Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


February 26, 2007

List of Default Router Passwords

Useful information.

EDITED TO ADD (2/26): More lists here, here, and here.

Posted on February 26, 2007 at 7:38 AM • 39 Comments

Comments

alfora • February 26, 2007 8:02 AM

Bruce, you are sooooooo evil. Now somebody has to blow up a router because it can be used as a bomb...

;-)


Hugo • February 26, 2007 8:16 AM

I don't want to be rude, but that list is on the internet for many years. Just google for 'default password' and you'll find a lot more.


Alistair McDonald • February 26, 2007 8:24 AM

I think you've just "brucedotted" the server - no response after one minute.

(Oops I used my real name - does that mean I'm gonna be "looked at?"

Dear authorities: I DID NOT look at the list - because there were too many others getting it!)


Authorities • February 26, 2007 8:30 AM

Dear mr. McDonald,

don't worry about your name. We won't use it. On the other hand, we've logged your IP address, which tells us a lot more about you than your name. See you soon!

greetings,
Authorities


Baron Dave • February 26, 2007 8:30 AM

Props to Cisco for the default password "changeme".


merkelcellcancer • February 26, 2007 8:41 AM

Hello. Far too easy.


Da Scritch • February 26, 2007 8:41 AM

I am sorry, I'm just a French guy, but, as I do remember, isn't it a legal offense in the US to publish this kind of list? It's soooooo evil, certainly an Al-Qaeda secret plan to conquer Christianity....


nzruss • February 26, 2007 8:43 AM

What if a terrorist finds this link!!!???

ok, kidding. Just joining in on mass hysteria.


madkawa • February 26, 2007 8:45 AM

Bully for you (and thanks... I forgot my default password... now I can change it) ;)


greg • February 26, 2007 8:47 AM

Everyone knows that terrorists can only find useful information on US web sites. And are incapable of using google.....


John • February 26, 2007 8:48 AM

I didn't see 'squid' listed there so you're safe, Bruce.


noamt • February 26, 2007 8:58 AM

At least one of the 3com routers (don't know which model) is very helpful, and makes this list obsolete for its hackers:
when you try to log in to it, it tells you that the default password is "admin".


alisgray • February 26, 2007 9:12 AM

Gosh, that amber text in black screen is reminiscent of childhood.


tanj • February 26, 2007 9:27 AM

Come on people, routers with default passwords are old news. I'm still laughing out loud every time I stop at a 7-11. Wired blogged about ATM default passwords last September, http://blog.wired.com/27bstroke6/2006/09/...


James Townsend • February 26, 2007 9:39 AM

At least you can change a default username and password combination. What is more scary is a particular router/switch manufacturer that hard codes back doors. You need console access, but still...


Mort666 • February 26, 2007 9:48 AM

The Phenoelit list is nice, but there is another here

http://www.virus.org/default-password/

Has a few more than the Phenoelit list and is searchable.


Anonymous • February 26, 2007 9:52 AM

I've used this list several times increasing security of routers belonging to family and friends. Default password and how to reset the firmware are the two most important pieces of information in the manual.

I actually like the idea of a router putting its default password on the admin screen. Default passwords aren't secure so there's no point in pretending they are.


an67 • February 26, 2007 10:11 AM

@Mort666,

I tend to find + the best way to search


All your ATM belong to us • February 26, 2007 10:29 AM

A quick google:
http://cryptome.org/atm/atm-passwords.htm ...
The default Master password is "123456" !?!? When will we start shipping devices in a secure state? Makes me remember my high school French, what was the phrase, "je suis dans la merde", no that wasn't it, ah yes, "plus ca change, plus c'est la meme chose."


Skippern • February 26, 2007 10:33 AM

I am too paranoid NOT to change password, besides nobody has ever been able to hack my secret password "byteme"


Bruce • February 26, 2007 11:35 AM

"I don't want to be rude, but that list is on the internet for many years. Just google for 'default password' and you'll find a lot more."

Don't worry; I don't think that comment is rude.

I regularly post old things. Sometimes because they're interesting even though they're old, and sometimes because they're interesting and I don't realize that they're old.


Craig • February 26, 2007 11:37 AM

@nzruss:

For real hysteria, you have to throw in "But what about the children?"


