Password-based authentication

Password-based authentication is the most widely used proof of identity for people interacting with a device or a system. It belongs to the "something I know" bucket shown in Figure 3.2, and it allows multiple levels of account privilege to be managed. In addition to client-server applications, passwords are also used as secrets for securing access to operating system resources.

Many consumer and industrial IoT products manufactured today ship with factory default passwords. Default passwords are usually easy-to-guess phrases (such as password123) and are meant to be replaced by stronger passwords once the device has been deployed. Historically, these default passwords have often given device owners and administrators a false sense of security, so that they never replace the factory default password.

Most security breaches in which compromised IoT devices are used as attack vectors trace back to default password exploits. Some security experts are of the opinion that, from a security perspective, it may serve the world well if manufacturers discontinued the practice of providing default passwords, thereby obliging administrators to provision new passwords.

Some of the IoT messaging and communication protocols have built-in support for password-based authentication. MQTT, a publish/subscribe messaging protocol designed mainly for scalable IoT infrastructures, has username/password fields in its CONNECT message (OASIS-OPEN). MQTT carries these fields in plaintext, so TLS must be used in conjunction with it to protect them cryptographically.

However, password-based authentication was never designed for the M2M world and, as such, this method presents multiple challenges for IIoT deployments. Some of the concerns are as follows:

  • Scalability: Provisioning and managing usernames and passwords for a very large number of devices is a practical hurdle—both in terms of effort and accuracy.
  • Managing passwords: It is hard to automate the initial deployment and periodic password updates in highly scaled use cases.
  • Secured storage: Securely storing the passwords as secrets on the device is not easy, and a poorly protected secret store gives an intruder a way in.
  • Defaulter syndrome: When the barriers are high, operators rely on default options and do not bother to override the factory default passwords. The rise of IoT botnets demonstrates the consequences of leaving default passwords in place.

In some small-scale and less vulnerable deployments, password-based authentication may still be applicable. If used, the following precautions are recommended:

  • Implement password rotation policies in 30- or 40-day cycles for each device. Consider augmenting these policies with an alert mechanism that automatically prompts administrators when password updates for a group of devices are due.
  • Establish event logging to monitor device account activity.
  • Create privileged accounts to support administrative access to IoT devices.
  • Segregate the password-protected IoT devices onto less trusted networks.
  • Create a policy that disallows default passwords and enforces password strength requirements.
  • Ensure password encryption is implemented in the transport layer.
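As an added example (not code from the book), the following Python decodes an MQTT 3.1.1 CONNECT packet, showing how the username and password fields discussed above sit in the clear on the wire, and applies two of the recommended checks: credentials must not travel without TLS, and the password must not be a factory default. The packet bytes and the default-password list are constructed for illustration.

```python
import struct
# Constructed list of factory-default passwords; only password123 comes from the text.
WEAK_DEFAULTS = {b"password123", b"admin", b"password", b"12345678"}
# Constructed capture (not from a real device): CONNECT for client "sensor-01", user "admin", password "password123".
SAMPLE_CONNECT = (b"\x10\x29\x00\x04MQTT\x04\xc2\x00\x3c"
                  b"\x00\x09sensor-01\x00\x05admin\x00\x0bpassword123")

def _read_varint(buf, pos):
    """Decode MQTT's 'remaining length' field (1 to 4 bytes, 7 bits each, MSB = continue)."""
    value, multiplier = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128

def _read_field(buf, pos):
    """Read a 2-byte big-endian length-prefixed field (UTF-8 string or binary data)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_connect(packet):
    """Return client id, username and password exactly as they appear on the wire."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    _, pos = _read_varint(packet, 1)
    _, pos = _read_field(packet, pos)            # protocol name, b"MQTT"
    flags = packet[pos + 1]                      # connect flags follow the protocol level byte
    pos += 4                                     # level (1) + flags (1) + keep-alive (2)
    client_id, pos = _read_field(packet, pos)
    if flags & 0x04:                             # Will Flag: skip will topic and will message
        _, pos = _read_field(packet, pos)
        _, pos = _read_field(packet, pos)
    username = password = None
    if flags & 0x80:                             # User Name Flag
        username, pos = _read_field(packet, pos)
    if flags & 0x40:                             # Password Flag
        password, pos = _read_field(packet, pos)
    return {"client_id": client_id, "username": username, "password": password}

def audit_connect(packet, over_tls=False):
    """Report the two weaknesses the text discusses: plaintext transport and default passwords."""
    info = parse_connect(packet)
    findings = []
    if info["password"] is not None and not over_tls:
        findings.append("credentials readable in plaintext: CONNECT sent without TLS")
    if info["password"] in WEAK_DEFAULTS:
        findings.append("factory-default or trivially guessable password in use")
    return info, findings
```

Running `audit_connect(SAMPLE_CONNECT)` recovers `admin` / `password123` directly from the bytes and reports both findings; passing `over_tls=True` clears only the transport finding, since TLS does nothing about a default password.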