Most common passwords: how weak credentials still power the biggest IoT hacks

Weak or default passwords remain the biggest vulnerability in IoT devices, enabling large-scale cyber attacks.

When we picture cyber security breaches, we often imagine shadowy hackers exploiting sophisticated zero-day vulnerabilities or deploying state-of-the-art malware. But in reality, the biggest weakness in the Internet of Things (IoT) remains something much simpler—and much more human: bad passwords.

From water treatment plants to home security cameras, billions of connected devices rely on passwords for protection. Unfortunately, many of those passwords are the digital equivalent of leaving the front door unlocked.

The dangers of weak IoT passwords are not new. The infamous Mirai botnet of 2016 made headlines for launching massive distributed denial-of-service (DDoS) attacks that temporarily crippled major internet platforms like Twitter, Netflix, and Reddit. The attackers didn’t need advanced exploits or insider access—they simply ran automated software that scanned the internet for vulnerable IoT devices using a hardcoded list of just 60 common usernames and passwords. That tiny list was enough to compromise hundreds of thousands of devices, from IP cameras to routers.

It was a similar story in November 2023, when the Municipal Water Authority of Aliquippa, near Pittsburgh, suffered a cyber attack that temporarily disrupted a water system. The attackers, reportedly targeting Israeli-made equipment, didn’t rely on advanced nation-state-level techniques. According to federal and state security officials, the entry point was likely a weak or default password left unchanged.

This breach highlights how critical infrastructure—systems we rely on daily for water, power, and transportation—can still be undone by something as trivial as an “admin123” password.

Mohammed Khalil, a Cyber Security Architect at DeepStrike specialising in advanced penetration testing and offensive security operations, believes this issue goes far deeper than simple user negligence. “The most unsettling aspect of the IoT threat landscape is that the vast majority of successful attacks do not rely on sophisticated, nation state-level capabilities or complex zero-day exploits,” he explains. “Instead, they prey on a handful of fundamental, systemic security failures that are baked into devices from the factory floor.”

Khalil argues that what we’re witnessing is not just a security lapse, but a market failure. “Ultimately, the IoT security crisis is not a technological failure but an economic one,” he says. “For years, manufacturers have been economically incentivised to prioritise speed to market and low production costs over robust security. Implementing features like encryption chips, unique credential generation, and secure update servers adds to the bill of materials and can delay product launches.”

“Because the manufacturer does not directly bear the cost when one of their devices is conscripted into a botnet, security has been treated as an externality. The collective cost of millions of insecure devices is borne by society at large—the victims of massive DDoS attacks or enterprise ransomware campaigns. This fundamental market failure is the true root cause of the problem and is precisely what new government regulations are now attempting to correct.”

The problem persists because IoT devices, by design, prioritise ease of use over security. Many ship with factory-default logins, and users rarely change them. Worse, some devices use the same password across all units—making them prime targets for automated attacks.

According to DeepStrike’s IoT Hacking Statistics 2025: The Definitive Report on Threats, Risks & Regulations, automated attacks against IoT devices now occur at an average rate of 820,000 attempts per day. These are not handcrafted cyberwarfare campaigns—they’re automated “brute force” attacks that test common username-password combinations until they gain access.
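The brute-force attacks described above leave a recognisable trace: a burst of failed logins from one source against one device, often followed by a success once a default credential matches. The following detector is an added example written for this article, not code from DeepStrike or any device vendor; the log format, the device names, the source addresses and the threshold of five failures in sixty seconds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real device): a burst of
# failed logins against cam-01 from one source, followed by a success, plus
# benign noise from router-01.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z cam-01 auth: login FAILED user=admin src=203.0.113.5
2025-03-01T10:00:02Z cam-01 auth: login FAILED user=admin src=203.0.113.5
2025-03-01T10:00:03Z cam-01 auth: login FAILED user=root src=203.0.113.5
2025-03-01T10:00:04Z cam-01 auth: login FAILED user=admin src=203.0.113.5
2025-03-01T10:00:05Z cam-01 auth: login FAILED user=support src=203.0.113.5
2025-03-01T10:00:06Z cam-01 auth: login OK user=admin src=203.0.113.5
2025-03-01T10:00:10Z router-01 auth: login FAILED user=admin src=198.51.100.7
2025-03-01T10:05:00Z router-01 auth: login OK user=admin src=192.0.2.10
"""

# Assumed line format; adapt the pattern to whatever the device actually emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: login (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts with datetime timestamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, device, src) tuples.

    'bruteforce'  - a source has reached `threshold` failures against one
                    device inside the sliding `window`.
    'compromise'  - a source already flagged for brute force then logs in
                    successfully, i.e. a guessed credential worked.
    """
    failures = defaultdict(list)  # (device, src) -> recent failure timestamps
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["device"], ev["src"])
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            # keep only failures that still fall inside the window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(failures[key]) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", ev["device"], ev["src"]))
        elif key in flagged:
            alerts.append(("compromise", ev["device"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The second alert type is the one worth paging on: a success from a source that was just brute-forcing is strong evidence that a default or weak password was in use, and the device should be treated as compromised rather than merely probed.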

Verizon’s Data Breach Investigations Report reinforces this picture: 70% of data breaches stem from weak or easily guessable passwords. The simplicity of these attacks makes them cheap, scalable, and devastatingly effective.

The same report notes that while credential abuse remains the top method of attack, vulnerability exploitation is closing the gap fast. In 2025, attacks targeting edge devices and VPNs rose to 22%, up nearly eightfold from the previous year. Even when vulnerabilities were discovered, only about 54% were fully patched, taking a median of 32 days to fix—ample time for attackers to strike.

Data from Nozomi Networks’ 2025 telemetry echoes these findings: 7.36% of detected IoT and OT attacks involve brute-force attempts, and 5.27% exploit default credentials to move deeper into networks. Once an attacker gains access to a single device—a smart thermostat, security camera, or industrial controller—they can pivot through internal systems and cause cascading damage.

In industrial environments, that might mean compromising SCADA systems or halting production lines. In consumer settings, it could mean hijacking smart speakers, baby monitors, or even home locks. The potential consequences range from privacy invasions to full-scale operational disruptions.

Recognising that the market has failed to fix the problem, governments are stepping in. The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which came into full effect on April 29, 2024, explicitly bans the sale of devices with universal or easily guessable default passwords such as “12345” or “admin.” It marks a turning point in IoT regulation by holding manufacturers legally accountable for baseline security standards. Other countries and several US states are now following suit.

Still, regulation can only go so far. Millions of legacy devices remain online, vulnerable, and unpatched. Responsibility ultimately lies with both manufacturers and users to secure their devices and networks.

Five Steps to Strengthen IoT Security

The good news is that most IoT breaches can be prevented with a few simple measures. Whether managing an industrial system or a home network, these five steps dramatically reduce exposure:

  1. Change Default Passwords Immediately
    Replace factory-set passwords with strong, unique credentials as soon as the device is deployed.
  2. Use Strong, Unique Credentials
    Avoid reusing passwords across multiple devices or accounts. Use a password manager to generate and store them securely.
  3. Enable Multi-Factor Authentication (MFA)
    Where supported, turn on MFA to add an extra layer of defense beyond passwords.
  4. Segment Your Network
    Place IoT devices on a separate Wi-Fi network or VLAN to prevent attackers from moving laterally into sensitive systems.
  5. Consider Passwordless Options
    Adopt emerging standards like FIDO2/WebAuthn, which use device-bound credentials that can’t be phished or reused.
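Steps 1 to 4 above can be checked mechanically against a device inventory. The audit below is an added example written for this article, not a tool from DeepStrike or any manufacturer; the inventory, the trusted-VLAN set and the twelve-character minimum are constructed assumptions, and the denylist contains only the weak defaults the article itself names plus a few obvious variants.

```python
from collections import Counter

# Defaults named in the article ("admin", "12345", "admin123") plus common
# variants; a real deployment would use a much larger published list.
DEFAULT_PASSWORDS = {"admin", "12345", "admin123", "password", "1234", "root", "123456"}
MIN_LENGTH = 12

# Constructed inventory for illustration; none of these are real devices.
INVENTORY = [
    {"name": "cam-01", "vlan": "corp", "password": "admin",
     "mfa_supported": False, "mfa_enabled": False},
    {"name": "cam-02", "vlan": "iot", "password": "Xk9#mTq2!vL8wR",
     "mfa_supported": False, "mfa_enabled": False},
    {"name": "plc-07", "vlan": "ot", "password": "Xk9#mTq2!vL8wR",
     "mfa_supported": True, "mfa_enabled": False},
    {"name": "nvr-01", "vlan": "iot", "password": "Q4z!pN7s@Hb2eY",
     "mfa_supported": True, "mfa_enabled": True},
]

# Networks that should never carry IoT devices (assumed naming).
TRUSTED_VLANS = {"corp"}


def audit(inventory, trusted_vlans=TRUSTED_VLANS):
    """Return (device, finding) pairs for each violation of steps 1-4."""
    findings = []
    # Step 2: a password used by more than one device counts as reused.
    usage = Counter(d["password"] for d in inventory)
    for d in inventory:
        pw = d["password"]
        # Step 1: factory defaults and trivially short passwords.
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append((d["name"], "default-password"))
        elif len(pw) < MIN_LENGTH:
            findings.append((d["name"], "short-password"))
        if usage[pw] > 1:
            findings.append((d["name"], "reused-password"))
        # Step 3: MFA available but switched off.
        if d["mfa_supported"] and not d["mfa_enabled"]:
            findings.append((d["name"], "mfa-disabled"))
        # Step 4: IoT device sitting on a trusted network segment.
        if d["vlan"] in trusted_vlans:
            findings.append((d["name"], "unsegmented"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device}: {finding}")
```

Run against the constructed inventory, the audit flags cam-01 for both its default password and its placement on the corporate VLAN, reports the shared password on cam-02 and plc-07, and notes that plc-07 supports MFA but has it disabled; nvr-01 passes cleanly. Step 5 is not checked here because whether a given device supports FIDO2/WebAuthn is a property of its firmware rather than its configuration.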

As IoT adoption continues to accelerate—connecting everything from smart fridges to power grids—the risks posed by weak passwords grow exponentially. Attackers don’t need to outsmart encryption or bypass firewalls; they just need one device left on “admin.”

While the industry is shifting towards stronger defaults and passwordless authentication, the weakest link remains human complacency. The future of IoT security will depend not only on technology and regulation but on awareness and collective action to close the digital door that Mirai opened nearly a decade ago.
