You probably need to change a password, but not the one you think.
Transcript
This is Leo Notenboom for askleo.info.
News reports surfaced this week telling of a newly discovered vulnerability.
Well, it’s certainly not a new vulnerability, and whether or not it’s really
been “newly discovered” is arguable too. But it’s definitely making the
news.
As well it should.
So, let me ask you this: what’s the password to your router? The password
that you use to gain access to the router settings.
If you don’t know, or you’ve never changed it, you’re probably at risk.
Here’s how the vulnerability works:
A virus, some spyware, or even some JavaScript from a malicious web site can
try to connect, over your LAN, to the administration interface of your router.
If you haven’t changed that password, this malware can simply use the default
password to log in. Once that happens, all bets are off. One scenario is that
the router might be silently reconfigured to, without warning, take you to some
phishing site when you might think you’re going to a legitimate site like eBay,
Paypal or your bank.
Scary, right?
So how many of you LinkSys owners have a password of “admin” on your router?
That’s the default password, and if that’s the password to your
router, you’re at risk. If you have a different brand of router, the
default is probably something else, but given the overwhelming popularity of
brands such as LinkSys, Cisco, NetGear, DLink, and a handful of others, it’s
pretty easy for malware to just try them all until something works.
So, if you make only one security change today, change the password on your
router. Remember to keep it in a safe place, of course, so you’ll have it when
you need it later.
Oh, and if you do forget the password later, almost all routers have a
master reset sequence that will restore the router to its initial
configuration, including that default password. Master reset is not something you
can do remotely; it typically involves actually pushing a button on the router. You’ll
lose any configuration changes you’ll have made, but at least you’ll be able to
get back in.
Routers are an incredibly important part of making sure your local network and
the computers on it are safe from external threats. This vulnerability
masquerades as an internal user on your LAN, so making sure that your router is
configured securely with its own unique password is extra important.
And yep … until this morning my router’s password was “admin”.
Not any more.
I’d love to hear what you think. Visit askleo.info and enter 11177 in the go
to article number box and leave me a comment. While you’re there, search over
1,000 technical questions and answers on the site.
Till next time, I’m Leo Notenboom, for askleo.info.
This is the first thing I do when I get a new router. I change that master password ASAP. I also make it non-pingable.
Suggestion: Keep the password in meatspace.
I keep it on a post-it-note on the bottom of the router…. I don’t have to remember it, and there is just about zero chance it can be discovered online (use the roomba to turn the router on its back and point it at the webcam?).
Also, use MAC address filters!!!
When I set up a router for friends I always change the password and enable WPA. I also tell them to take full advantage of the 63 characters that they can use for the WPA key, write it down in a safe place, show them how to reset the master password if they forget the WPA key, and, by all means, don’t tell me the password!!!
Some routers have an option not to allow remote administration. This prevents anyone outside the LAN from accessing the configuration page. If your router has this option, I highly recommend turning that on as well. Most home users should have no need to configure their router from anywhere other than home.
Very interesting and scary. I have a linksys router. I am going to change my default username and password. Thanks.
Here is another explanation of the same problem.
http://michaelhorowitz2.blogspot.com/2007/03/home-routers-can-be-dangerous-very.html
And while on the subject of router configuration, I agree to use very long WPA passwords and to turn off remote admin. Let me also suggest turning off UPnP.
Everyone should be using full 63 bits for the WPA PSA key. Also change the SSID and turn off broadcasting, and use MAC address filtering limited to the machines you use. For long PSA keys and SSID’s simply type out the info into Notepad and save the file somewhere on your PC where you can find it. Use ALL and/or ANY of the first 128 ASCII characters. Don’t use words or names. You can easily load/reload the key and/or SSID to router, wireless device, etc. by simple copy and paste. Full security and nothing to remember.
How can you change the password? The prompt screen for my Linksys WRT54G offers no apparent way to change from “ADMIN”. Please tell me how to do this– I must be overlooking something obvious.
