Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Change Your Password – No, not that one…

You probably need to change a password, but not the one you think.

Become a Patron of Ask Leo! and go ad-free!


Transcript

This is Leo Notenboom for askleo.info.

News reports surfaced this week telling of a newly discovered vulnerability.
Well, it’s certainly not a new vulnerability, and whether or not it’s really
been “newly discovered” is arguable too. But it’s definitely making the
news.

As well it should.

So, let me ask you this: what’s the password to your router? The password
that you use to gain access to the router settings.

If you don’t know, or you’ve never changed it you’re probably at risk.

Here’s how the vulnerability works:

A virus, some spyware, or even some Javascript from a malicious web site can
try to connect, over your LAN, to the administration interface of your router.
If you haven’t changed that password, this malware can simply use the default
password to login. Once that happens, all bets are off. One scenario is that
the router might be silently reconfigured to, without warning, take you to some
phishing site when you might think you’re going to a legitimate site like eBay,
Paypal or your bank.

“This vulnerability
masquerades as an internal user on your LAN …”

Scary, right?

So how many of you LinkSys owners have a password of “admin” on your router?
That’s the default password, and if that’s the password to your
router, you’re at risk. If you have a different brand of router, the
default is probably something else, but given the overwhelming popularity of
brands such as LinkSys, Cisco, NetGear, DLink, and a handful of others, it’s
pretty easy for malware to just try them all until something works.

So, if you make only one security change today, change the password on your
router. Remember to keep it in a safe place, of course, so you’ll have it when
you need it later.

Oh, and if you do forget the password later, almost all routers have a
master reset sequence that will restore the router to its initial
configuration, including that default password. Master reset not something you
can do remotely; it typically involves actually pushing a button on the router. You’ll
lose any configuration changes you’ll have made, but at least you’ll be able to
get back in.

Routers are an incredibly important part making sure your local network and
the computers on it are safe from external threats. This vulnerability
masquerades as an internal user on your LAN, so making sure that your router is
configured securely with it’s own unique password is extra important.

And yep … until this morning my router’s password was “admin”.

Not any more.

I’d love to hear what you think. Visit askleo.info and enter 11177 in the go
to article number box and leave me a comment. While you’re there, search over
1,000 technical questions and answers on the site.

Till next time, I’m Leo Notenboom, for askleo.info.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

31 comments on “Change Your Password – No, not that one…”

  1. Suggestion: Keep the password in meatspace.
    I keep it on a post-it-note on the bottom of the router…. I don’t have to remember it, and there is just about zero chance it can be discovered online (use the roomba to turn the router on its back and point it at the webcam?).

    Reply
  2. When I set up a router for friends I always change the password and enable WPA. I also tell them to take full advantage of the 63 characters that they can use for the WPA key, write it down in a safe place, show them how to reset the master password if they forget the WPA key, and, by all means, don’t tell me the password!!!

    Reply
  3. Some routers have an option not to allow remote administration. This prevents anyone outside the LAN from accessing the configuration page. If your router has this option, I highly recommend turning that on as well. Most home users should have no need to configure their router from anywhere other than home.

    Reply
  4. Everyone should be using full 63 bits for the the WPA PSA key. Also change the SSID and turn off broadcasting, and use MAC address filtering limited to the machines you use. For long PSA keys and SSID’s simply type out the info into Notepad and save the file somewhere on your PC where you can find it. Use ALL and/or ANY of the first 128 ASCII characters. Don’t use words or names. You can easily load/reload the key and/or SSID to router, wireless device, etc. by simple copy and paste. Full security and nothing to remember.

    Reply
  5. How can you change the password? The prompt screen for my Linksys WRT54G offers no apparent way to change from “ADMIN”. Please tell me how to do this– I must be overlooking something obvious.

    Reply
  6. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    It varies some, but after I’ve logged into my LinkSys, across the top
    there’s a tab labeled “Password” right inbetween “Setup” and “Status”.

    Leo
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.6 (MingW32)

    iD8DBQFF7ZsiCMEe9B/8oqERAsvMAJ4r9sckMH53p5dyzFuwfqp9RxEMSQCfVki5
    u1kVu1kb0Or+j6GzIvzNxEE=
    =oOup
    —–END PGP SIGNATURE—–

    Reply
  7. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    That should be documented in the manual that came with your router. If
    you don’t have that, then I’d look for support information or
    documentation on the dlink site: http://www.dlink.com/

    Leo
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.6 (MingW32)

    iD8DBQFF702ZCMEe9B/8oqERAt7UAJ9QSYKlT//GUTClkfo6eWWEQReUpgCbB3qG
    5O6WJQJ02f2SJlmvKf8cytg=
    =9ADf
    —–END PGP SIGNATURE—–

    Reply
  8. I initially changed the admin password of my d-link router but I forgot it. Is there way I can recover the password?

