Comments

alfora • February 26, 2007 8:02 AM

Bruce, you are sooooooo evil. Now somebody has to blow up a router because it can be used as a bomb...

;-)

Hugo • February 26, 2007 8:16 AM

I don't want to be rude, but that list is on the internet for many years. Just google for 'default password' and you'll find a lot more.

Alistair McDonald • February 26, 2007 8:24 AM

I think you've just "brucedotted" the server - no response after one minute.

(Oops I used my real name - does that mean I'm gonna be "looked at?"

Dear authorities: I DID NOT look at the list - because there were too many others getting it!
)

Authorities • February 26, 2007 8:30 AM

Dear Mr. McDonald,

don't worry about your name. We won't use it. On the other hand, we've logged your IP address, which tells us a lot more about you than your name. See you soon!

greetings,
Authorities

Da Scritch • February 26, 2007 8:41 AM

I am sorry, I'm just a French guy, but, as I do remember, isn't it a legal offense in the US to publish this kind of list? It's soooooo evil, certainly an Al-Qaeda secret plan to conquer Christianity....

nzruss • February 26, 2007 8:43 AM

What if a terrorist finds this link!!!???

OK, kidding. Just joining in on mass hysteria.

greg • February 26, 2007 8:47 AM

Everyone knows that terrorists can only find useful information on US web sites. And are incapable of using Google.....

noamt • February 26, 2007 8:58 AM

At least one of the 3com routers (don't know which model) is very helpful, and makes this list obsolete for its hackers:
when you try to log in to it, it tells you that the default password is "admin".

James Townsend • February 26, 2007 9:39 AM

At least you can change a default username and password combination. What is more scary is a particular router/switch manufacturer that hard codes back doors. You need console access, but still...

Anonymous • February 26, 2007 9:52 AM

I've used this list several times increasing security of routers belonging to family and friends. Default password and how to reset the firmware are the two most important pieces of information in the manual.

I actually like the idea of a router putting its default password on the admin screen. Default passwords aren't secure so there's no point in pretending they are.

Bruce • February 26, 2007 11:35 AM

"I don't want to be rude, but that list is on the internet for many years. Just google for 'default password' and you'll find a lot more."

Don't worry; I don't think that comment is rude.

I regularly post old things. Sometimes because they're interesting even though they're old, and sometimes because they're interesting and I don't realize that they're old.

Sue Donym • February 26, 2007 11:47 AM

My favorite is the tty port password for certain Proxim access points. The default at one time was "brando". Later they changed it--To "notbrando".

dragonfrog • February 26, 2007 12:01 PM

Not just routers of course - network printers, IP phones, probably the odd Internet toaster.

It's tremendously useful.

Crim • February 26, 2007 1:24 PM

I've used this in the past to get into the admin pages on insecure WiFi routers (sometimes months of free access). Some models let you see URLs that other users are viewing. This sure isn't news but lots of stuff out there is still running with default passwords.

P-Air • February 26, 2007 1:36 PM

Thanks for posting this, I lost my documentation and now I can work on set-up stuff on my router again. If I changed the password then I'd never be able to take advantage of great sites like this one that can remind me of it :)

SillyGoose • February 26, 2007 4:53 PM

Default router password lists are old news. ;)

Within a mile radius of my home there are about 60 wide open wireless routers. I've made it a project to secure each and every one with a very strong admin password at least. As a public service. I don't steal bandwidth. I just lock down the router admin. If I find one set up insecurely a second time I secure the network with whatever is available. As a public service.

99% of these people never notice, and when they do just about every router has a reset button so I figure no harm, no foul. It's a public service after all!

Steve Geist • February 26, 2007 6:32 PM

SillyGoose:

That sounds like a denial-of-service attack to me.

Would you consider it a public service if someone came around to your home, and if the front door was open, they changed the lock and locked the door?

Whether it takes pressing a reset button or hiring a locksmith to undo, it's rather questionable to mess with people's stuff like that.

Crim • February 26, 2007 7:26 PM

@SillyGoose

"I've made it a project to secure each and every one with a very strong admin password at least."

I did the same but for less good reasons. I wanted to hamper my free Internet providers from turning on crypto and spoiling my fun.

Just curious, what type of antenna did you use? I used a powerful (9 dBi) omnidirectional antenna with an SMA extension cable so that I could hang the antenna high up behind curtains (not externally visible). It's amazing how far you can reach out if there is nothing in the way.

I hope you didn't go outside with the equipment (dumb! dumb!). That is very risky because if you are caught with the laptop and WiFi bits you are screwed.

Don • February 27, 2007 2:20 AM

@SillyGoose

"I've made it a project to secure each and every one with a very strong admin password at least."

We couldn't agree more on this point...

We've previously written an article on why we think passwords do not live up to today's needs. Feel free to read it and leave your opinion on our blog.

http://maltainfosec.org

Fenris Fox • February 27, 2007 10:59 PM

:: laughs @ "Authorities'" post ::

@Crim

I'd like to see a study (amateur, of course), where someone wardrives for a while, compiling a list of:

1.) How many WAPs are open (not even needing to crack WEP - poor ignorant souls =;o)

2.) How many of those open WAPs use default passwords on the admin pages.

Of course nowadays, this would probably border on the illegal (it's definitely gray-hat) - so whoever published the results might have to go to some lengths to hide the origin of the paper.

Hmm.. how about one of the open WAPs on the list? =;o)

Elmo • March 2, 2007 7:22 AM

So, I sign up for DSL, router comes in the mail. I plug it in and it works.

Now you guys scare me with this...

Whose fault is it that I did not know there is an administrative password?

What's better, ship a product that does not work out of the box, or a product covered with warning stickers and a giant manual (or, like I got, a product that works, no warning)?

Got no info on my router. Not sure how to make use of this newfound administrative password.

Maybe I should stay in bed.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.