It varies some, but after I’ve logged into my LinkSys, across the top
there’s a tab labeled “Password” right in between “Setup” and “Status”.
Leo
I have a dlink and I’m not sure what the password is or how I change it. Please help!!!
That should be documented in the manual that came with your router. If
you don’t have that, then I’d look for support information or
documentation on the dlink site: http://www.dlink.com/
Leo
I initially changed the admin password of my d-link router but I forgot it. Is there way I can recover the password?
Ok, I changed my Linksys password and I forgot. How do I reset it?
admin is the username and password is the default password on my LinkSys Router. I have changed the password but not the username. How do I do that?
haha, I have a mac and a mac airport extreme with a very long password and username
I, like Louis [March 14th 2008], have changed my password but cannot change the username from “admin”. How can this be done, if at all?
Regards, Gazza. [11177]
Hi Leo,
My new linksys router has the default set up 198.182.1.1 to connect to it. It also uses this same address for IP and gateway. So besides the “admin” password, which I changed to another one it will be possible that any one can get to these routers. I have changed my logon (default is blank) and my password (default is admin) I do not know if I can change the 198.182.1.1. address without getting into other problems with the firmware in the router. It is bad enough that this router sometimes has to be restarted because it drops the connection. What are your views on it?
07-May-2009
hi,
Whenever I open my internet browser it asks for username and password on the tp-link page every time; my router is tp-link. How can I set it only for one time?
I haven’t changed my password for a long time, but then I don’t use a router, I am talking about just email address or other log in’s to sites such as facebook etc. I haven’t had any problems by keeping the same password.
I’ve always believed that the default passwords are safe because you needed to be physically connected to make changes.
How stupid am I!
All router passwords changed tonight (and written on the bottom :-))
What about mobile internet, i.e. a dongle, are they safe? Cheers
Leo, please tell me HOW TO change the password on my Netgear router. Step by step please; I’m a novice. thank you
jan
17-Feb-2010
I always change mine. Ever since I read years ago about the default user name and passwords being freely available on the web.
What do you think about port forwarding though? I know using a fairly random port helps, but is it then still a big security risk do you think? Is there an easy way to tell if my ports are being scanned? Moreover, is there an easy way to open and close individual ports at will? (without having to reconfigure the router that is) (doesn’t look like you have covered this else where… but if you don’t reply… :) )
Thanks for the great articles Leo. I usually find at least one or two that I want to “continue reading” each month. And nine times out of ten I do learn something, as well as being entertained! Nice work!
I’m glad you enjoyed your visit. Those cyclones we just had weren’t particularly big, but after two of them joined up, did it rain cats n’ dogs or what! Cheers m8.
24-Feb-2010
Not only am I in the same novice level as Jan, who wanted step-by-step instructions on how to change the router’s password, I’d need to learn how to find the router, and how to find what kind of router i have.
25-Feb-2010
After reading this article, I followed the links to some of the related articles and now have these questions: My computer is a stand-alone, not networked with any other. Is there any reason to change the router’s password as long as I don’t network with any other computer? And, since I am not networked with any other computer, do I even have a router? (I get my internet access through my TV cable company, who supplied the modem, though I’m not computer-savvy enough to know if this makes any difference or not.)
25-Feb-2010
I’ve encountered this change router password subject in articles by several other tech newsletters. I promptly changed my Linksys (non-wireless) router ONLY TO FIND I COULD NOT CONNECT TO THE INTERNET! An ISP page came up instead wanting to run a diagnostic that ended up with a “call us” result. So I reset my router password but still got a failed connection.
So I called AT&T/SBCGLOBAL.NET (using a number I already had not the one I was given – paranoia pays, y’know!).
My ISP told me that there had to be some kind of password agreement with my user account…but several attempts by them to get things working again ended in disconnecting the router and straight connecting to the DSL modem.
There seemed to be some concern that the internet light on my modem was not lighting up (but I can tell you that it never did when the previous router and modem connection had ALWAYS worked).
