by WordyMcWordface 2541 days ago
Exactly, every vendor has default passwords. If you are doing things right all default credentials are changed or disabled. Access to any service is firewalled off or better yet only accessible out of band on a dedicated management network.

This is changing. I've seen a number of ISPs no longer have default passwords. Each router or modem has a random password string set to the device, it's printed out and pasted as a sticker on the modem (or some print directly to the plastic). A lot of big name devices do this now too.

Sure it's a password written on the device, but it's random, you need physical access to see it, and people who are security conscious can change it.

This bad practice isn't excusable, especially not by a company as big as Huawei, not if they want to be taken seriously.

It's definitely a good development that ISPs have started to deploy routers and modems with randomized passwords. However, please do keep in mind the deployment of consumer equipment and enterprise hardware is different. Or at least it should be, in theory.

Enterprise equipment is usually not supposed to be just dropped into place, without oversight. It usually needs proper configuration/management, by qualified people.

Whether this also happens in practice can be a different story altogether. Still, the security of enterprise equipment usually involves more policy and procedure than it does with consumer equipment. With the latter, security has to come more or less by default, because the people handling the devices usually have little expert knowledge.

From what I have seen where I live, printed passwords on things like home routers and VDSL/Fiber modems provided by major ISPs are for 802.11 stuff (WiFi passwords) and not for the device's management interface. This may have changed since I last looked into it a few years ago though. There was also the whole Netgear router "backdoor" port thingy (a device shipped by a major ISP) which I actually had to exploit to recover my password after forgetting it once, which was kind of amusing.

Juniper doesn't. There is no password on the device when you power it on.

When you get a new device, in order to save your initial configuration on it, you have to set a password.

Cisco used to ship with zero config on their devices and part of the setup process was setting a password as well.

Cisco never requires a password to be set. IOS prompted for a password during the easy configuration, but if you dropped a config over, via console or TFTP, you can configure it without a pw.

Later versions did not allow passwordless SSH but still allowed it via telnet. Cisco's ACI platform enforces a password on the initial account, then with some smarts you could disable it in OpenLDAP.

If you consoled into easy mode you defo could set a pw there, or skip it. I still don't get why they don't make you set at least one password, but some of it also stems from the architecture of the OS AFAIK.