Sue Donym • February 26, 2007 11:47 AM

My favorite is the tty port password for certain Proxim access points. The default at one time was "brando". Later they changed it--To "notbrando".


JW • February 26, 2007 11:48 AM

My personal fav: Integral Technologies with "letmein".

Cheers


dragonfrog • February 26, 2007 12:01 PM

Not just routers of course - network printers, IP phones, probably the odd Internet toaster.

It's tremendously useful.


Crim • February 26, 2007 1:24 PM

I've used this in the past to get into the admin pages on insecure WiFi routers (sometimes months of free access). Some models let you see URLs that other users are viewing. This sure isn't news but lots of stuff out there is still running with default passwords.


P-Air • February 26, 2007 1:36 PM

Thanks for posting this, I lost my documentation and now I can work on set-up stuff my router again. If I changed the password then I'd never be able to take advantage of great sites like this one that can remind me of it :)


Bill • February 26, 2007 1:43 PM

@tanj

Guess you missed it here in September

http://www.schneier.com/blog/archives/2006/09/...


SillyGoose • February 26, 2007 4:53 PM

Default router password lists are old news. ;)

Within a mile radius of my home there's about 60 wide open wireless routers. I've made it a project to secure each and every one with a very strong admin password at least. As a public service. I don't steal bandwidth. I just lock down the router admin. If I find one set up insecurely a second time I secure the network with whatever is available. As a public service.

99% of these people never notice, and when they do just about every router has a reset button so I figure no harm, no foul. It's a public service after all!


Steve Geist • February 26, 2007 6:32 PM

SillyGoose:

That sounds like a denial-of-service attack to me.

Would you consider it a public service if someone came around to your home, and if the front door was open, they changed the lock and locked the door?

Whether it takes pressing a reset button or hiring a locksmith to undo, it's rather questionable to mess with people's stuff like that.


Crim • February 26, 2007 7:26 PM

@SillyGoose

"I've made it a project to secure each and every one with a very strong admin password at least."

I did the same but for less good reasons. I wanted to hamper my free Internet providers from turning on crypto and spoiling my fun.

Just curious what type of antenna did you use? I used a powerful (9 dbi) Omnidirectional antenna with an SMA extension cable so that I could hang the antenna high up behind curtains (not externally visible). It's amazing how far you can reach out if there is nothing in the way.

I hope you didn't go outside with the equipment (dumb! dumb!). That is very risky because if you are caught with the laptop and WiFi bits you are screwed.


Don • February 27, 2007 2:20 AM

@SillyGoose

"I've made it a project to secure each and every one with a very strong admin password at least."

We couldn't agree more on this point...

We've previously written an article on why we think passwords do not live up to today's needs. Feel free to read it and leave your opinion on our blog.

http://maltainfosec.org


David • February 27, 2007 8:35 AM

Hey, great. Now I have a place to find it if I forget my router's password...


Fenris Fox • February 27, 2007 10:59 PM

:: laughs @ "Authorities'" post ::

@Crim

I'd like to see a study (amateur, of course), where someone wardrives for a while, compiling a list of:

1.) How many WAPs are open (not even needing to crack WEP - poor ignorant souls =;o)

2.) How many of those open WAPs use default passwords on the admin pages.

Of course nowadays, this would probably border on the illegal (it's definitely gray-hat) - so whoever published the results, might have to go to some lengths to hide the origin of the paper.

Hmm.. how about one of the open WAPs on the list? =;o)


Ryan • March 1, 2007 2:42 AM

Change the password on my luggage!


Elmo • March 2, 2007 7:22 AM

So, I sign up for DSL, router comes in the mail. I plug it in and it works.

Now you guys scare me with this...

Whose fault is it that I did not know there is an administrative password?

What's better, ship a product that does not work out of the box, or a product covered with warning stickers and a giant manual (or like I got a product that works, no warning)?

Got no info on my router. Not sure how to make use of this new found administrative password.

Maybe I should stay in bed.


Johnathen B • March 8, 2007 11:24 AM

If you want a good printable router password list check
uhmm... I think it's http://www.cyberpunkcafe.com/routerpasses.html


boomer • January 10, 2011 7:56 PM

^scratch that, site moved here:

http://urbanwireless.info/...