    Reply
  9. I like Louis [March 14th 2008] have changed my password but can not change the username from “admin” how can this be done if at all?
    Regrds Gazza.[11177]

    Reply
  10. Hi Leo,
    My new linksys router has the default set up 198.182.1.1 to connect to it. It also uses this same address for IP and gateway. So besides the “admin” password, which I changed to another one it will be possible that any one can get to these routers. I have changed my logon (default is blank) and my password (default is admin) I do not know if I can change the 198.182.1.1. address without getting into other problems with the firmware in the router. It is bad enough that this router sometimes has to restarted because it drops the connection. What are your views on it?

    I’m not sure why you would want to change the local IP addresses used from 192.168.x.x – those are visible only on the local side of the router.

    – Leo
    07-May-2009
    Reply
  11. hi,
    whenever i open my intenet browser it ask for usrname and password on tp-link page everytime, my router is tp-link. how i can set it only for one time?

    Reply
  12. I haven’t changed my password for a long time, but then I don’t use a router, I am talking about just email address or other log in’s to sites such as facebook etc. I haven’t had any problems by keeping the same password.

    Reply
  13. I’ve always believed that the default passwords are safe because you needed to be physically connected to make changes.
    How stupid am I!
    All router passwords changed tonight (and written on the bottom :-))

    Reply
  14. Leo, please tell me HOW TO change the password on my Netgear router. Step by step please; I’m a novice. thank you
    jan

    I actually don’t know, not having a netgear. Check the documentation that comes with the router, or visit the online support site for netgear.

    Leo
    17-Feb-2010

    Reply
  15. I always change mine. Ever since I read years ago about the default user name and passwords being freely available on the web.

    What do you think about port forwarding though? I know using a fairly random port helps, but is it then still a big security risk do you think? Is there an easy way to tell if my ports are being scanned? Moreover, is there an easy way to open and close individual ports at will? (without having to reconfigure the router that is) (doesn’t look like you have covered this else where… but if you don’t reply… :) )

    Thanks for the great articles Leo. I usually find at least one or two that I want to “continue reading” each month. And nine times out of ten I do learn something, as well as being entertained! Nice work!

    I’m glad you enjoyed your visit. Those cyclones we just had weren’t participially big, but after two of them joined up, did it rain cats n’ dogs or what! Cheers m8.

    Port scanning is pretty much constant and one of the reasons we want firewalls. The good news, though, is that when you port forward using a fairly random port you remove the ability of the scanners to know what the port is being used for. Typically specific ports have specific purposes – port 22 is the “SSH” protocol, which is constantly being scanned for since it’s a very common commandline interface service used on servers (including my own). By using and forwarding a different, random, port, then even if it does attempt to probe that port the scanner has no real way to know what service “language” (like SSH) it should talk to the port to make it operate. (Mosty scanners don’t bother, and look only for those ports, like 22, that have well defined functions.)

    Leo
    24-Feb-2010

    Reply
  16. Not only am I in the same novice level as Jan, who wanted step-by-step instructions on how to change the router’s password, I’d need to learn how to find the router, and how to find what kind of router i have.

    Step by step instructions for one model of router have been here on the site for almost a year now: How do I change my router’s password? – Remember, ALL ROUTERS ARE DIFFERENT, so these instructions may not apply exactly to your situation, but it’ll at least give you the basic concepts.

    Leo
    25-Feb-2010

    Reply
  17. After reading this article, I followed the links to some of the related articles and now have these questions: My computer is a stand-alone, not networked with any other. Is there any reason to change the router’s password as long as I don’t network with any other computer? And, since I am not networked with any other computer, do I even have a router? (I get my internet access through my TV cable company, who supplied the modem, though I’m not computer-savvy enough to know if this makes any difference or not.)

    If your computer connects directly to the modem provided by your ISP, then you need to check with your ISP to see whether or not it is acting as a router, and whether the password can or needs to be changed. Yes, evem if you have only a single computer you should change your router’s password.

    Leo
    25-Feb-2010

    Reply
  18. I’ve encountered this change router password subject in articles by several other tech newsletters. I promptly changed my Linksys (non-wireless) router ONLY TO FIND I COULD NOT CONNECT TO THE INTERNET! An ISP page came up instead wanting to run a diagnostic that ended up with a “call us” result. So I reset my router password but still got a failed connection.

    So I called AT&T/SBCGLOBAL.NET (using a number I already had not the one I was given – paranoia pays, y’know!).

    My ISP told me that there had to be some kind of password agreement with my user account…but several attempts by them to get things working again ended in disconnecting the router and straight connecting to the DSL modem.