Efforts focused on “bridging” and not bridging and PPO and PPOea, etc. and stuff the tech was vague about left my head spinning.
But I had a working modem-direct connection and since I had to leave for an appointment I thanked them, left it at that, and moved along. Later, I reinstalled the Linksys using the CD (which crashed 1/2 way through the install). In frustration, I cold booted the PC with the power off on the modem and the router. Waited a minute and powered them on and VOILA, everything was working again.
Now, about the paranoia part…so now my internet light on my modem is always on and frankly I’m a little concerned that I’m less secure than I was before since I imagine that my IP address is not that of the router but of my PC.
Should I be concerned? Should I go back to the ISP? Back to Linksys? Back to bed?
Thanks.
Thanks Leo and all of you commentators!
I first logged onto my ISP’s website and went to their FAQs pages. There, they showed me how to get to my Netgear router webpage from which I just followed the step by step instructions to set a password of my own and by the way disable the wireless function altogether!
Drastic did you say?
I never overlook my teacher’s advice!
Cheers to all!
Thanks for your reply Leo.
I didn’t realise before, that port scanners had to know what service the port was being used for to exploit it. See, I am learning stuff! /grins.
Leo wrote:
“if it does attempt to probe that (random – ed) port the scanner has no real way to know what service “language” (like SSH) it should talk to the port to make it operate”
Snipped from Wikipedia:
“A port may be forwarded for use by either the TCP protocol, the UDP protocol, or both.”
I guess I just assumed that port scanners these days would be intelligent enough to know that non-standard (hence forwarded) ports, must be using one or both of the accepted TCP or UDP protocols.
But that aside, say a port scanner finds a port that it knows what service it’s being used for, say POP on port 110, or NNTP on 119. Aren’t firewalls configured to accept connections (in the appropriate protocols) through these ports? Can’t it then exploit them? and if not, why not? I understand that some protocols are inherently secure, like SSH.
I’ll also understand if you don’t reply to this one, as it is a little OT. Or maybe there is a more appropriate discussion thread to post this to?
But cheers anyway Leo, for the invaluable understanding and advice you impart.
Oh BTW Steve, are you sure you didn’t inadvertently change your internet account password (the one your ISP gave you), and not just the modem’s login password?
Another thing to consider is that, even if it only has one physical port, your “modem” is *also* a router. It serves up LAN IP addresses, as does your “router”. If by chance the router tries to use the same IP address as the modem (and I have seen that happen) you will have an IP address conflict. Resulting in the loss of your internet connection. But in any case, your modem/router is what’s facing the internet, so it’s a “no” to your paranoia question.
I really hope Leo doesn’t mind if I point you towards a page at portforward dot com. Learning about port forwarding has increased my knowledge of networking appreciably. Even if you never do port forwarding, this stuff is worth knowing. You will at least learn why tech support tried to “bridge” your router. /smiles http://www.portforward.com/help/doublerouterportforwarding.htm
Best regards to all. ~Adrian (Lan Down Under)
No. The fundamental difference here is incoming versus outgoing – yes, you may use 110 for POP3, but that’s an outgoing connection from your PC to your mail server. Your firewall continues to block 110 incoming connections. In reality there are typically no valid incoming connections in a normal home or small business setup. All the connections you make are outgoing – i.e. initiated by your computers connecting to an outside service.
08-Mar-2010
Actually, for some routers, there might be several user/password combinations just as administrator, guest, etc. accounts in Windows. Example: admin/support/user in one of my modems. These may be disabled or not. If not, defaults may apply. I remember a friend claiming nobody could access his PC because of a fancy user/password combination he was using, but he simply forgot the other default accounts including the admin. Same goes true for many modems and should be checked and modified or disabled.
Leo, I was able to find the router website and changed the password successfully. BUT… I could not find how to log OFF of the router setup page once I was done. I close the tab (firefox) and re-enter the ip address for the router set up and it goes right back in without asking for my password. How do I successfully LOG OFF this page?
10-Aug-2011