Router Security | Router Passwords |
Website by Michael Horowitz |
Note: This page assumes there is a web interface for the router. On routers targeted to consumers, web interfaces are on the way out, being replaced by mobile apps. My experience with these mobile apps (Eero, Google Wi-Fi, AmpliFi) has been that the security is weaker. Specifically, anyone with access to the mobile device where the management app is installed can use the mobile app, no router password needed. Ugh. Android 15 and iOS 18 added features to hide some apps so that anyone with the mobile device can not see that they are installed. This hiding can even include a password just to run the app. I suggest using these features to make it harder to get into the mobile app for the router.
The first thing to do when upgrading the security of an existing router is to change the router password. This may also be the hardest step for non-techies as they often don't know the current password. Heck, they may not even know that the router has a userid/password. If this applies to you, contact your ISP. This web site may have tons of tips about making your router more secure, but it all depends on knowing the router userid/password so that you can logon to the router and make changes. You may also need it to update the firmware (aka software) in the router.
The most important thing about a router password is that it not be the default out-of-the-box password. The second most important thing, is that it be different from the Wi-Fi password(s) and not used anywhere else for anything else.
The router password does not need to be a long string of random characters. On the other hand don't use a single word in the dictionary either. A word and a number (Seattle2009) or two words (redtulips) should be sufficient as long as remote administration is not enabled. If remote administration is enabled, then the password needs to be stronger. I suggest at least 14 characters long and more than just two dictionary words.
Funny aside: perhaps my favorite router security story. Back in Feb. 2014 Brian Krebs was writing about some of the many flaws in routers when he threw in this:
"Here's a ... frustrating example, and one that I discovered on my own just this past weekend: I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ... ... my password was fairly long. However, ASUS's stock firmware didn't tell me that it had truncated the password at 16 characters .... when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than that the first 16 characters of the password."
That's really everything you need to know about consumer routers right there. Depending on how you count, it took 4 or 5 mistakes to get to that point.
Once in possession of the router userid/password, then log in to the router using either the tried and true method, a web browser, or the more recent approach, a mobile app. It is very likely that instructions for doing this are on a label on the bottom of the router. If using a web browser, the router vendor may have a reserved name for the router. For example, Asus uses router.asus.com, D-Link uses dlinkrouter.local, Netgear uses www.routerlogin.com and TP-LINK uses tplinkwifi.net. There are more examples of this on the Introduction page. If there is no reserved name, then enter
http://1.2.3.4where 1.2.3.4 is the IP address of the router. If you don't know the IP address, and its not on the bottom of the router itself, the good news is that every device on the network does. I blogged about how to Find the IP address of your home router back in September 2013. The article covers Windows XP, 7, 8 and 10, iOS 5, 6, 7, 8, 9 and 10, OS X Snow Leopard and Yosemite, Android 2.x, 4.x, 5.x and 6.x, and Chrome OS.
Sign in to the router and change the password. The specifics of how this is done differs on every router. You just have to hunt for the password reset option. It may be in an administrative section.
While many, if not most, routers have a single password, some have more than one because they support more than one userid. Synology routers support many userids as the operating system is derived from their NAS devices which need multiple users. Peplink routers support two userids, one has full administrative powers and one is read-only. If your router has a read-only user, be sure to change the password for that user too.
The best routers (Peplink and Synology for example) let you change not only the password(s) but also the userid(s). Rather than logging in to the router as user "admin", you can log in as user "MickeyMouse." This is a great security feature and if your router lets you change the userid, you should take advantage of it. Here is a screen shot of this on the Asus RT-AC66U.
Few of us are well organized. With that in mind, I suggest writing down the routers IP address (or the alias name if there is one), userid and password on a piece of paper and taping it to the router, face down. Or, keep it next to, or under, the router. Just do not block any ventilation holes. The point being, to have it at the ready when needed in a place that couldn't be easier to remember. You may also want to write down the WiFi password(s) on the paper.
Note: The Ubiquiti AmpliFi mesh router defaults to using the same password for both Wi-Fi and administering the router. Chances are other routers do this too. It is a very bad idea. Each function should have its own password.
FYI: How do I change the admin password on my NETGEAR router? Article ID: 20026. Last Updated: Feb. 17, 2023.
See too, advice on Wi-Fi passwords.