
You probably need to change a password, but not the one you think.


Transcript

This is Leo Notenboom for askleo.info.

News reports surfaced this week telling of a newly discovered vulnerability. Well, it's certainly not a new vulnerability, and whether or not it's really been "newly discovered" is arguable too. But it's definitely making the news.

As well it should.

So, let me ask you this: what's the password to your router? The password that you use to gain access to the router settings.

If you don't know, or you've never changed it, you're probably at risk.

Here's how the vulnerability works:

A virus, some spyware, or even some JavaScript from a malicious web site can try to connect, over your LAN, to the administration interface of your router. If you haven't changed that password, this malware can simply use the default password to log in. Once that happens, all bets are off. One scenario is that the router might be silently reconfigured to, without warning, take you to some phishing site when you might think you're going to a legitimate site like eBay, Paypal or your bank.

Scary, right?

So how many of you LinkSys owners have a password of "admin" on your router? That's the default password, and if that's the password to your router, you're at risk. If you have a different brand of router, the default is probably something else, but given the overwhelming popularity of brands such as LinkSys, Cisco, NetGear, DLink, and a handful of others, it's pretty easy for malware to just try them all until something works.

So, if you make only one security change today, change the password on your router. Remember to keep it in a safe place, of course, so you'll have it when you need it later.

Oh, and if you do forget the password later, almost all routers have a master reset sequence that will restore the router to its initial configuration, including that default password. Master reset is not something you can do remotely; it typically involves actually pushing a button on the router. You'll lose any configuration changes you'll have made, but at least you'll be able to get back in.

Routers are an incredibly important part of making sure your local network and the computers on it are safe from external threats. This vulnerability masquerades as an internal user on your LAN, so making sure that your router is configured securely with its own unique password is extra important.

And yep ... until this morning my router's password was "admin".

Not any more.

I'd love to hear what you think. Visit askleo.info and enter 11177 in the go to article number box and leave me a comment. While you're there, search over 1,000 technical questions and answers on the site.

Till next time, I'm Leo Notenboom, for askleo.info.

Article C2937 - February 18, 2007

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


32 Comments
Tom
February 18, 2007 5:58 PM

This is the first thing I do when I get a new router. I change that master password ASAP. I also make it non-pingable.

Thor Johnson
February 21, 2007 10:36 AM

Suggestion: Keep the password in meatspace.
I keep it on a post-it-note on the bottom of the router.... I don't have to remember it, and there is just about zero chance it can be discovered online (use the roomba to turn the router on its back and point it at the webcam?).

Scott
February 23, 2007 6:50 PM

Also, use MAC address filters!!!

Tony
February 24, 2007 5:10 AM

When I set up a router for friends I always change the password and enable WPA. I also tell them to take full advantage of the 63 characters that they can use for the WPA key, write it down in a safe place, show them how to reset the master password if they forget the WPA key, and, by all means, don't tell me the password!!!

Brian
February 25, 2007 1:43 PM

Some routers have an option not to allow remote administration. This prevents anyone outside the LAN from accessing the configuration page. If your router has this option, I highly recommend turning that on as well. Most home users should have no need to configure their router from anywhere other than home.

Anand Gounder
February 28, 2007 8:46 AM

Very interesting and scary. I have a linksys router. I am going to change my default username and password. Thanks.

Michael Horowitz
March 3, 2007 3:53 PM

Here is another explanation of the same problem.

http://michaelhorowitz2.blogspot.com/2007/03/home-routers-can-be-dangerous-very.html

And while on the subject of router configuration, I agree to use very long WPA passwords and to turn off remote admin. Let me also suggest turning off UPnP.

Chuck
March 5, 2007 8:55 AM

Everyone should be using full 63 bits for the WPA PSA key. Also change the SSID and turn off broadcasting, and use MAC address filtering limited to the machines you use. For long PSA keys and SSID's simply type out the info into Notepad and save the file somewhere on your PC where you can find it. Use ALL and/or ANY of the first 128 ASCII characters. Don't use words or names. You can easily load/reload the key and/or SSID to router, wireless device, etc. by simple copy and paste. Full security and nothing to remember.

Jerry
March 6, 2007 8:36 AM

How can you change the password? The prompt screen for my Linksys WRT54G offers no apparent way to change from "ADMIN". Please tell me how to do this-- I must be overlooking something obvious.

Leo Notenboom
March 6, 2007 8:47 AM

It varies some, but after I've logged into my LinkSys, across the top
there's a tab labeled "Password" right in between "Setup" and "Status".

Leo

Joe
March 7, 2007 10:32 AM

I have a dlink and I'm not sure what the password is or how I change it. Please help!!!

Leo Notenboom
March 7, 2007 3:41 PM

That should be documented in the manual that came with your router. If
you don't have that, then I'd look for support information or
documentation on the dlink site: http://www.dlink.com/

Leo

Hilary
May 29, 2007 11:08 AM

I initially changed the admin password of my d-link router but I forgot it. Is there way I can recover the password?

Wilson
July 13, 2007 8:20 PM

OK, I changed my Linksys password and I forgot. How do I reset it?

Louis
March 14, 2008 10:40 PM

admin is the username and password is the default password on my LinkSys Router. I have changed the password but not the username. How do I do that?

Jordan
March 19, 2008 7:41 PM

haha, I have a mac and a mac airport extreme with a very long password and username

Gary Anderson
April 13, 2009 3:43 PM

I like Louis [March 14th 2008] have changed my password but can not change the username from "admin" how can this be done if at all?
Regards Gazza.[11177]

Paul Mierop
May 5, 2009 11:09 AM

Hi Leo,
My new linksys router has the default set up 198.182.1.1 to connect to it. It also uses this same address for IP and gateway. So besides the "admin" password, which I changed to another one it will be possible that any one can get to these routers. I have changed my logon (default is blank) and my password (default is admin) I do not know if I can change the 198.182.1.1. address without getting into other problems with the firmware in the router. It is bad enough that this router sometimes has to be restarted because it drops the connection. What are your views on it?

I'm not sure why you would want to change the local IP addresses used from 192.168.x.x - those are visible only on the local side of the router.
- Leo
07-May-2009

hyperbola
October 12, 2009 9:14 PM

Hi,
Whenever I open my internet browser it asks for username and password on the tp-link page every time. My router is tp-link. How can I set it only for one time?

Bunny Rodwell
February 16, 2010 12:27 PM

I haven't changed my password for a long time, but then I don't use a router, I am talking about just email address or other logins to sites such as facebook etc. I haven't had any problems by keeping the same password.

pcResolver
February 16, 2010 1:58 PM

I've always believed that the default passwords are safe because you needed to be physically connected to make changes.
How stupid am I!
All router passwords changed tonight (and written on the bottom :-))

Mike Peart
February 17, 2010 1:20 AM

What about mobile internet, i.e. a dongle, are they safe? Cheers

Jan Hunt
February 17, 2010 2:07 AM

Leo, please tell me HOW TO change the password on my Netgear router. Step by step please; I'm a novice. thank you
jan

I actually don't know, not having a netgear. Check the documentation that comes with the router, or visit the online support site for netgear.
Leo
17-Feb-2010

the Login Man
February 17, 2010 6:50 PM

I always change the router admin password whenever I set one up but that's not all;
when it's possible:
- I change the Admin name
- I use "extended" (ALT + code) characters in the routers admin login password ie. { } etc,
- I change the subnet which changes the login page address also ie. 192.168.0.1 > 192.168.205.1
- I disable uPnP, Remote Admin, etc.
- when there is a WAP included I use the full length passphrase string allowable and set it to highest encryption / security it supports
- I turn off the WAP radio if it's not going to be used by any wireless devices (ie all machines are CAT wire connected)


I prefer small business routers over home routers also, and they're only a few bucks more than a home router but offer so much more in terms of options & security.

Adrian
February 24, 2010 5:56 AM

I always change mine. Ever since I read years ago about the default user name and passwords being freely available on the web.

What do you think about port forwarding though? I know using a fairly random port helps, but is it then still a big security risk do you think? Is there an easy way to tell if my ports are being scanned? Moreover, is there an easy way to open and close individual ports at will? (without having to reconfigure the router that is) (doesn't look like you have covered this else where... but if you don't reply... :) )

Thanks for the great articles Leo. I usually find at least one or two that I want to "continue reading" each month. And nine times out of ten I do learn something, as well as being entertained! Nice work!

I'm glad you enjoyed your visit. Those cyclones we just had weren't particularly big, but after two of them joined up, did it rain cats n' dogs or what! Cheers m8.

Port scanning is pretty much constant and one of the reasons we want firewalls. The good news, though, is that when you port forward using a fairly random port you remove the ability of the scanners to know what the port is being used for. Typically specific ports have specific purposes - port 22 is the "SSH" protocol, which is constantly being scanned for since it's a very common commandline interface service used on servers (including my own). By using and forwarding a different, random, port, then even if it does attempt to probe that port the scanner has no real way to know what service "language" (like SSH) it should talk to the port to make it operate. (Most scanners don't bother, and look only for those ports, like 22, that have well defined functions.)
Leo
24-Feb-2010

Bombay Granny
February 24, 2010 11:13 AM

Not only am I in the same novice level as Jan, who wanted step-by-step instructions on how to change the router's password, I'd need to learn how to find the router, and how to find what kind of router i have.

Step by step instructions for one model of router have been here on the site for almost a year now: How do I change my router's password? - Remember, ALL ROUTERS ARE DIFFERENT, so these instructions may not apply exactly to your situation, but it'll at least give you the basic concepts.
Leo
25-Feb-2010

Bombay Granny
February 24, 2010 11:37 AM

After reading this article, I followed the links to some of the related articles and now have these questions: My computer is a stand-alone, not networked with any other. Is there any reason to change the router's password as long as I don't network with any other computer? And, since I am not networked with any other computer, do I even have a router? (I get my internet access through my TV cable company, who supplied the modem, though I'm not computer-savvy enough to know if this makes any difference or not.)

If your computer connects directly to the modem provided by your ISP, then you need to check with your ISP to see whether or not it is acting as a router, and whether the password can or needs to be changed. Yes, even if you have only a single computer you should change your router's password.
Leo
25-Feb-2010

Steve
February 26, 2010 10:09 AM

I've encountered this change router password subject in articles by several other tech newsletters. I promptly changed my Linksys (non-wireless) router ONLY TO FIND I COULD NOT CONNECT TO THE INTERNET! An ISP page came up instead wanting to run a diagnostic that ended up with a "call us" result. So I reset my router password but still got a failed connection.

So I called AT&T/SBCGLOBAL.NET (using a number I already had not the one I was given - paranoia pays, y'know!).

My ISP told me that there had to be some kind of password agreement with my user account...but several attempts by them to get things working again ended in disconnecting the router and straight connecting to the DSL modem.

There seemed to be some concern that the internet light on my modem was not lighting up (but I can tell you that it never did when the previous router and modem connection had ALWAYS worked).

Efforts focused on "bridging" and not bridging and PPO and PPOea, etc. and stuff the tech was vague about left my head spinning.

But I had a working modem-direct connection and since I had to leave for an appointment I thanked them, left it at that, and moved along. Later, I reinstalled the Linksys using the CD (which crashed 1/2 way through the install). In frustration, I cold booted the PC with the power off on the modem and the router. Waited a minute and powered them on and VOILA, everything was working again.

Now, about the paranoia part...so now my internet light on my modem is always on and frankly I'm a little concerned that I'm less secure than I was before since I imagine that my IP address is not that of the router but of my PC.

Should I be concerned. Should I go back to the ISP? Back to Linksys? Back to bed?

Thanks.

Roger
March 5, 2010 2:52 PM

Thanks Leo and all of you commentators!
I first logged onto my ISP's website and went to their FAQs pages. There, they showed me how to get to my Netgear router webpage from which I just followed the step by step instructions to set a password of my own and by the way disable the wireless function altogether!
Drastic did you say?
I never overlook my teacher's advice!
Cheers to all!

Adrian
March 6, 2010 8:15 PM

Thanks for your reply Leo.
I didn't realise before, that port scanners had to know what service the port was being used for to exploit it. See, I am learning stuff! /grins.

Leo wrote:
"if it does attempt to probe that (random - ed) port the scanner has no real way to know what service "language" (like SSH) it should talk to the port to make it operate"

Snipped from Wikipedia:
"A port may be forwarded for use by either the TCP protocol, the UDP protocol, or both."

I guess I just assumed that port scanners these days would be intelligent enough to know that non-standard (hence forwarded) ports, must be using one or both of the accepted TCP or UDP protocols.

But that aside, say a port scanner finds a port that it knows what service it's being used for, say POP on port 110, or NNTP on 119. Aren't firewalls configured to accept connections (in the appropriate protocols) through these ports? Can't it then exploit them? and if not, why not? I understand that some protocols are inherently secure, like SSH.

I'll also understand if you don't reply to this one, as it is a little OT. Or maybe there is a more appropriate discussion thread to post this to?

But cheers anyway Leo, for the invaluable understanding and advice you impart.

Oh BTW Steve, are you sure you didn't inadvertently change your internet account password (the one your ISP gave you), and not just the modem's login password?

Another thing to consider is that, even if it only has one physical port, your "modem" is *also* a router. It serves up LAN IP addresses, as does your "router". If by chance the router tries to use the same IP address as the modem (and I have seen that happen) you will have an IP address conflict. Resulting in the loss of your internet connection. But in any case, your modem/router is what's facing the internet, so it's a "no" to your paranoia question.

I really hope Leo doesn't mind if I point you towards a page at portforward dot com. Learning about port forwarding has increased my knowledge of networking appreciably. Even if you never do port forwarding, this stuff is worth knowing. You will at least learn why tech support tried to "bridge" your router. /smiles http://www.portforward.com/help/doublerouterportforwarding.htm

Best regards to all. ~Adrian (Lan Down Under)

"But that aside, say a port scanner finds a port that it knows what service it's being used for, say POP on port 110, or NNTP on 119. Aren't firewalls configured to accept connections (in the appropriate protocols) through these ports?"

No. The fundamental difference here is incoming versus outgoing - yes, you may use 110 for POP3, but that's an outgoing connection from your PC to your mail server. Your firewall continues to block 110 incoming connections. In reality there are typically no valid incoming connections in a normal home or small business setup. All the connections you make are outgoing - i.e. initiated by your computers connecting to an outside service.

Leo
08-Mar-2010
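
Leo's incoming-versus-outgoing distinction, together with the port-forwarding point from his earlier reply, modelled as a toy stateful router. This is an added example, not part of the original comments; the `HomeRouter` class, the addresses and the port numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class HomeRouter:
    """Toy stateful NAT firewall for the WAN side of a home router."""
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    flows: dict = field(default_factory=dict)     # (wan_port, remote_ip, remote_port) -> LAN socket
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; record it so replies can return."""
        wan_port = self.next_port
        self.next_port += 1
        self.flows[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Classify a packet arriving from the internet."""
        reply_to = self.flows.get((wan_port, remote_ip, remote_port))
        if reply_to:
            return ("reply", reply_to)
        if wan_port in self.forwards:
            return ("forwarded", self.forwards[wan_port])
        return ("dropped", None)


def demo():
    # All addresses and ports below are constructed sample values.
    router = HomeRouter()
    pc, mail, scanner = "192.168.1.50", "198.51.100.25", "192.0.2.77"
    results = {}

    # The PC fetches mail: an outgoing connection to the server's port 110.
    wan_port = router.outbound(pc, 51000, mail, 110)
    results["mail_reply"] = router.inbound(mail, 110, wan_port)

    # An outside host probes port 110 on the router: nothing asked for it.
    results["probe_110"] = router.inbound(scanner, 44444, 110)
    # Hitting the NAT port from a different host does not match the flow.
    results["wrong_sender"] = router.inbound(scanner, 110, wan_port)

    # SSH on a LAN server is forwarded from a non-standard WAN port.
    router.forwards[48222] = ("192.168.1.60", 22)
    results["probe_22"] = router.inbound(scanner, 44444, 22)
    results["probe_48222"] = router.inbound(scanner, 44444, 48222)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

The forwarded port is the only unsolicited traffic the model lets through, so the service behind it still needs its own strong authentication.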


A. Orcan
March 23, 2010 3:50 AM

Actually, for some routers, there might be several user/password combinations just as administrator, guest, etc. accounts in Windows. Example: admin/support/user in one of my modems. These may be disabled or not. If not, defaults may apply. I remember a friend claiming nobody could access his PC because of a fancy user/password combination he was using, but he simply forgot the other default accounts including the admin. Same goes true for many modems and should be checked and modified or disabled.

Ronald Gard
August 10, 2011 1:40 AM

Leo, I was able to find the router website and changed the password successfully. BUT... I could not find how to log OFF of the router setup page once I was done. I close the tab (firefox) and re-enter the ip address for the router set up and it goes right back in without asking for my password. How do I successfully LOG OFF this page?

Again that too depends entirely on the router. Look for a log-off button or link. If there isn't one then completely closing and restarting your browser often does the trick.
Leo
10-Aug-2011

Comments on this entry are closed.
