Changing the administrative password to something strong and unguessable is crucial. With the administrative password, the bad guys have complete control of your router and can do nasty things, including turning it into a spyware tool and gateway through which they perform other nefarious acts.
Making the password strong will make it very difficult to guess, and harder to get through using brute-force methods. Changing the passwords regularly will also make them that much harder to crack.
If the administrative password is compromised by hackers, the results can be devastating. They can completely control your WiFi router and use it as a stepping stone to compromise every device and network that connects to it.
While a strong password makes it harder for hackers to guess at, it can still be guessed—it just takes longer. If the router is not configured properly, then the password can be retrieved by the hackers (see Universal Plug-N-Play below).
Making the Administrator password strong and rotating it periodically is a great way to keep hackers at bay. Unfortunately, there are so many ways hackers can retrieve and derive even strong passwords on WiFi routers that this is still only a 4/5 shields rating. It needs to be done, but other precautions also need to be taken in order to protect the router.
Think of your router as being its own website. It is a web server that provides configuration and administration screens to manage your router.
The first time you power on a router, the administrator username and password to access the configuration are usually set to well-known values (meaning even the bad guys know them!) and are probably published in the WiFi router’s documentation. In the case of my demonstration router, the initial username and password are found on page 125 of the documentation:
The default IP address is 192.168.0.1. When logging in, the username is admin and leave the password box empty.
The scary thing is that the bad guys have access to the same documentation, so they know your initial password too. So change it!
Most routers provide a navigation menu to get you to a variety of configuration and administration functions. Check your documentation on how to change the password. In the case of the demonstration router, it is found on the tools page.
When changing any password, there are a few rules to follow:
- Never re-use a password. Make each one unique.
- Use a random set of letters (both upper and lower case), numbers, and special symbols. 14 characters is a nice password length.
- Never use words, names or anything else that can be found on your social network (like the name of your first dog, or favourite beach!).
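The rules above can be applied mechanically. The Python below is an added example, not part of the original article: it generates a 14-character password from the operating system's secure random source and checks a password against the rules. The symbol set and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed symbol set for this example; some router admin pages reject
# certain characters, so trim it to what your router accepts.
SYMBOLS = "!#$%*+-=?@^_"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def meets_rules(password, previously_used=(), length=14):
    """Check the rules above: long enough, all four classes, never re-used."""
    if len(password) < length or password in previously_used:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(previously_used=(), length=14):
    """Draw from the OS CSPRNG and redraw until every rule is satisfied.

    Redrawing the whole password (instead of forcing one character per
    class into fixed positions) keeps every accepted password equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_rules(candidate, previously_used, length):
            return candidate


def entropy_bits(length=14):
    """Upper bound on guessing work: log2(alphabet size ** length)."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    old = {"Summer2019!"}  # constructed sample of passwords already used elsewhere
    print(generate_password(previously_used=old))
    print(f"about {entropy_bits():.0f} bits of entropy")
```

Words, names and dates cannot be caught by a simple check like this; generating the password randomly is what keeps them out.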
Once you have settled on a nice, strong password, go ahead and write it down first, then change it on the WiFi router. The router will likely ask you to log in using the new password.
One other piece of advice: if you cannot log into your WiFi router and you are sure that you are using the correct password, then you most likely are typing it wrong or you’re not actually using the current password. Worst case, the password may have been changed by hackers.
If you absolutely cannot log in, then consider performing a Factory Reset. Check your documentation—most WiFi routers have a recessed reset button (typically pushed with a paper clip) that allows the router to be reset to where it was when you first took it out of the box. You can then set it up all over again.
If, after a factory reset, the router administrative console looks and behaves differently than your documentation says it should, or you are still unable to log in with the original default credentials, then you may need to consider that hackers have replaced your firmware with their own.
If that is the case, the safest thing to do is consider the WiFi router compromised and seek professional technical assistance. The easiest (but possibly expensive) fix is to buy a new router and start over. The less expensive, but more technically challenging and time-consuming fix is to replace the firmware with a known-good version. This can be very complicated, and success is not guaranteed, depending on how the router has been compromised.