# [Solved] Why should I bother changing my broadband router's default password?



## qubit (Jan 29, 2014)

Ok, this isn't quite the numpty question that it first appears and here's my reasoning:

Firstly, there's no threat at all from inside my network from malicious household members, naughty kids etc. So no one's gonna log into it and screw it up. What about an infected PC? Well, I don't remember ever getting a malware infection in the 15+ years I've had PCs since I take all the usual precautions, so this is a very unlikely problem.

Secondly, the external web interface is switched off so no one can attempt to try and log in to it.

Thirdly I have the SPI firewall switched on.

I leave it like this, because I find it very convenient to leave the default password as it is since it prevents me having to do a potential router factory reset should I forget it and can't find it written down somewhere.

So, if you think I have a gaping security hole here, I'd like to hear about it. 

EDIT: I have Wi-Fi turned off on my router too. It's ethernet only for me.


----------



## brandonwh64 (Jan 29, 2014)

They are ways around it but really pointless to try. I usually set them to something other than the default though.


----------



## micropage7 (Jan 29, 2014)

its up to your situation
if theres no threat its ok to leave it default


----------



## FordGT90Concept (Jan 29, 2014)

If you want to have unprotected sex, you're responsible for the consequences.


----------



## FX-GMC (Jan 29, 2014)

FordGT90Concept said:


> If you want to have unprotected sex, you're responsible for the consequences.



Those viruses can be slightly more permanent tho.....


----------



## qubit (Jan 29, 2014)

FordGT90Concept said:


> If you want to have unprotected sex, you're responsible for the consequences.


You'll have to do better than that.

Given my scenario, I'd be grateful if you could explain exactly why it's such a risk.


----------



## erocker (Jan 29, 2014)

Even a simple password that anyone can remember is probably better than using the default password. It's really not a hard choice to make.


----------



## qubit (Jan 29, 2014)

erocker said:


> Even a simple password that anyone can remember is probably better than using the default password. It's really not a hard choice to make.


Oh I know and everywhere else I do just that. It's just so convenient to leave it like this for my routers.

Also, it's just that I've been doing this for years with my routers and have never had a problem so I'm curious to know if I've missed something. From the answers I'm getting here, it looks like I'm doing ok.

In any security related advice one reads you always see them say to change the password and I agree with that in general. It's just that in my scenario, it would seem that I can get away without doing this.


----------



## jihadjoe (Jan 29, 2014)

The answer really is why not?
It takes minimal effort to set a new password, and in the off chance that you do contact malware that makes use of a table of default router passwords you'll be safer for having changed it.


----------



## Sasqui (Jan 29, 2014)

Mussels will use one of his Cantennas and take over your network, then your world.  Be warned.


----------



## Kreij (Jan 29, 2014)

It's true that there is but a slim chance your router may be compromised, but if you can make that chance even slimmer through a simple password change it would seem prudent to do so, no?


----------



## FordGT90Concept (Jan 29, 2014)

qubit said:


> It's just that in my scenario, it would seem that I can get away without doing this.


Sure, but for how long?  I could envision someone compromising one of your computers through a software exploit then using that terminal to access the router to forward ports, start a service to listen on that port (e.g. RDC), and then they have a backdoor to do whatever they want with your computer, whenever they want.  That includes highly illegal things like distributing illegal content (e.g. child porn).

Point is: it's easy to establish reasonable security.  There's absolutely no reason not to except general laziness and that is never a valid excuse.


----------



## Divide Overflow (Jan 29, 2014)

It might be really inconvenient to have to lock my front door and carry a house key around with me everywhere.  The area is pretty safe and the chances of someone actually attempting to get in are pretty small.  But the cost of that happening?  It's well worth the trivial task of securing things properly.


----------



## qubit (Jan 29, 2014)

Ok thanks people, so it looks like there really isn't much chance of getting nailed by doing this and you have answered my question.

I agree that it's prudent to change it just in case something does find a way in and I've now done it.


----------



## 95Viper (Jan 29, 2014)

I am going to say change it.  Why? Depends on your own level of paranoia; and, it is simple for most who understand how to.
And, if need be, you can always set the router back to default, with the original password, anytime you wish.

If the router was supplied by your ISP... chances are they recorded it and you can figure that one out.
Manufacturers probably record them; and, if that data were to leak; all someone would need to do is pull your router info and compare it to get the default passwords. (remote possibility, however, still a possibility)

I do know of a particular (ISP) company that does record the default passwords; so, if they need to access the router they can (for maintenance,customer problems, etc.).

Now, if you block the outside access, all fine and dandy... but, your average user does not even understand what a router actually is... much less blocking outside access or router settings.

And, then there is what Ford stated in post #12.

Three letters... NSA.  Be paranoid... be very paranoid!


