Weak Passwords in xIoT Devices Pose Critical Risks

On World Password Day, Osama Alzoubi, VP at Phosphorus Cybersecurity, warns that weak xIoT passwords pose serious industry-wide risks. Phosphorus automates credential management to secure devices, reduce risk, and ensure compliance.

In today’s hyperconnected xIoT landscape, how do weak or default passwords increase the risk exposure across industrial and enterprise environments?
In many industries, weak or default passwords make it easier for hackers to gain unauthorised access to connected devices, such as cameras and sensors. These devices often run on outdated software and use factory-set passwords, which leaves them vulnerable to attacks. Hackers use this to spread ransomware or get into important systems without being detected. In many places, hacking a simple device can cause more significant problems, such as preventing power from being restored after an outage. Studies show that around 50% to 80% of companies still use devices with default passwords, particularly in the healthcare and finance sectors. Addressing these weak spots is crucial to safeguarding critical services.

Across industries, approximately 75% of connected devices are configured with default passwords. Many also have unsafe settings, such as Telnet being turned on. These problems pose significant risks that must be addressed, especially since many devices are essential to daily operations. Updating device settings and passwords safely and efficiently is necessary to maintain good security practices.

What unique password-related security challenges do xIoT devices present compared to traditional IT assets?
xIoT devices like IoT, OT, IIoT, and IoMT usually come with weak passwords and outdated software. Unlike regular computers or servers, these devices often cannot be updated or patched automatically because they are sensitive and critical. Fixing their weaknesses manually is slow and difficult. On average, it takes more than 100 hours to update just one type of xIoT device. This makes them much harder to protect than traditional IT systems.

How can organisations identify and manage password vulnerabilities across thousands of unmanaged or legacy xIoT devices?
Organisations can identify and manage password vulnerabilities across thousands of unmanaged or legacy xIoT devices by using automated platforms that deliver complete visibility without relying on agent-based deployment. Solutions like Phosphorus’s xIoT Security Management Platform automatically detect weak or default credentials across diverse device types. The platform can scale to rotate passwords across multi-vendor environments and integrates seamlessly with security tools like CyberArk. It also fits into zero-trust architectures by enforcing strong credential hygiene without disrupting device operations, dramatically reducing manual overhead and improving response times.

What role does automated password rotation and credential management play in reducing the attack surface in xIoT ecosystems?
Weak and unchanged passwords are still the easiest way for attackers to break into connected devices. Automated password management solves this by regularly finding devices, setting strong passwords, and syncing them with security systems. Tools like the Phosphorus solution can mitigate the challenge of stolen passwords by rotating these passwords across millions of devices within minutes, not months. They also ensure compliance and alleviate the heavy burden of manually managing passwords, thereby enhancing the protection of these systems.

From a security strategy standpoint, how should businesses prioritise password hygiene as part of a broader xIoT risk management framework?
Businesses should treat password hygiene as a Tier-1 control under the NIST Cybersecurity Framework’s “Identify” and “Protect” functions. Start with full device discovery, then eliminate default credentials and enforce unique, strong passwords through automated rotation that syncs with PAM tools. Research shows that default or weak passwords drive most IoT/OT compromises, especially in critical infrastructure.

Automation slashes manual effort, keeps pace with 60B+ devices, and aligns with NIST SP 800-213 guidance. Track the percentage of devices under managed rotation as a metric, and audit regularly to prove compliance and reduce risk.
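The discovery, default-credential elimination, rotation and coverage-tracking steps described in this answer, as an added example that is not part of the interview and is not Phosphorus product code. It assumes a constructed device inventory (as an agentless discovery scan might return it), a small made-up default-credential list, Telnet and FTP as the unsafe services, and a 90-day rotation policy; rotation here only updates the local record, where a real deployment would push the new secret to the device through its vendor API and store it in the PAM vault.

```python
"""Audit a constructed xIoT inventory for default or weak credentials, unsafe
services and overdue rotation, rotate what fails, and report rotation coverage.
Illustration only; the inventory and the default-credential list are made up."""
import secrets
import string
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)

# Constructed (username, password) pairs standing in for a vendor default list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}

# Services treated as unsafe when exposed on a device (assumption for the example).
UNSAFE_SERVICES = ("telnet", "ftp")


def sample_inventory():
    """Constructed sample of what an agentless discovery scan might return."""
    return [
        {"id": "cam-01", "type": "camera", "username": "admin", "password": "admin",
         "services": ["http", "telnet"], "last_rotated": None},
        {"id": "plc-07", "type": "plc", "username": "root", "password": "root",
         "services": ["modbus", "ssh"], "last_rotated": None},
        {"id": "sensor-3", "type": "sensor", "username": "ops", "password": "Kq7#vL2$pZ9!wM4e",
         "services": ["https"], "last_rotated": NOW - timedelta(days=20)},
        {"id": "hvac-2", "type": "hvac", "username": "admin", "password": "Summer2024",
         "services": ["http"], "last_rotated": NOW - timedelta(days=200)},
    ]


def uses_default_credentials(device):
    return (device["username"], device["password"]) in DEFAULT_CREDENTIALS


def is_weak_password(password, min_length=12):
    """Weak if shorter than min_length or using fewer than three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) < min_length or sum(classes) < 3


def rotation_overdue(device, now=NOW, max_age_days=90):
    last = device["last_rotated"]
    return last is None or now - last > timedelta(days=max_age_days)


def generate_password(length=20):
    """Cryptographically random password with at least one character of each class.
    Some device firmware rejects certain punctuation; narrow the alphabet per vendor."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def audit(inventory, now=NOW, max_age_days=90):
    """Return {device id: [issue, ...]} for every device in the inventory."""
    findings = {}
    for d in inventory:
        issues = []
        if uses_default_credentials(d):
            issues.append("default-credential")
        elif is_weak_password(d["password"]):
            issues.append("weak-password")
        exposed = [s for s in d["services"] if s in UNSAFE_SERVICES]
        if exposed:
            issues.append("unsafe-service:" + ",".join(exposed))
        if rotation_overdue(d, now, max_age_days):
            issues.append("rotation-overdue")
        findings[d["id"]] = issues
    return findings


def rotation_coverage(inventory, now=NOW, max_age_days=90):
    """Percentage of devices rotated within the policy window: the metric to track."""
    managed = sum(1 for d in inventory if not rotation_overdue(d, now, max_age_days))
    return 100.0 * managed / len(inventory)


def remediate(inventory, now=NOW, max_age_days=90):
    """Rotate every device with default/weak credentials or an overdue rotation.
    Assumption: a real deployment pushes the new secret to the device and the PAM
    vault; here only the inventory record changes. Returns the rotated device ids."""
    rotated = []
    for d in inventory:
        issues = audit([d], now, max_age_days)[d["id"]]
        if any(i in ("default-credential", "weak-password", "rotation-overdue") for i in issues):
            d["password"] = generate_password()
            d["last_rotated"] = now
            rotated.append(d["id"])
    return rotated


if __name__ == "__main__":
    inv = sample_inventory()
    print("before:", audit(inv), f"coverage={rotation_coverage(inv):.0f}%")
    print("rotated:", remediate(inv))
    print("after: ", audit(inv), f"coverage={rotation_coverage(inv):.0f}%")
```

Note that an unsafe service such as Telnet is reported but not fixed by rotation; disabling it is a separate configuration change, which is why the camera still carries that finding after its password has been rotated.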

How are threat actors exploiting weak credentials in xIoT environments today, and what trends are you seeing in real-world attacks targeting these devices?
Companies should treat password management as a top priority under recognised security frameworks like NIST. First, they should find all connected devices, then rotate default passwords and enforce strong ones using automation linked to security policies. Research shows that weak passwords are a major cause of IoT and OT hacks, especially in critical sectors. Automation enables companies to manage millions of devices and comply with official guidelines. Tracking and auditing devices under password management is key to staying compliant and lowering risks.

How is Phosphorus Technologies helping organisations proactively address weak password risks and secure their xIoT environments at scale?
Phosphorus offers a platform that helps companies find and secure devices with password management. Their system makes it easy to set and update strong passwords regularly. It also integrates with existing security systems to continuously monitor devices, helping companies reduce risks and stay secure.