The Great Default Password Debate
Almost every wireless access point and wireless router has a Web interface that an administrator can use to configure the device to work with their network. This interface is typically accessible by opening a Web browser and going to http://192.168.0.1. Believe it or not, it’s this interface that represents a major threat to a wireless network’s security.
To give you an idea of what I mean, consider this. A couple of months ago, I got a phone call from a friend. Her ISP had sent her a letter saying that they were going to be switching to a different set of DNS servers and that customers needed to update their Internet routers with the new addresses. Not being very computer literate, my friend didn’t know what this meant or how to make the required change.
Since my friend lives on the other side of the country, I couldn’t just go to her office and modify her settings for her. I had to talk her through the process over the phone. The first thing that I asked her to do was to log into her wireless router. Of course she didn’t know how to do that, so I asked her what brand of router she was using. When she told me that she was using a Netgear router, I did a quick Internet search to find out what default password Netgear uses. I was immediately able to tell her that the default username was admin (all lower case) and that the default password was password (all lower case). Older Netgear routers use 1234 as the default password.
My point is that I knew absolutely nothing about my friend’s network, and yet I was able to get her logged in within a couple of minutes by doing a simple Google search. There is absolutely nothing stopping a hacker from doing the same thing. As such, one of your top priorities in securing your wireless network should be changing the access point’s default password.
Several years ago, I gave a presentation on wireless network security to a group of IT professionals. At the end of my presentation, I mentioned changing the wireless access point’s default password among my list of security recommendations. Imagine my surprise when someone in the audience told me that it is better to keep the default password.
Several years ago, I had heard a myth about wireless access point passwords being irrelevant, but admittedly I didn’t put enough stock in the myth to even bother investigating it further. Now I had an IT professional challenging me on the issue in front of a room full of other IT pros.
I didn’t want to look silly if I was wrong to dismiss the myth, but I didn’t want to be a jerk and tell the guy to quit interrupting me either. I decided to ask him to explain his reasoning so that we might all learn from each other.
The guy explained that wireless access points aren’t something that you configure every day, and that you can lock yourself out of a router if you forget its password. He also argued that my security concerns about the default password were invalid because the 192.168.x.x address range that wireless access points use by default is unroutable. As such, someone would have to be physically connected to the network before they would even be able to interact with the access point.
Well, he was right about one thing. The 192.168.x.x address range is unroutable, and you must be connected to the network in order to interact with it. I think that what the man was probably thinking is that nobody is going to be able to access the 192.168.x.x address range through your Internet connection.
While the likelihood of someone accessing that address range over the Internet is low, the truth is that they don’t have to. A user can connect directly to a wireless access point through a wireless connection. As such, anybody within close proximity who knows the wireless access point’s default IP address, username, and password can log into the access point’s Web interface.
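The reachability argument above, as an added example that is not part of the original article: a small offline audit that flags access points still using the default logins named earlier and lists which wireless clients share the management subnet. The inventory format, field names, device names and addresses are constructed assumptions for illustration.

```python
import ipaddress

# Vendor defaults named in the article (admin/password, older units admin/1234).
DEFAULT_CREDENTIALS = {("admin", "password"), ("admin", "1234")}


def on_link(client_ip, mgmt_ip, prefix_len):
    """True if the client shares the management interface's subnet,
    meaning it reaches the Web interface without any routing at all."""
    subnet = ipaddress.ip_interface(f"{mgmt_ip}/{prefix_len}").network
    return ipaddress.ip_address(client_ip) in subnet


def audit(access_points, wireless_clients):
    """Return one finding per access point that still uses a default login,
    listing the wireless clients that can reach its management address."""
    findings = []
    for ap in access_points:
        if (ap["username"], ap["password"]) not in DEFAULT_CREDENTIALS:
            continue
        mgmt = ipaddress.ip_address(ap["mgmt_ip"])
        reachable = [c for c in wireless_clients
                     if on_link(c, ap["mgmt_ip"], ap["prefix_len"])]
        findings.append({
            "name": ap["name"],
            # False for 192.168.x.x: the address is private, not Internet-routable.
            "internet_routable": mgmt.is_global,
            "reachable_from": reachable,
        })
    return findings


# Constructed sample inventory and client list (hypothetical, not real devices).
SAMPLE_APS = [
    {"name": "office-ap", "mgmt_ip": "192.168.0.1", "prefix_len": 24,
     "username": "admin", "password": "password"},
    {"name": "lab-ap", "mgmt_ip": "192.168.1.1", "prefix_len": 24,
     "username": "admin", "password": "constructed-non-default"},
]
SAMPLE_WIRELESS_CLIENTS = ["192.168.0.57", "192.168.0.112", "192.168.1.20"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_APS, SAMPLE_WIRELESS_CLIENTS):
        print(finding)
```

The finding for the sample office access point shows an address that is not Internet-routable yet is directly reachable by two associated wireless clients, which is why the private address range does not make the default password safe.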
So what does that mean? Well, if an intruder manages to log into your access point, it does not mean that they have compromised the computers on your network (yet). Wireless access points have their own built-in authentication mechanism that is completely separate from your Windows domain controllers. As such, a user who is able to log into your access point’s Web interface is not automatically able to log into your Windows domain.
Having said that, if a user is able to log into your access point, they own that access point. There is nothing stopping that user from changing the access point’s password and locking you out. The user may also be able to gain other sensitive information by exploring the access point’s logs and security settings.
This leads me to another point. The guy who questioned the need for changing a wireless access point’s default password said that if you were to change the password and forget what you changed it to then you would be locked out of the access point. Well, the same thing could be said for a situation in which a rogue user breaks into your access point and changes its password on your behalf.
In either situation though, you will not be permanently locked out. Wireless access points include a reset button that you can use to restore the access point to its factory defaults. Granted, if you reset an access point you will have to reconfigure it, but the reset button keeps you from being permanently locked out.
In my opinion, the question of whether you should continue to use the default password on a wireless access point, or if you should change the password to something else isn’t even up for debate. There is simply no denying the fact that continuing to use the default password presents security risks that can easily be mitigated by using a different password. Of course there is a lot more to securing your wireless network than just changing your wireless access point’s default password (although that is an important first step).
In Part 3 of this series, I want to talk about another aspect of wireless network security that is often debated. Some IT security professionals insist that you should not broadcast your wireless network’s Service Set Identifier (SSID), while others claim that broadcasting an SSID is harmless. I will show you both sides of the issue, and offer you my own opinion as to whether or not you should disable SSID broadcasting.