured accounts) to be changed, disabled or ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.