It shouldn't even be an option to misconfigure your product in that fashion. Botnets are nothing new. Assume your customer will go with the defaults, and make those defaults a secure default. Give them an option for doing a factory reset, because yes, many folks will forget the password even though you reminded them to record it. Don't let them make the password "password" or "password123." Because they will.