Default credentials SHALL be removed from all pieces of digital infrastructure in the business environment.
One of the first things you should do when configuring network infrastructure is to remove the default credentials from infrastructure firmware. This goes for routers, firewalls, switches, and access points. Each manufacturer ships their hardware with their basic default credentials configured. They are used for the initial setup of the device, and can usually be found on a tag at the bottom of the device, in a device manual, or online. Immediately after authenticating to the device firmware, navigate to the administration page and configure the device with a new default admin account and password. The password should follow your business password policy and be stored in a safe location, such as a password manager.
If you do not change the account name and password for your router management firmware, a threat actor can Google the device vendor's default credentials and log into it themselves. This high-level access will allow them to wreak havoc on every part of the network segment.