Bruce Schneier
Schneier on Security

A blog covering security and security technology.

February 26, 2007

List of Default Router Passwords

EDITED TO ADD (2/26): More lists here, here, and here.

Posted on February 26, 2007 at 7:38 AM • 39 Comments

Bruce, you are sooooooo evil. Now somebody has to blow up a router because it can be used as a bomb... ;-)

Posted by: alfora at February 26, 2007 8:02 AM

I don't want to be rude, but that list is on the internet for many years. Just google for 'default password' and you'll find a lot more.

Posted by: Hugo at February 26, 2007 8:16 AM

I think you've just "brucedotted" the server - no response after one minute. (Oops I used my real name - does that mean I'm gonna be "looked at?" Dear authorities: I DID NOT look at the list - because there were too many others getting it!

Posted by: Alistair McDonald at February 26, 2007 8:24 AM

I am sorry, I'm just a French guy, but, as I do remember, isn't it a legal offense in the US to publish this kind of list? It's soooooo evil, certainly an Al-Qaeda secret plan to conquer Christianity....

Posted by: Da Scritch at February 26, 2007 8:41 AM

What if a terrorist finds this link!!!??? ok, kidding. Just joining in on mass hysteria.

Posted by: nzruss at February 26, 2007 8:43 AM

Bully for you (and thanks... I forgot my default password... now I can change it) ;)

Posted by: madkawa at February 26, 2007 8:45 AM

Everyone knows that terrorists can only find useful information on US web sites. And are incapable of using google.....

Posted by: greg at February 26, 2007 8:47 AM

I didn't see 'squid' listed there so you're safe, Bruce.

Posted by: John at February 26, 2007 8:48 AM

At least one of the 3com routers (don't know which model) is very helpful, and makes this list obsolete for its hackers:

Posted by: noamt at February 26, 2007 8:58 AM

gosh, that amber text in black screen is reminiscent of childhood.

Posted by: alisgray at February 26, 2007 9:12 AM

Come on people, routers with default passwords are old news. I'm still laughing out loud every time I stop at a 7-11. Wired blogged about ATM default passwords last September, http://blog.wired.com/27bstroke6/2006/09/...

Posted by: tanj at February 26, 2007 9:27 AM

At least you can change a default username and password combination. What is more scary is a particular router/switch manufacturer that hard codes back doors. You need console access, but still...

Posted by: James Townsend at February 26, 2007 9:39 AM

The Phenoelit list is nice, but there is another here http://www.virus.org/default-password/ Has a few more than the Phenoelit list and is searchable.

Posted by: Mort666 at February 26, 2007 9:48 AM

I've used this list several times increasing security of routers belonging to family and friends. Default password and how to reset the firmware are the two most important pieces of information in the manual. I actually like the idea of a router putting its default password on the admin screen. Default passwords aren't secure so there's no point in pretending they are.

Posted by: Anonymous at February 26, 2007 9:52 AM

A quick google:

Posted by: All your ATM belong to us at February 26, 2007 10:29 AM

I am too paranoid NOT to change password, besides nobody has ever been able to hack my secret password "byteme"

Posted by: Skippern at February 26, 2007 10:33 AM

"I don't want to be rude, but that list is on the internet for many years. Just google for 'default password' and you'll find a lot more."

Don't worry; I don't think that comment is rude. I regularly post old things. Sometimes because they're interesting even though they're old, and sometimes because they're interesting and I don't realize that they're old.

Posted by: Bruce at February 26, 2007 11:35 AM

@nzruss: For real hysteria, you have to throw in "But what about the children?"

Posted by: Craig at February 26, 2007 11:37 AM

My favorite is the tty port password for certain Proxim access points. The default at one time was "brando". Later they changed it--to "notbrando".

Posted by: Sue Donym at February 26, 2007 11:47 AM

My personal fav: Integral Technologies with "letmein". Cheers

Posted by: JW at February 26, 2007 11:48 AM

Not just routers of course - network printers, IP phones, probably the odd Internet toaster. It's tremendously useful.

Posted by: dragonfrog at February 26, 2007 12:01 PM

I've used this in the past to get into the admin pages on insecure WiFi routers (sometimes months of free access). Some models let you see URLs that other users are viewing. This sure isn't news but lots of stuff out there is still running with default passwords.

Posted by: Crim at February 26, 2007 1:24 PM

Thanks for posting this, I lost my documentation and now I can work on set-up stuff my router again. If I changed the password then I'd never be able to take advantage of great sites like this one that can remind me of it :)

Posted by: P-Air at February 26, 2007 1:36 PM

Default router password lists are old news. ;) Within a mile radius of my home there's about 60 wide open wireless routers. I've made it a project to secure each and every one with a very strong admin password at least. As a public service. I don't steal bandwidth. I just lock down the router admin. If I find one set up insecurely a second time I secure the network with whatever is available. As a public service. 99% of these people never notice, and when they do just about every router has a reset button so I figure no harm, no foul. It's a public service after all!

Posted by: SillyGoose at February 26, 2007 4:53 PM

SillyGoose: That sounds like a denial-of-service attack to me. Would you consider it a public service if someone came around to your home, and if the front door was open, they changed the lock and locked the door? Whether it takes pressing a reset button or hiring a locksmith to undo, it's rather questionable to mess with people's stuff like that.

Posted by: Steve Geist at February 26, 2007 6:32 PM

@SillyGoose "I've made it a project to secure each and every one with a very strong admin password at least."

I did the same but for less good reasons. I wanted to hamper my free Internet providers from turning on crypto and spoiling my fun. Just curious what type of antenna did you use? I used a powerful (9 dBi) Omnidirectional antenna with an SMA extension cable so that I could hang the antenna high up behind curtains (not externally visible). It's amazing how far you can reach out if there is nothing in the way. I hope you didn't go outside with the equipment (dumb! dumb!). That is very risky because if you are caught with the laptop and WiFi bits you are screwed.

Posted by: Crim at February 26, 2007 7:26 PM

@SillyGoose "I've made it a project to secure each and every one with a very strong admin password at least."

We couldn't agree more on this point... We've previously written an article on why we think passwords do not live up to today's needs. Feel free to read it and leave your opinion on our blog.

Posted by: Don at February 27, 2007 2:20 AM

Hey, great. Now I have a place to find it if I forget my router's password...

Posted by: David at February 27, 2007 8:35 AM

:: laughs @ "Authorities'" post ::

@Crim I'd like to see a study (amateur, of course), where someone wardrives for a while, compiling a list of:

1.) How many WAPs are open (not even needing to crack WEP - poor ignorant souls =;o)
2.) How many of those open WAPs use default passwords on the admin pages.

Of course nowadays, this would probably border on the illegal (it's definitely gray-hat) - so whoever published the results, might have to go to some lengths to hide the origin of the paper. Hmm.. how about one of the open WAPs on the list? =;o)

Posted by: Fenris Fox at February 27, 2007 10:59 PM

So, I sign up for DSL, router comes in the mail. I plug it in and it works. Now you guys scare me with this... Whose fault is it that I did not know there is an administrative password? What's better, ship a product that does not work out of the box, or a product covered with warning stickers and a giant manual (or like I got a product that works, no warning)? Got no info on my router. Not sure how to make use of this new found administrative password. Maybe I should stay in bed.

Posted by: Elmo at March 2, 2007 7:22 AM

if you want a good printable router password list check

Posted by: Johnathen B at March 8, 2007 11:24 AM

you can do a lookup here:

Posted by: boomer at August 21, 2009 5:16 PM
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.