March 8, 2008 5:59 PM PST

Defending your router, and your identity, with a password change

Recently, in the techie Q&A column in the New York Times, someone asked about changing the password in their router. Due to space limitations, the answer by J. D. Biersdorfer was short, too short. This is what you need to know.

Every router, wired or wireless, has an internal website used to make configuration changes. Accessing this internal website requires a userid/password, something totally independent of any wireless network passwords.

A year ago, in my prior blog, I discussed why it is so important to change the default router password (see Home routers can be dangerous. VERY dangerous). In brief, if your router is using the default password, your computer is vulnerable to an attack where the router is re-configured. Specifically, the dangerous configuration option is the DNS server. For an introduction to the concept of DNS servers, see my prior posting on OpenDNS.

Malicious DNS servers can result in your visiting a website, any website, and ending up at a phony version of the site run by bad guys. If the website is that of a bank or credit card company, and you enter a userid/password, you can kiss your identity, and money, good-bye.

There are three steps to changing the password in a router:*
  1. Find the router on the network
  2. Log in to the website built into the router
  3. Hunt around for the appropriate web page

If your router was set up by a good techie, there should be a piece of paper next to it with the IP address, userid and password. I'm sure this is rare.

Step 1: Find The Router On Your Network

Every computer on a network is assigned a unique number. The most common networking protocol, TCP/IP, uses a 32 bit binary number which is written as four decimal numbers separated by periods (such as 192.168.1.1). The unique number for computers on a TCP/IP network is called an IP address.

You can find the IP address of the router in the following ways:

1. The person who set it up tells you.

2. If you have the manual for the router, it will have the default IP address. In my experience, the default IP address is rarely changed.

3. You can download an electronic version of the manual from the website of the company that manufactured the router. Again, this will have the default IP address.

Output from the ipconfig command in Windows
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . : localdomain2
IP Address. . . . . . . . . . . . : 192.168.1.88
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

4. The most reliable method is to ask the TCP/IP software running on your computer. It always knows where the router is. In Windows XP, Vista and 2000, open a command prompt window and enter the command "ipconfig" (see above). The IP address of the router is identified by Windows as the "Default Gateway".

Open your web browser and type this number into the address bar, as shown below.

This will connect you with the website that lives inside the router. This website will look and act like any other website even though, technically, it is not on the world wide web.
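
Added example (not part of the original post): Python that parses "ipconfig /all" output, reads the Default Gateway as the router address, and lists any DNS server that is not on a list you trust, since the DNS server is the setting a reconfigured router puts at risk. The sample text, the trusted address list and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of "ipconfig /all" output (not a real capture).
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain2
        IP Address. . . . . . . . . . . . : 192.168.1.88
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# "Label . . . . : value" -- at least one dot must precede the colon.
FIELD = re.compile(r"^\s+(.+?)(?:\s*\.)+\s*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}}."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            current, last = adapters.setdefault(line.rstrip(": "), {}), None
            continue
        match = FIELD.match(line)
        if match and current is not None:
            last = match.group(1)
            current[last] = [match.group(2)] if match.group(2) else []
        elif last:  # continuation line, e.g. a second DNS server
            current[last].append(line.strip())
    return adapters

def audit(adapters, trusted_dns):
    """Return (adapter, gateway, unexpected DNS servers) per adapter with a gateway."""
    trusted = {ipaddress.ip_address(a) for a in trusted_dns}
    report = []
    for name, fields in adapters.items():
        gateways = fields.get("Default Gateway", [])
        if not gateways:
            continue
        dns = [ipaddress.ip_address(a) for a in fields.get("DNS Servers", [])]
        report.append((name, gateways[0], [str(a) for a in dns if a not in trusted]))
    return report

if __name__ == "__main__":
    print(audit(parse_ipconfig(SAMPLE), trusted_dns=["192.168.1.1"]))
```

If the computer lists the router itself as its DNS server, this check only confirms that; the DNS servers the router forwards to still have to be read from the router's own configuration pages.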

Step 2: Find The Password

Before you can see the router configuration website, you have to provide a password and possibly a userid. Usually you can't change the userid, so I'll focus on the password. In the example below, of logging in to a Belkin router, there isn't even a userid, just a password.

Logging in to a Belkin Router

Below is a screen shot of logging into a Linksys router. Note that you are instructed to leave the userid blank, and only enter a password.

Logging in to a Linksys Router

If you don't know the router password, start by trying the default one. The New York Times article mentioned two websites where you can find the default userid and password for many routers (here and here). Be aware, though, that the sites are neither authoritative nor comprehensive. You can also find the default userid and password in the manual for the router.

If the default password doesn't work, you are safe from malicious software changing the DNS servers. Still, it's a good idea to know the password for your router.

Changing a non-default password without knowing it requires resetting the router back to the factory default settings. There should be a small Reset button for just this purpose. You may have to unwind a paper clip to press the button and may have to hold it pressed for a few seconds. The manual should explain the procedure.

Step 3: Change The Password

Simply put, you'll have to do some hunting around the website to find the page for changing the password. Every router I've seen has a different interface.

In a Linksys router it may be in the Administration tab. In a Belkin router, try the System Settings. In a recent D-Link router, you changed the password in the Admin sub-section of the Tools section.

Rather than hunt, if you have the manual in Adobe Acrobat PDF format, try doing a find for the word "password". Unfortunately, routers are complicated and there are many passwords. The password to log in to the router is not the PPPoE password, or the PPTP password or the L2TP password. It also has nothing to do with the password for the wireless network.

D-Link may add more complication. Their routers may have an admin password for logging in to the router and making changes, and a separate user password for logging in to the router in read-only mode.

After changing the password, you will likely get bounced out of the website and forced to log in with the new password. Do so, just to be sure the new password is working. Now write down the userid and password on a piece of paper and tape it to the router. For good luck, include the IP address too.

Be Angry?

If the person that set up your router did not tell you the IP address, userid and password, they are incompetent. It's like buying a new car and not being able to open the hood to get to the engine. The car will run and work fine, for a while. Maybe quite a while. But there will come a time when you need to poke around the engine and you won't be able to.

If your router was using the default userid/password then the person that set it up is worse than incompetent, they are guilty of negligence. It's not inconceivable for this to result in a lawsuit someday.

Update. March 11, 2008: I just set up a new Belkin N Mimo router. Not only does the new model continue the tradition mentioned above of supporting only a password (no userid), the default password is no password.

*Note: There may also be software for managing the router, but finding and installing the software can be a headache of its own. Also, there is no standard for how the software works.

See a summary of all my Defensive Computing postings.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
