Are you trying to access (IP/time) or the user program (upload/download)?
Older PLCs communicate over unprotected serial (RS-232/RS-485) or Ethernet ports. When programming software connects to the PLC, it transmits the password. Attackers and recovery tools use software like Wireshark to capture these packets and read the password in plaintext or simple hex format. 2. EEPROM Flash Memory Dumping