    There seemed to be some concern that the internet light on my modem was not lighting up (but I can tell you that it never did when the previous router and modem connection had ALWAYS worked).

    Efforts focused on “bridging” and not bridging and PPO and PPOea, etc. and stuff the tech was vague about left my head spinning.

    But I had a working modem-direct connection and since I had to leave for an appointment I thanked them, left it at that, and moved along. Later, I reinstalled the Linksys using the CD (which crashed 1/2 way through the install). In frustration, I cold booted the PC with the power off on the modem and the router. Waited a minute and powered them on and VOILA, everthing was working again.

    Now, about the paranoia part…so now my internet light on my modem is always on and frankly I’m a little concerned that I’m less secure than I was before since I imagine that my IP address is not that of the router but of my PC.

    Should I be concerned. Should I go back to the ISP? Back to Linksys? Back to bed?

    Thanks.

    Reply
  19. Thanks Leo and all of you commentators!
    I first logged onto my ISP’s website and went to their FAQs pages. There, they showed me how to get to my Netgear router webpage from which I just followed the step by step instructions to set a password of my own and by the way disable the wireless function altogether!
    Drastic did you say?
    I never overlook my teacher’s advices!
    Cheers to all!

    Reply
  20. Thanks for your reply Leo.
    I didn’t realise before, that port scanners had to know what service the port was being used for to exploit it. See, I am learning stuff! /grins.

    Leo wrote:
    “if it does attempt to probe that (random – ed) port the scanner has no real way to know what service “language” (like SSH) it should talk to the port to make it operate”

    Snipped from Wikipedia:
    “A port may be forwarded for use by either the TCP protocol, the UDP protocol, or both.”

    I guess I just assumed that port scanners these days would be intelligent enough to know that non-standard (hence forwarded) ports, must be using one or both of the accepted TCP or UDP protocols.

    But that aside, say a port scanner finds a port that it knows what service it’s being used for, say POP on port 110, or NNTP on 119. Aren’t firewalls configured to accept connections (in the appropriate protocols) through these ports? Can’t it then exploit them? and if not, why not? I understand that some protocols are inherently secure, like SSH.

    I’ll also understand if you don’t reply to this one, as it is a little OT. Or maybe there is a more appropriate discussion thread to post this to?

    But cheers anyway Leo, for the invaluable understanding and advice you impart.

    Oh BTW Steve, are you sure you didn’t inadvertently change your internet account password (the one your ISP gave you), and not just the modem’s login password?

    Another thing to consider is that, even if it only has one physical port, your “modem” is *also* a router. It serves up LAN IP addresses, as does your “router”. If by chance the router tries to use the same IP address as the modem (and I have seen that happen) you will have an IP address conflict. Resulting in the loss of your internet connection. But in any case, your modem/router is what’s facing the internet, so it’s a “no” to your paranoia question.

    I really hope Leo doesn’t mind if I point you towards a page at portforward dot com. Learning about port forwarding has increased my knowledge of networking appreciably. Even if you never do port forwarding, this stuff worth knowing. You will at least learn why teck support tried to “bridge” your router. /smiles http://www.portforward.com/help/doublerouterportforwarding.htm

    Best regards to all. ~Adrian (Lan Down Under)

    “But that aside, say a port scanner finds a port that it knows what service it’s being used for, say POP on port 110, or NNTP on 119. Aren’t firewalls configured to accept connections (in the appropriate protocols) through these ports?”

    No. The fundamental difference here is incomming versus outgoing – yes, you may use 110 for POP3, but that’s an outgoing connection from your PC to your mail server. Your firewall continues to block 110 incoming connections. In reality there are typically no valid incoming connections in a normal home or small business setup. All the connections you make are outgoing – i.e. initiated by your computers connecting to an outside service.

    Leo
    08-Mar-2010

    Reply
  21. Actually, for some routers, there might be several user/password combinations just as administrator, guest, etc. accounts in Windows. Example: admin/support/user in one of my modems. These may be disabled or not. If not, defaults may apply. I remember a friend claiming nobody could access his PC because of a fancy user/password combination he was using, but he simply forgot the other defauly accounts including the admin. Same goes true for many modems and should be checked and modified or disabled.

    Reply
  22. Leo, I was able to find the router website and changed the password successfully. BUT… I could not find how to log OFF of the router setup page once I was done. I close the tab (firefox) and re-enter the ip address for the router set up and it goes right back in without asking for my password. How so I successfully LOG OFF this page?

    Again that too depends entirely on the router. Look for a log-off button or link. If there isn’t one then completely closing and restarting your browser often does the trick.

    Leo
    10-Aug-2011

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.