This points to a much broader security problem: Default admin passwords. They are everywhere, from elevators to routers, and it seems like 90% of devices are just left out in the open with the default admin password.
Instead of having a default password there should be a step in the setup where you are prompted for an admin password. Yes, there will be a lot of easily guessable passwords, but surely it's better than a factory default.
Having been involved in new products ranging from consumer electronics to security devices, the problem with this is that people will get too creative with their passwords, forget them, and then get mad when a factory default loses all settings.
In my experience, it's a losing battle no matter how you approach it. Make people specify a password, but then oftentimes one person stages it and another installs it, so do you make an easy password for staging it? Do you add the overhead of making a device that enforces strong passwords? And so on...
The closest thing to a best solution I've seen is a 2-factor system, a passcode along with some kind of hardware dongle to default or get admin access.
Good points - this is obviously a hard problem that hasn't been solved. Basically there are two opposites that both need to be fulfilled to solve the problem: It has to be both easy and secure.
If ATMs aren't going to get this right, what hope is there for all the other random security locks?
Keyless entry systems have been a target for decades; read old Phrack issues for stories, and even listings of the (very small) complete sets of combinations. Obviously, conventional tumbler locks have been a target for as long as there's been an MIT.