In 2025, attackers no longer need zero-day exploits. They don’t need insider access. All they need is a device still running with its factory-set credentials. Default usernames and passwords remain one of the most common and preventable ways to gain access to enterprise networks.
But forward-thinking organizations are proving they don’t have to be a statistic. They are showing that default credentials, once considered an unavoidable risk, can now be eliminated at scale with the right approach.
Attackers are No Longer Breaking In. They’re Logging In.
For decades, enterprises have treated xIoT devices differently from IT assets. Printers, cameras, HVAC systems, medical devices, and kiosks often ship with default credentials that are rarely changed. IT teams lacked the tools to track, update, and rotate them, leaving attackers with an easy way in.
Recent events prove just how dangerous this blind spot can be.
689 Brother printer models were discovered to have critical vulnerabilities linked to default passwords.
Russian or Russian-linked attackers opened the floodgate on a dam in Norway after leveraging a default password on an OT system, highlighting the national security-level stakes of leaving systems exposed.
As Phosphorus president Sonu Shankar noted in coverage of the incident, “Too many of these [devices] run outdated firmware, are active with default passwords, or expose remote network services such as Telnet/SSH,” he says. “That’s a far lower bar than attempting to compromise a well‑defended IT asset.”
xIoT Security Hygiene That Matches IT Security Hygiene
The organizations Phosphorus works with are rewriting this story. They’ve recognized that xIoT security hygiene must match IT hygiene, and they’re proving it can be done.
Here’s how customers are protecting themselves:
- Finding what others miss. With Intelligent Active Discovery, they can safely uncover every xIoT device on their networks. No more shadow assets leaving their organizations exposed to attack.
- Identifying weak credentials. Default or shared passwords are surfaced in minutes, giving teams immediate visibility into their risk.
- Rotating credentials on a schedule. Instead of one-time password changes, customers automate ongoing rotations to ensure credentials never go stale.
- Monitoring for drift. Device posture inevitably changes, passwords get reset (either maliciously or through device resets), vulnerabilities are discovered in firmware, newer firmware becomes available, and certificates expire. Customers continuously monitor for this “drift” and remediate it before attackers can exploit it.
- Hardening at scale. Whether it’s 300 HVAC controllers, 30,000 printers, or 300,000 IP cameras, customers can apply consistent password and configuration policies across the fleet.
- Working with existing PAMs. Phosphorus integrates with customers’ Privileged Access Management systems. This means xIoT passwords are not only rotated and secured but also stored, governed, and audited alongside IT credentials, extending PAM best practices to every connected device.
Customers Refusing to Be a Statistic
Global hospitality leaders have locked down “promiscuous” printers that were once targeted by ransomware. Healthcare providers have eliminated weak credentials on life-critical infusion pumps. Data center operators with tens of thousands of devices are now utilizing automated credential management to ensure compliance and reduce risk.
These customers are not waiting to see their names in headlines. They’re proving that default credentials no longer need to be an unfixable problem.
Default Credentials Are No Longer an Excuse
In the past, enterprises lacked the technology to remediate xIoT credentials at scale. That barrier is gone. Phosphorus delivers automated discovery and assessment, device remediation, and continuous monitoring. Best of all, it does so safely, precisely, and deploys in hours, not months or years, unlike legacy approaches that require expensive hardware, taps, or span ports.
Today, our customers aren’t just securing devices. They’re building resilience, protecting operations, and setting a new standard for xIoT security hygiene.
They’ve made their choice: they won’t be a statistic. Will you?
Learn how to join them at phosphorus.io.
Related Posts
You discovered a lot of xIoT devices! 6.8 Billion IP addresses scanned on behalf...
CISA’s latest joint advisory exposes a trend security teams have long suspected: pro-Russian hacktivist...
