Lesson 5.3 — Default and guessable passwords: changing unsafe credentials without storing secrets
This lesson helps the learner identify and change default or guessable account passwords across in-scope devices, network equipment, servers, cloud services and applications.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- identify systems where default or guessable passwords may exist
- confirm that unsafe credentials have been changed
- record evidence safely without writing down passwords
- create a gap list for any unknown, weak or supplier-managed credentials.
Why This Matters
This lesson explains why default credentials are dangerous, what makes a password guessable, how to evidence password changes without storing secrets, and how to carry password-policy issues into the later password-based authentication and user access control lessons.
The Core Rule
Cyber Essentials expects organisations to change default or guessable account passwords.
A default password is one supplied with a device, service or account before the organisation sets its own secure credential.
What the CE Assessor Looks For
A strong position shows:
- no default passwords remain on in-scope accounts;
- no guessable passwords are knowingly used;
- router and firewall credentials are changed and controlled;
- local admin passwords are unique or otherwise securely managed;
- supplier setup passwords are changed after handover;
- temporary passwords are changed at first use.
Common Mistakes
- assuming default passwords were changed;
- changing defaults to weak passwords;
- using company name plus year;
- using seasonal passwords;
- reusing the same password across devices;
- using the IT provider’s standard password across customers.
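The patterns in the list above (factory defaults, company name plus year, seasonal words, reuse) can be checked mechanically at the moment a replacement password is set, and the result can go into the workbook without the password itself ever being written down. The following is an added example for this lesson and is not part of the course materials or the Cyber Essentials scheme: the default-password list, seasonal word list, the 8-character threshold, the organisation name "Acme Ltd" and the sample assets are all constructed assumptions. It flags guessable patterns, builds an evidence record that holds only the verdict, and derives the gap list of credentials still needing follow-up.

```python
"""Guessable-password check and a secret-free evidence record.

Added example for this lesson, not part of the course materials.
The default-password list, seasonal words, organisation name and
sample assets below are constructed sample data (assumptions).
"""
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed sample list of widely seen factory defaults (assumption);
# in practice build it from the manuals of the devices in your asset register.
KNOWN_DEFAULTS = ("password", "passw0rd", "admin", "1234", "12345678",
                  "changeme", "default", "letmein")

# Season and month names; "may" is left out because it appears in ordinary words.
SEASONAL_WORDS = ("spring", "summer", "autumn", "fall", "winter",
                  "january", "february", "march", "april", "june", "july",
                  "august", "september", "october", "november", "december")

# Symbol-for-letter swaps that do not make a word any harder to guess.
_LEET = str.maketrans("@$0135", "asoies")

STATUSES = ("changed", "unknown", "supplier-managed")


def _alnum(text: str) -> str:
    """Keep only lower-case letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text)


def guessable_reasons(password: str, org_name: str,
                      today: Optional[date] = None) -> List[str]:
    """Return why a password is guessable; an empty list means no pattern matched.

    The check is deliberately greedy: a false alarm costs one more password
    change, a miss leaves a guessable credential in place.
    """
    today = today or date.today()
    low = password.lower()
    plain = _alnum(low)                      # keeps digits intact, for year checks
    words = _alnum(low.translate(_LEET))     # "P@ssw0rd" -> "password"
    reasons: List[str] = []

    if any(plain.startswith(d) or words.startswith(d) for d in KNOWN_DEFAULTS):
        reasons.append("matches a known default password")

    # Any word of four or more characters from the organisation name
    # ("Acme" from "Acme Ltd") counts as the company name.
    org_tokens = [t for t in re.findall(r"[a-z0-9]+", org_name.lower()) if len(t) >= 4]
    if any(t in plain or t in words for t in org_tokens):
        reasons.append("contains the organisation name")

    years = {str(today.year + delta) for delta in (-1, 0, 1)}
    if any(y in plain for y in years):
        reasons.append("contains the current or an adjacent year")

    if any(w in words for w in SEASONAL_WORDS):
        reasons.append("contains a season or month name")

    if len(password) < 8:  # threshold chosen for this example, not a scheme figure
        reasons.append("fewer than 8 characters")
    return reasons


def evidence_record(asset: str, account: str, status: str, checked_by: str,
                    org_name: str, new_password: Optional[str] = None,
                    today: Optional[date] = None) -> Dict[str, object]:
    """Build a workbook entry that shows the check was done but holds no secret.

    The new password is examined in memory only; the record stores the verdict,
    never the password itself.
    """
    if status not in STATUSES:
        raise ValueError(f"status must be one of {STATUSES}")
    today = today or date.today()
    reasons = guessable_reasons(new_password, org_name, today) if new_password else []
    return {
        "asset": asset,
        "account": account,
        "status": status,                    # changed / unknown / supplier-managed
        "date": today.isoformat(),
        "checked_by": checked_by,
        "guessable_check": ("fail" if reasons else "pass") if new_password else "not checked",
        "reasons": reasons,
        # follow-up is needed for anything not confirmed changed, or still guessable
        "needs_follow_up": status != "changed" or bool(reasons),
    }


def gap_list(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The gap list from the lesson: every record that still needs follow-up."""
    return [r for r in records if r["needs_follow_up"]]


if __name__ == "__main__":
    review_date = date(2024, 6, 1)          # constructed review date
    org = "Acme Ltd"                        # constructed organisation name
    records = [
        evidence_record("office router", "admin", "changed", "J. Smith", org,
                        new_password="Acme2024!", today=review_date),
        evidence_record("file server", "localadmin", "changed", "J. Smith", org,
                        new_password="correct-horse-battery-staple", today=review_date),
        evidence_record("MFP printer", "admin", "supplier-managed", "J. Smith", org,
                        today=review_date),
    ]
    for r in records:
        print(r)
    print("gap list:", [r["asset"] for r in gap_list(records)])
```

The record deliberately has no password field at all, so the same structure can be pasted into the workbook or evidence pack; an entry whose status is anything other than "changed", or whose check failed, lands on the gap list for the follow-up the lesson asks for.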
Copy This
Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] What does Cyber Essentials require for default or guessable passwords?
- [ ] Why are default passwords dangerous?
- [ ] Is a password still risky if it is not a factory default but follows an obvious pattern?
- [ ] Give three examples of guessable passwords.
- [ ] Should actual passwords be recorded in the workbook or evidence pack?
Your Action
Do this now — it takes 10–20 minutes.
Check for default or guessable passwords on your systems and devices. Record your findings and any changes made in Section SC.
Key Takeaway
Record that unsafe passwords have been changed and controlled, without writing down the passwords themselves.
Your Workbook Activity
Complete: Default and guessable password review record
Next Lesson
In the next lesson: Unnecessary software, services and system utilities: reducing attack surface