In my opinion it is a no-brainer that not changing your default password on your router will increase the chances that you might lose control of the router. Think about how many times you have come across an unsecured wireless router and have been very tempted to try and log in to it using the default username/password.
If you were really mean you could even go and block the person from being able to access their own router, and if that person was smart enough they would just use the reset button typically located on the back of the unit. Where’s the problem though? If the person doesn’t realize that they should be using any kind of wireless security or know to change the default password, then they will probably not notice that they can reset the router to see if that works.
A new threat discussed over at CNet can really take advantage of anyone who still has the default username/password set on their router. Here’s how it works:
A researcher from Symantec said that he was able to get this to work on Linksys, D-Link, and Netgear routers without any trouble. He fears that phishers could start using this to inadvertently trick users into thinking that they are visiting a safe site.
I think the reason most people still have the default passwords set is because they have never been prompted to change them. Some routers will come with “installation” CDs that will walk you through creating a password and WEP key for wireless protection, but with others, a lot of people (like myself) will just plug the router in and configure it via its IP address. My guess is that a large portion of people plug the router in and say “hey, it already works so why read the manual?” Then the user doesn’t even bother to set up any wireless protection and they don’t even think twice about changing the password.
I do have to admit that finding unsecured wireless networks is becoming increasingly hard, even though WEP and WPA protection is crackable. Out of the 12 wireless networks that I currently have access to at this location, only 2 of them are unsecured (1 is unsecured and has the default “Netgear” router name, so I’m sure I could access that one in a matter of seconds). Sometimes I wonder if I would be better off logging into the unsecured routers and making my own password so that other people can’t break into it. I’m sure if people still have all of the defaults set on their router then they wouldn’t notice if I create my own password to protect them, after all they could just reset the router later on if they want access to it. ;)