Router Security Router Passwords Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
Also see my Defensive Computing Checklist website
 

The Router Password: The First thing to change

Note: This page assumes there is a web interface for the router. On routers targeted to consumers, web interfaces are on the way out, being replaced by mobile apps. My experience with these mobile apps (Eero, Google Wi-Fi, AmpliFi) has been that the security is weaker. Anyone with access to the mobile device where the management app is installed can use the mobile app, no router password needed. Ugh.


The first thing to do when upgrading the security of an existing router is to change the router password. This may also be the hardest step for non-techies as they often don't know the current password. Heck, they may not even know that the router has a userid/password. If this applies to you, contact your ISP. This web site may have tons of tips about making your router more secure, but it all depends on knowing the router userid/password so that you can logon to the router and make changes.

The most important thing about a router password is that it not be the default out-of-the-box password. It does not need to be a long string of random characters. On the other hand don't use a single word in the dictionary either. A word and a number (Seattle2009) or two words (redtulips) should be sufficient as long as remote administration is not enabled. If remote administration is enabled, then the password needs to be stronger. I suggest at least 14 characters long and more than just two dictionary words.

Funny aside: perhaps my favorite router security story. Back in Feb. 2014 Brian Krebs was writing about some of the many flaws in routers when he threw in this:

"Here's a ... frustrating example, and one that I discovered on my own just this past weekend: I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ... ... my password was fairly long. However, ASUS's stock firmware didn't tell me that it had truncated the password at 16 characters .... when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than that the first 16 characters of the password."

That's really everything you need to know about consumer routers right there. Depending on how you count, it took 4 or 5 mistakes to get to that point.

Once in possession of the router userid/password, then log in to the router using either the tried and true method, a web browser, or the more recent approach, a mobile app. It is very likely that instructions for doing this are on a label on the bottom of the router. If using a web browser, the router vendor may have a reserved name for the router. For example, Asus uses router.asus.com, D-Link uses dlinkrouter.local, Netgear uses www.routerlogin.com and TP-LINK uses tplinkwifi.net. There are more examples of this on the Introduction page. If there is no reserved name, then enter

http://1.2.3.4
where 1.2.3.4 is the IP address of the router. If you don't know the IP address, and its not on the bottom of the router itself, the good news is that every device on the network does. I blogged about how to Find the IP address of your home router back in September 2013. The article covers Windows XP, 7, 8 and 10, iOS 5, 6, 7, 8, 9 and 10, OS X Snow Leopard and Yosemite, Android 2.x, 4.x, 5.x and 6.x, and Chrome OS.

Sign in to the router and change the password. The specifics of how this is done differs on every router. You just have to hunt for the password reset option. It may be in an administrative section.

While many, if not most, routers have a single password, some have more than one because they support more than one userid. The most common case is that a router will allow for two userids, one that has full administrative powers and one that is read-only. If your router has a read-only user, be sure to change the password for that user too.

The best routers let you change not only the password(s) but also the userid(s). Rather than logging in to the router as user "admin", you can log in as user "MickeyMouse." This is a great security feature and if your router lets you change the userid, you should take advantage of it. Routers that allow you to change the userid include the Pepwave Surf SOHO and the Asus RT-AC66U.

Few of us are well organized. With that in mind, I suggest writing down the routers IP address (or the alias name if there is one), userid and password on a piece of paper and taping it to the router, face down. Or, keep it next to the router so as not to block any ventilation holes. The point being, to have it at the ready when needed in a place that couldn't be easier to remember. You may also want to write down the WiFi password(s).

Note: The Ubiquiti AmpliFi mesh router defaults to using the same password for both Wi-Fi and administering the router. Chances are other routers do this too. It is a very bad idea. Each function should have its own password.

FYI: How do I change the admin password on my NETGEAR router? Article ID: 20026. As of Oct. 27, 2016 it was Last Updated October 18, 2016.

See too, advice on Wi-Fi passwords.



Top 
Page Created: June 3, 2015      
Last Updated: January 27, 2023 8PM CT
Viewed 39,512 times
(11/day over 3,471 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2024