Helping people with computers... one answer at a time.

Routers typically require a login and password for configuration that comes set to a factory default. Should you change it? Yes. How often? It depends.

We use a D-Link 2.4 GHz router, about 7-8 years old, for our home LAN. I read recently we ought to change passwords occasionally on the router. But I also had the thought that it might be time to upgrade. Any recommendations?

This question gets my standard answer #2: it depends.

It depends on things like having ever changed your password and whether or not you're using wireless access to your network, and if so, what kind of encryption you're running.

And yes, there's a scenario where an upgrade might be called for, but it's not age-related, it's about capability.

First off, let me ask this: have you ever changed your router's administrative password? If you answered "no", then go change it now.

The default password for most routers is something that's very easy to either just know or to look up. The reason you want to change it is that there is malicious software out there that, using Javascript in your browser, can actually attempt to access your router. Knowing the administrative password, if you've never changed it, that software can then reconfigure your router to disable many of its firewall characteristics and allow more serious malware to infect your system.

"So you should change your router's password at least once."

So you should change your router's password at least once. That was easy.

How often kind of depends.

In most cases, in my opinion, you never need to change it again. As long as it's not the default there's rarely a reason to change it.

However ... (and there's almost always a "however")

The "problem" with most router admin login security is that it's sniffable.

You'll note that you don't (and can't) use "https" to login to your router, only http. That means the traffic can be monitored by anyone on your network, and if they want, they can see the password that's being used to login to your router.

The good news is that most networks are "closed", meaning that you probably only have your own machines on the network, or machines that you implicitly trust. In addition, you probably don't access your router's administrative interface that often, so the login password isn't actually being transmitted very often for it to be visible in the first place.

The bad news is that many people have what they think are closed networks that are really open and to which anyone can connect.

Those are folks with unencrypted wireless connections or wireless connections using WEP encryptions. Any computer within signal range can connect to these networks and may be able to monitor the traffic on your network. That includes the router admin traffic if that's done wirelessly as well.

WEP encryption? Isn't that supposed to be secure? It was, but not any more. In fact I recently heard someone say that it's now often quicker to crack WEP security than it is to try and type in the password that's been used. The bottom line is that WEP is broken and practically equivalent to no encryption at all. WPA encryption, on the other hand, is secure.

So there's my upgrade recommendation:

  • If you use WiFi on your network

  • ... and the router or access point does not support WPA encryption

  • ... and you're in a situation where you don't control who could be in range of your wireless network

... then you need to upgrade either your router or access point (and perhaps even your computer's WiFi hardware) to equipment that supports WPA. Or I suppose you could stop using WiFi.

Now, if you must operate an open WiFi hotspot - say you're an internet cafe owner - then you'll not only need to make sure your router has a non-default password, but you'll also need to make sure that you never change or access it using a wireless connection yourself. Changing your router's password or even accessing the admin interface using your wireless connection could expose the password to anyone in range who might be listening. Instead, make a wired connection to your router and administer it via that connection.

But after all that, I still don't really see a reason to then change the router's password periodically. It doesn't hurt, I suppose, but I'm not sure I see a real benefit as long as it's been changed at least once. If you've discovered that you've accessed your router via an insecure and sniffable route, then you might want to consider changing it (via that secure, wired connection).

And as long as your router is working for you and meets the WPA requirement if that applies to your situation, I see no real reason to upgrade either.

Article C3234 - December 11, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

3 Comments
Eli Coten
December 15, 2007 4:33 PM

Some routers, especially Linksys ones, but probably others as well can be configured to be administered over using HTTPS protocol thereby (presumably) encrpying any admin passwords that could be transmitted.

pepsi das
January 28, 2009 10:00 PM

i am all ready configure router and set the password presently this router is working in good condition but few day later i forget the password -----if any process to recover or change password of without change the configuration i want only password -----

No. Most routers have a procedure to reset it to factory settings, including the original password and settings. But there's no way to just get or reset only the password.
- Leo
29-Jan-2009

JimBob
March 4, 2010 12:51 PM

So i have a WPA security enable on my wireless router. You need to enter a 24 character key to get access. I decided to reset my security settings and it gave me a new 24 character password. The issue i have is this- I have several computers that pick of the wifi signal that used the old access key, and they still can connect to the internet. I don't want certain computers to connect anymore, that's why i reset it. How is it possible that they still can access it??

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.