Wi-Fi Passwords vs. Admin Passwords
Before we look at the topic of default manufacturer-supplied Wi-Fi login credentials, let’s take a moment to clarify what we’re talking about.
Every router has a default set of administrative login credentials that are, by their very nature, not secure as they are intended to be used by the consumer to perform the initial configuration of their router.
The default logins are usually something very simple like admin/admin, admin/password, or the company name like motorola/motorola. Finding these credentials is meant to be easy.
Although the admin credentials aren’t what we’re focused on today, we’re highlighting what they are both for clarity and because everyone should be aware of them. You should immediately change the administrator login and password on your router after setting it up because the default credentials are a significant security risk.
Your Wi-Fi network name (the SSID) and password are a separate set of login credentials. They are used to log into your home’s wireless network, not into the control panel for your router.
Are Default Random Wi-Fi Passwords a Security Risk?
The vast majority of consumer routers on the market have a sticker on them that includes not just the basic information about the device such as the model number, FCC ID, and MAC address, but a random pre-generated default SSID and password.
At first glance, that would seem to be very secure, but there are a few compelling reasons to change the pre-generated password.
It’s Readily Visible to Anyone
One of the most obvious reasons to change the default SSID password (and the default administrative password) is that it is printed in plain text right on the device it is supposed to secure.
Obviously, somebody walking by on the street or war driving around your neighborhood won’t have access to the sticker, but anyone in your home—kids, whoever your roommate happens to invite home, etc.—will.
Perhaps it might seem a bit paranoid to care about that, but in any context having a password written down in plaintext and in plain sight is not a good security practice.
There’s No Guarantee the Password Is Actually Random
If you ask manufacturers if the SSID passwords supplied with their routers are random, they will tell you that they are. But the complexity of the process usually leads to a system that isn’t actually random.
Manufacturers aren’t simply printing stickers with random letters and numbers on them. They are printing login credentials that have to match the device they are attached to, so the sticker data has to correspond to the data encoded into the firmware of the device.
As a result, many manufacturers use shortcuts like basing the SSID password on the MAC address of the hardware or using other seemingly “random” data that isn’t actually random.
That’s not a strictly theoretical concern, either. Dutch computer science students at Radboud University were able to reverse engineer the algorithms used to generate the default “random” password on various consumer routers.
Random or Not, Many Default Passwords Use Patterns
Even if the default SSID password on your router is truly random, each manufacturer uses a particular style of password for any given product line (and sometimes for their entire product line).
For example, there are hundreds of thousands of older TP-Link routers where the default random SSID password is simply an 8-digit string. Every default password falls between 00000000 and 99999999.
For years, Charter/Spectrum ISP-supplied modems have used a simple random password convention that uses the format of adjective + noun + three numbers, with all lowercase letters. The default passwords for these routers are always combinations like tiredpiano958 or greenboat129.
If you poke around the internet, it’s trivial to find Wi-Fi cracking tools and companion datasets that take advantage of these simple patterns.
Default Passwords Aren’t Long Enough
Even when there is no discernible pattern, and the password actually is completely random, far too many generated SSID passwords are too short. It’s common for them to only be 8-12 characters long.
The minimum character length for a WPA, WPA2, and WPA3 password is 8 characters, which is far too short. Bumping it up to 12 characters helps you reach the bare minimum recommended password length. But modern routers support much longer passwords, and you should take advantage of that.
If for no other reason than to replace the shorter default SSID password with a longer, more secure, and easier-to-remember passphrase, you should change the password.
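As an added example (not part of the original article), this Python check tests whether a Wi-Fi password has the shape of the default styles described above (8 digits, or lowercase words plus three digits) and estimates its search space in bits. The function name is hypothetical and the word-list sizes are assumed values, since the article does not give them.

```python
import math
import re
import string

# Word-list sizes for the adjective + noun + 3 digits style are NOT given in
# the article; these are assumed values for illustration only.
ASSUMED_ADJECTIVES = 1000
ASSUMED_NOUNS = 2000
MIN_RECOMMENDED_LEN = 12  # the article's "bare minimum" length


def audit_wifi_password(pw):
    """Classify a Wi-Fi password and estimate its search space in bits.

    Returns (pattern, bits, should_change).
    """
    # WPA/WPA2 personal passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(pw) <= 63 or not all(32 <= ord(c) <= 126 for c in pw):
        return ("invalid", 0.0, True)
    # Style 1: every password lies between 00000000 and 99999999.
    if re.fullmatch(r"\d{8}", pw):
        return ("8-digit numeric", math.log2(10 ** 8), True)
    # Style 2: lowercase words followed by three digits. Only the shape is
    # checked; the function does not verify the letters are dictionary words.
    if re.fullmatch(r"[a-z]+\d{3}", pw):
        space = ASSUMED_ADJECTIVES * ASSUMED_NOUNS * 10 ** 3
        return ("lowercase words + 3 digits", math.log2(space), True)
    # No known default style: upper bound that assumes every character was
    # chosen uniformly at random from the character classes that appear.
    charset = sum(size for cls, size in (
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10)) if any(c in cls for c in pw))
    if any(not c.isalnum() for c in pw):
        charset += 33  # space plus ASCII punctuation
    bits = len(pw) * math.log2(charset)
    return ("no known default pattern", bits, len(pw) < MIN_RECOMMENDED_LEN)


if __name__ == "__main__":
    # Constructed samples; the first two follow the formats described above.
    for sample in ("04917362", "tiredpiano958", "kV7pQ2xLm9Rt4WzB8nYc"):
        pattern, bits, change = audit_wifi_password(sample)
        print(f"{sample!r}: {pattern}, ~{bits:.1f} bits, change={change}")
```

The bit estimate for the last category is an upper bound: a human-chosen password with the same characters has a much smaller effective search space.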
And while you’re thinking about router security, now is a good time to consider upgrading your old router to a more modern router that supports WPA3 and other security enhancements.