Should I change my router's password, and if so, how often?

Home » Networking » Small Business and Home Networking

Summary: Routers typically require a login and password for configuration that comes set to a factory default. Should you change it? Yes. How often? It depends.

We use a D-Link 2.4 GHz router, about 7-8 years old, for our home LAN. I read recently we ought to change passwords occasionally on the router. But I also had the thought that it might be time to upgrade. Any recommendations?

This question gets my standard answer #2: it depends.

It depends on things like having ever changed your password and whether or not you're using wireless access to your network, and if so, what kind of encryption you're running.

And yes, there's a scenario where an upgrade might be called for, but it's not age-related, it's about capability.

•

First off, let me ask this: have you ever changed your router's administrative password? If you answered "no", then go change it now.

The default password for most routers is something that's very easy to either just know or to look up. The reason you want to change it is that there is malicious software out there that, using Javascript in your browser, can actually attempt to access your router. Knowing the administrative password, if you've never changed it, that software can then reconfigure your router to disable many of its firewall characteristics and allow more serious malware to infect your system.

So you should change your router's password at least once. That was easy.

How often kind of depends.

In most cases, in my opinion, you never need to change it again. As long as it's not the default there's rarely a reason to change it.

However ... (and there's almost always a "however")

The "problem" with most router admin login security is that it's sniffable.

You'll note that you don't (and can't) use "https" to login to your router, only http. That means the traffic can be monitored by anyone on your network, and if they want, they can see the password that's being used to login to your router.

The good news is that most networks are "closed", meaning that you probably only have your own machines on the network, or machines that you implicitly trust. In addition, you probably don't access your router's administrative interface that often, so the login password isn't actually being transmitted very often for it to be visible in the first place.

The bad news is that many people have what they think are closed networks that are really open and to which anyone can connect.

Those are folks with unencrypted wireless connections or wireless connections using WEP encryptions. Any computer within signal range can connect to these networks and may be able to monitor the traffic on your network. That includes the router admin traffic if that's done wirelessly as well.

WEP encryption? Isn't that supposed to be secure? It was, but not any more. In fact I recently heard someone say that it's now often quicker to crack WEP security than it is to try and type in the password that's been used. The bottom line is that WEP is broken and practically equivalent to no encryption at all. WPA encryption, on the other hand, is secure.

So there's my upgrade recommendation:

• If you use WiFi on your network

• ... and the router or access point does not support WPA encryption

• ... and you're in a situation where you don't control who could be in range of your wireless network

... then you need to upgrade either your router or access point (and perhaps even your computer's WiFi hardware) to equipment that supports WPA. Or I suppose you could stop using WiFi.

Now, if you must operate an open WiFi hotspot - say you're an internet cafe owner - then you'll not only need to make sure your router has a non-default password, but you'll also need to make sure that you never change or access it using a wireless connection yourself. Changing your router's password or even accessing the admin interface using your wireless connection could expose the password to anyone in range who might be listening. Instead, make a wired connection to your router and administer it via that connection.

But after all that, I still don't really see a reason to then change the router's password periodically. It doesn't hurt, I suppose, but I'm not sure I see a real benefit as long as it's been changed at least once. If you've discovered that you've accessed your router via an insecure and sniffable route, then you might want to consider changing it (via that secure, wired connection).

And as long as your router is working for you and meets the WPA requirement if that applies to your situation, I see no real reason to upgrade either.

Related:

• Ask Leo! - What's the difference between a Hub, a Switch and a Router?

• Ask Leo! - How do I know if I'm behind a NAT router?

• Ask Leo! - Do I need a firewall, and if so, what kind?

Article 12072 | Posted December 11, 2007