Still using the default password on your office router? Cyber Essentials will catch it.

Cyber Essentials requires you to change every default password on every device, and assessors check this first — here's how to find what you missed.

A facilities manager at a 40-person law firm in Leeds applied for Cyber Essentials last year. The assessor asked for the admin login on the office Wi-Fi router. It was still admin / password, exactly as it shipped from the ISP three years earlier. Nobody had ever changed it, because nobody had ever been asked to. The assessment failed on the spot.

That's not a rare story. Default passwords on routers, printers, NAS drives, and old admin panels are one of the most common reasons UK small businesses fail their first Cyber Essentials attempt. The control isn't complicated, which is exactly why it gets overlooked. Nobody schedules time to go round every piece of hardware checking what password it shipped with.

Why default passwords matter for Cyber Essentials

Cyber Essentials, the UK government-backed certification scheme, includes a direct self-assessment question under its Secure Configuration control: have you changed all default passwords on all devices and software? This covers routers, switches, printers, IoT devices, server management interfaces, and any software that ships with a known factory login.

The risk isn't theoretical. Default credentials for almost every consumer and business router model are public, searchable, and used in automated scanning by attackers who aren't even targeting your business specifically. They're targeting anyone who hasn't changed the password yet. A business with ten internet-facing devices and one default login has ten doors, with one left wide open.

Assessors ask about this directly because it's checkable. Unlike some Cyber Essentials questions that rely on a written policy, this one has a definite right or wrong answer for every device you own.

The devices people forget to check

Most businesses remember to change the password on their main router. Where they fall down is everything else connected to the network. That includes guest Wi-Fi access points, office printers and scanners with their own web interface, network-attached storage units, IP cameras and door entry systems, and any old admin panel for software nobody uses any more but never decommissioned.

If your business has been operating for more than two or three years, there's a reasonable chance at least one of these still has its out-of-the-box login. Nobody checks the printer. Almost nobody checks the printer.

How to actually audit this before your assessment

Start with a physical inventory, not a network scan. Walk the office and list every device with a network connection and a login screen. For each one, try logging in with the manufacturer's default credentials, which are usually printed on a sticker on the device itself or listed in the manual. If the default login still works, change it immediately to a unique, randomly generated password stored in a password manager, not a sticky note on the monitor.

For everything externally facing, Olimpio's CE Readiness view pulls this together for you. It runs the automated checks a scan can pick up — exposed admin panels, weak configurations, missing headers — directly against the Cyber Essentials control structure, then asks you the handful of questions a scan can't answer on its own, including this exact one about default passwords. You tick yes or no as you go, and it builds a single list of what to fix before your assessor asks for it.

That self-assessment question matters because it's not something a scanner can verify externally. Whether your office Wi-Fi router still has its factory password isn't visible from outside your network, so this is one of the few Cyber Essentials checks that genuinely needs a human to confirm it, walking the office with a list.

What assessors actually check

A Cyber Essentials assessor doesn't take your word for it. They'll typically ask for evidence: a sample of devices and the process you used to confirm passwords were changed. Some assessors ask to see a password policy document. Others simply ask you to demonstrate changing a password on a sample device during the call.

Treat this as a checklist item with a paper trail, not a one-off task. Note the date you checked each device category, who did it, and what you changed. That record is what turns "we think we did this" into "here's the evidence."
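An added example, not code from the original post or from Olimpio's product: a small Python script that turns the walkthrough inventory from the audit section into the two outputs the procedure and the paper-trail advice above call for, a list of what still needs fixing and the dated, attributed record you can hand to an assessor, and generates a unique random replacement password for each device still on its factory login. The device rows, names and dates are constructed sample data.

```python
import csv
import io
import secrets
import string
from datetime import date

# Constructed sample walkthrough inventory (not real devices): one row per
# networked device with a login screen, as noted while walking the office.
INVENTORY_CSV = """device,location,default_login_works,last_checked,checked_by
Office router,Comms cupboard,no,2024-03-01,J. Smith
Guest Wi-Fi AP,Reception,yes,2024-03-01,J. Smith
Printer (web interface),2nd floor,unknown,,
NAS,Comms cupboard,no,2022-11-15,A. Jones
Door entry controller,Front door,yes,2024-03-01,J. Smith
"""
ALPHABET = string.ascii_letters + string.digits

def new_device_password(length=20):
    """Unique random replacement for a factory login; store it in the password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit(csv_text, today, max_age_days=365):
    """Return (actions, evidence): devices still needing work before the
    assessment, and rows whose recent 'default changed' check is the paper trail."""
    actions, evidence = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["device"]
        status = row["default_login_works"].strip().lower()
        if status == "yes":
            actions.append((name, "default login still works: change it now"))
        elif status != "no" or not row["last_checked"]:
            actions.append((name, "not checked: verify against the sticker/manual default and record it"))
        else:  # checked and changed, but the evidence must be recent enough to stand up
            age = (today - date.fromisoformat(row["last_checked"])).days
            if age > max_age_days:
                actions.append((name, f"check is {age} days old: re-verify and re-record"))
            else:
                evidence.append(row)
    return actions, evidence

if __name__ == "__main__":
    actions, evidence = audit(INVENTORY_CSV, date(2024, 4, 1))
    for name, why in actions:
        print(f"TO DO  {name}: {why}")
        if why.startswith("default login"):
            print(f"       replacement password: {new_device_password()}")
    for row in evidence:
        print(f"DONE   {row['device']}, checked {row['last_checked']} by {row['checked_by']}")
```

The `max_age_days` threshold is an assumption about how old a recorded check can be before it is worth repeating; adjust it to match what your assessor expects.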

Frequently asked questions

Does Cyber Essentials check every single device, or just a sample? Assessors typically review a representative sample of your devices and ask you to confirm the same process was applied organisation-wide. They can ask for evidence on any specific device at their discretion.

What counts as a default password? Any password that ships with the device or software out of the box and hasn't been changed by you, including ones that look reasonably complex if they're shared across every unit of that model.

Do I need to change the password if the device isn't connected to the internet? Cyber Essentials focuses on internet-facing and network-connected devices. If something is genuinely air-gapped with no network connection at all, it falls outside scope, but most "offline" office devices turn out to be connected to the same network as everything else.

Can a guest Wi-Fi network use a simpler password than the main network? It can be different, but it still can't be the manufacturer's default, and it should still be unique and not guessable from public information about your business.

How long does it take to audit all devices in a small office? For a typical 10–50 person office, expect half a day for the physical walkthrough and password changes, assuming you don't find anything that requires a firmware update first.

Run a free scan of your domain and you'll get straight access to your CE Readiness checklist — automated findings and self-assessment questions like this one, all in one place, ready before your assessor asks: olimpio.io/free-scan