Comment by pabs3
2 days ago
This is the way, there should be no access by default, then on first access the user has to setup their desired authentication details, and if they want passwords, then they get a randomly generated one, not one they choose. There should also be a factory reset button too.
Exactly, and fwiw most manufacturers have moved to this model by now, or using randomly generated passwords printed on the physical device itself, in the case of routers.
The latter is still a security issue, because it means that anyone who had your device before, or was able to photograph the printed password briefly, could still have access to your device. Of course it mitigates a fair bit of the DDoS issue, but is still problematic.