
Should I change my router's password, and if so, how often?

Question:

We use a D-Link 2.4 GHz router, about 7-8 years old, for our home LAN. I
read recently we ought to change passwords occasionally on the router. But I
also had the thought that it might be time to upgrade. Any recommendations?

This question gets my standard answer #2: it depends.

It depends on things like whether you've ever changed your password, whether
or not you're using wireless access to your network, and if so, what kind of
encryption you're running.

And yes, there’s a scenario where an upgrade might be called for, but it’s
not age-related, it’s about capability.


First off, let me ask this: have you ever changed your router’s
administrative password? If you answered “no”, then go change it now.

The default password for most routers is something that's very easy to
either just know or to look up. The reason you want to change it is that there
is malicious software out there that, using JavaScript in your browser, can
actually attempt to access your router. If you've never changed the
administrative password, that software already knows it and can then
reconfigure your router to disable many of its firewall characteristics and
allow more serious malware to infect your system.

So you should change your router’s password at least once. That was
easy.

How often kind of depends.

In most cases, in my opinion, you never need to change it again. As long as
it’s not the default there’s rarely a reason to change it.

However … (and there’s almost always a “however”)

The “problem” with most router admin login security is that it’s
sniffable.

You'll note that you don't (and can't) use "https" to log in
to your router, only http. That means the traffic can be monitored by anyone on
your network, and if they want, they can see the password that's being used to
log in to your router.
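To make "sniffable" concrete, here is an added example (not part of the original article) that parses a plain-http login request and lists every credential readable in it without any key. The sample requests, the address 192.168.0.1, the paths, the credentials and the list of password field names are all constructed, and the assumption is that the router uses either HTTP Basic authentication or a form login.

```python
import base64
from urllib.parse import parse_qsl

# Field names treated as password-bearing: an assumption, real router forms vary.
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}

def exposed_credentials(raw_request: bytes) -> list:
    """Return (where, value) pairs for each credential readable in a plain-http request."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    found = []
    # Basic auth is base64 *encoding*, not encryption: whoever sees it can reverse it.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed token: nothing readable to report
            decoded = ""
        user, sep, password = decoded.partition(":")
        if sep:
            found.append(("Authorization header", f"{user}:{password}"))
    # A login form sends the password as an ordinary field in the request body.
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if key.lower() in PASSWORD_FIELDS:
                found.append((f"form field '{key}'", value))
    return found

# Constructed sample requests (not captured from any real device).
BASIC_LOGIN = (
    b"GET /status.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:example-pw") + b"\r\n\r\n"
)
FORM_LOGIN = (
    b"POST /login.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=admin&password=example-pw"
)

if __name__ == "__main__":
    for label, request in (("basic", BASIC_LOGIN), ("form", FORM_LOGIN)):
        print(label, exposed_credentials(request))
```

Both login styles give up the password in full, which is why the wired-connection advice later in this article matters.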

The good news is that most networks are “closed”, meaning that you probably
only have your own machines on the network, or machines that you implicitly
trust. In addition, you probably don’t access your router’s administrative
interface that often, so the login password isn’t actually being transmitted
very often for it to be visible in the first place.

The bad news is that many people have what they think are closed networks
that are really open and to which anyone can connect.

Those are folks with unencrypted wireless connections or wireless
connections using WEP encryption. Any computer within signal range can connect
to these networks and may be able to monitor the traffic on your network.
That includes the router admin traffic if that's done wirelessly as well.

WEP encryption? Isn’t that supposed to be secure? It was, but not any more.
In fact I recently heard someone say that it’s now often quicker to crack WEP
security than it is to try and type in the password that’s been used. The
bottom line is that WEP is broken and practically equivalent to no encryption
at all. WPA encryption, on the other hand, is secure.

So there’s my upgrade recommendation:

  • If you use WiFi on your network

  • … and the router or access point does not support WPA encryption

  • … and you’re in a situation where you don’t control who could be in range
    of your wireless network

… then you need to upgrade either your router or access point (and perhaps
even your computer’s WiFi hardware) to equipment that supports WPA. Or I
suppose you could stop using WiFi.

Now, if you must operate an open WiFi hotspot – say you’re an
internet cafe owner – then you’ll not only need to make sure your router has a
non-default password, but you’ll also need to make sure that you never
change or access it using a wireless connection yourself. Changing your
router’s password or even accessing the admin interface using your wireless
connection could expose the password to anyone in range who might be listening.
Instead, make a wired connection to your router and administer it via
that connection.

But after all that, I still don’t really see a reason to then change the
router’s password periodically. It doesn’t hurt, I suppose, but I’m not sure I
see a real benefit as long as it’s been changed at least once. If you’ve
discovered that you’ve accessed your router via an insecure and sniffable
route, then you might want to consider changing it (via that secure, wired
connection).

And as long as your router is working for you and meets the WPA requirement
if that applies to your situation, I see no real reason to upgrade either.


3 comments on “Should I change my router's password, and if so, how often?”

  1. Some routers, especially Linksys ones, but probably others as well, can be configured to be administered using the HTTPS protocol, thereby (presumably) encrypting any admin passwords that could be transmitted.

  2. I have already configured the router and set the password. Presently this router is working in good condition, but a few days later I forgot the password. Is there any process to recover or change the password without changing the configuration? I want only the password.

    No. Most routers have a procedure to reset it to factory settings, including the original password and settings. But there’s no way to just get or reset only the password.

    – Leo
    29-Jan-2009
  3. So I have WPA security enabled on my wireless router. You need to enter a 24 character key to get access. I decided to reset my security settings and it gave me a new 24 character password. The issue I have is this: I have several computers that pick up the wifi signal that used the old access key, and they still can connect to the internet. I don't want certain computers to connect anymore, that's why I reset it. How is it possible that they still can access it?
