Recently, in the techie Q&A column in the New York Times, someone asked about changing the password in their router. Due to space limitations, the answer by J. D. Biersdorfer was short, too short. This is what you need to know.
Every router, wired or wireless, has an internal website used to make configuration changes. Accessing this internal website requires a userid/password, something totally independent of any wireless network passwords.
A year ago, in my prior blog, I discussed why it is so important to change the default router password (see Home routers can be dangerous. VERY dangerous). In brief, if your router is using the default password, your computer is vulnerable to an attack where the router is re-configured. Specifically, the dangerous configuration option is the DNS server. For an introduction to the concept of DNS servers, see my prior posting on OpenDNS.
Malicious DNS servers can result in your visiting a website, any website, and ending up at a phony version of the site run by bad guys. If the website is that of a bank or credit card company, and you enter a userid/password, you can kiss your identity, and money, good-bye.
There are three steps to changing the password in a router:*
1. Find the router on the network
2. Log in to the website built into the router
3. Hunt around for the appropriate web page
If your router was set up by a good techie, there should be a piece of paper next to it with the IP address, userid and password. I'm sure this is rare.
Step 1: Find The Router On Your Network
Every computer on a network is assigned a unique number. The most common networking protocol, TCP/IP, uses a 32-bit binary number which is written as four decimal numbers separated by periods (such as 192.168.1.1). The unique number for computers on a TCP/IP network is called an IP address.
You can find the IP address of the router in the following ways:
1. The person who set it up tells you.
2. If you have the manual for the router, it will have the default IP address. In my experience, the default IP address is rarely changed.
3. You can download an electronic version of the manual from the website of the company that manufactured the router. Again, this will have the default IP address.
4. The most reliable method is to ask the TCP/IP software running on your computer. It always knows where the router is. In Windows XP, Vista and 2000, open a command prompt window and enter the command "ipconfig" (see below). The IP address of the router is identified by Windows as the "Default Gateway".
Output from the ipconfig command in Windows
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain2
IP Address. . . . . . . . . . . . : 192.168.1.88
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Open your web browser and type this number into the address bar, as shown below.
This will connect you with the website that lives inside the router. This website will look and act like any other website even though, technically, it is not on the world wide web.
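A check for the DNS change warned about earlier, as an added example that is not part of the original post: it parses the text printed by "ipconfig /all" (the /all switch adds the DNS Servers line) and reports any DNS server that is neither the router itself nor on a list you trust. The sample output is constructed, and the function names are illustrative.

```python
import re

# Constructed sample in the style of "ipconfig /all" on Windows XP (not captured
# from a real machine). The second DNS server is on an unlabeled continuation line.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain2
        IP Address. . . . . . . . . . . . : 192.168.1.88
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

# "Label . . . : value" lines; the label is followed by dots/spaces and " :".
FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]* : ?(.*)$")
WANTED = {"Default Gateway": "gateway", "DNS Servers": "dns"}

def parse_ipconfig(text):
    """Return {adapter: {"gateway": [...], "dns": [...]}} from ipconfig text."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {"gateway": [], "dns": []})
            field = None
            continue
        m = FIELD.match(line)
        if m:
            field, value = WANTED.get(m.group(1).strip()), m.group(2).strip()
        else:
            value = line.strip()  # continuation of the previous field
        if current is not None and field and value:
            current[field].append(value)
    return adapters

def unexpected_dns(adapters, trusted=()):
    """List (adapter, server) pairs whose DNS server is neither the router nor trusted."""
    return [(name, server)
            for name, info in adapters.items()
            for server in info["dns"]
            if server not in set(info["gateway"]) | set(trusted)]

if __name__ == "__main__":
    for adapter, server in unexpected_dns(parse_ipconfig(SAMPLE)):
        print(f"{adapter}: unexpected DNS server {server}")
```

If the computer lists only the router as its DNS server, the router is relaying the lookups, and the setting that matters is the DNS server shown on the router's own configuration pages.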
Step 2: Find The Password
Before you can see the router configuration website, you have to provide a password and possibly a userid. Usually you can't change the userid, so I'll focus on the password. In the example below, of logging in to a Belkin router, there isn't even a userid, just a password.
Logging in to a Belkin Router
Below is a screen shot of logging into a Linksys router. Note that you are instructed to leave the userid blank, and only enter a password.
Logging in to a Linksys Router
If you don't know the router password, start by trying the default one. The New York Times article mentioned two websites where you can find the default userid and password for many routers (here and here). Be aware, though, that the sites are neither authoritative nor comprehensive. You can also find the default userid and password in the manual for the router.
If the default password doesn't work, you are safe from malicious software changing the DNS servers. Still, it's a good idea to know the password for your router.
Changing a non-default password without knowing it requires resetting the router back to the factory default settings. There should be a small Reset button for just this purpose. You may have to unwind a paper clip to press the button and may have to hold it pressed for a few seconds. The manual should explain the procedure.
Step 3: Change The Password
Simply put, you'll have to do some hunting around the website to find the page for changing the password. Every router I've seen has a different interface.
In a Linksys router it may be in the Administration tab. In a Belkin router, try the System Settings. In a recent D-Link router, you changed the password in the Admin sub-section of the Tools section.
Rather than hunt, if you have the manual in Adobe Acrobat PDF format, try doing a find for the word "password". Unfortunately, routers are complicated and there are many passwords. The password to log in to the router is not the PPPoE password, or the PPTP password or the L2TP password. It also has nothing to do with the password for the wireless network.
D-Link may add more complication. Their routers may have an admin password for logging in to the router and making changes, and a separate user password for logging in to the router in read-only mode.
After changing the password, you will likely get bounced out of the website and forced to log in with the new password. Do so, just to be sure the new password is working. Now write down the userid and password on a piece of paper and tape it to the router. For good luck, include the IP address too.
If the person that set up your router did not tell you the IP address, userid and password, they are incompetent. It's like buying a new car and not being able to open the hood to get to the engine. The car will run and work fine, for a while. Maybe quite a while. But there will come a time when you need to poke around the engine and you won't be able to.
If your router was using the default userid/password then the person that set it up is worse than incompetent, they are guilty of negligence. It's not inconceivable for this to result in a lawsuit someday.
Update. March 11, 2008: I just set up a new Belkin N Mimo router. Not only does the new model continue the tradition mentioned above of supporting only a password (no userid), the default password is no password.
*Note: There may also be software for managing the router, but finding and installing the software can be a headache of its own. Also, there is no standard for how the software works.