----------



## redeye (Jan 29, 2014)

remember if you have physical access to the router it is moot point... meaning  to reset it to default, you just need to hit the reset button for what 20 seconds ...boom ...Your in.

now the The question is can you access the router set up menu from the Internet...?. dont know... have heard of exploits that change your DNS address, from the internet... (my old sagemcom modem, required the serial number to be entered in order to change the dns address... for example if i wanted to change it use unblock-us.com to get the US content from canada...)

their is also the question of the port 30005 (or others) that allow access to the router.

while i have changed the routers password on my router, it is a it is a trivial matter to reset it if you have access to the router...

so really you just need to determine if you can only access the router set up from a non-routable Internet address... (192.168....) i think you can set an apple airport extreme to allow setup over the WAN (internet) but apple does warn you about the security implications...


----------



## qubit (Jan 30, 2014)

95, redeye - yes, I have turned off web access as in my OP. Leaving the default password with web access on would indeed be a very numpty thing to do.

But I get the point about being extra careful from eveyone's reply and have already changed it.

My router is a TP-Link one, not the one the ISP provided me with, so their backdoors don't apply to me.


----------



## remixedcat (Jan 30, 2014)

Why wouldn't you change your admin password?


----------



## qubit (Jan 30, 2014)

remixedcat said:


> Why wouldn't you change your admin password?


For convenience, as I explained in my OP. However, you lot have convinced me to do it and I've already done it as I explained above.


----------



## remixedcat (Jan 30, 2014)

Yey Good jorb


----------



## Mussels (Jan 30, 2014)

qubit said:


> Ok, this isn't quite the numpty question that it first appears and here's my reasoning:
> 
> Firstly, there's no threat at all from inside my network from malicious household members, naughty kids etc. So no one's gonna log into it and screw it up. What about an infected PC? Well, I don't remember ever getting a malware infection in the 15+ years I've had PCs since I take all the usual precautions, so this is a very unlikely problem.
> 
> ...



because bad people like me with good knowledge of wifi security can breach your network in anything from 10 minutes to 2 weeks. the people who can hack it are limited to say, within 1KM of your location - but if you have a bunch of neighbours you dont know, you cant be sure they wont try and hack you. all it takes is one $30 wifi adaptor off ebay, a spare PC, and patience. the tools are automated these days.

me and a friend competed to see how many networks would could breach in a week (and yes, we left them alone - we just wanted to figure out what brands/settings were secure) and we managed anywhere from 1 to 5 networks a day, depending on security.

the major ISP around here has a flaw in all their older, very common wifi G routers that allows you to crack it within 48 hours, for example - so a scan for wifi G routers with their name in the SSID, start the attack, login to router with default admin/admin, save a backup of the routers settings and open the backup. we then have their phone number and last name (name is used for login) and we can login to their web account if we wanted to and snoop for even more details.

simply changing the routers password would mean we had internet access and possibly access to shared folders on the network, but nothing else.

(FWIW: use WPA2-PSK and a 10+ character password that is NOT a name or word. those take weeks to months to crack, and most people would merely give up. disable WPS 'pin code' features as well, those are a major weakness)


----------



## qubit (Jan 30, 2014)

Oh yes, using Wi-Fi is a definite no-no in my household - nothing worse than exposing your internal network to anyone within radio range. It's all ethernet cables for me. My bad I forgot to say in my OP that I don't use Wi-Fi. I've fixed this with an edit now.

Great explanation you've got there anyhow. 

And yes, I know you're a Bad Person, Mussels.


----------



## Tonduluboy (Jan 30, 2014)

Been using wireless router for the past 6-8 yrs, replaced few. However, due to my location etc etc i never change my any default password for the same reason with OP.
The closes neighbour is my relative which is 100m away.  I saw my cousin hacking other people wireless internet in just  a few mins using an illegal software n hardware bought thru internet cheaply.

My point is, most people dont go around n sneak into your router. Even if you have a new password, if somebody who know how to crack it really wanna break into your router there is always a way.
Anyway, if you wanna feel more secure, key in a new password is always a good move.


----------



## redeye (Jan 30, 2014)

remixedcat said:


> Why wouldn't you change your admin password?



sometimes, those that don't have great memory, prefer to leave "unimportant" passwords as is...

(if you forget the password to the router, it is a pain to factory reset your router, and recreate the setup... for example it is a pain in some routers to setup DHCP reservations... having to type in the mac address for each device (mythtv, 3 tuners)...  thus sometimes it is easier to leave it at the default password.)

but Mussel's explaination is a good reason to change it to something not stock(although he is explaining that you should not use the default ISP name/password for for SSID, which also applys to the setup page name/password.... if course, the strength of your password then becomes a concern.   (or your could allow wifi surfing only on the guest wifi channel... it only allows internet access)


----------



## 95Viper (Jan 30, 2014)

redeye said:


> sometimes, those that don't have great memory, prefer to leave "unimportant" passwords as is...
> 
> (if you forget the password to the router, it is a pain to factory reset your router, and recreate the setup... for example it is a pain in some routers to setup DHCP reservations... having to type in the mac address for each device (mythtv, 3 tuners)...  thus sometimes it is easier to leave it at the default password.)



Most routers that I have dealt with allow you to backup those settings, for those moments of need.


----------



## redeye (Jan 30, 2014)

duplicate...


----------

