Question Router / Wifi Passwords

Luulune

Commendable
Aug 25, 2016
11
0
1,510
Hello,

I'm getting really tired of the mass panic attacks of SECURE YOUR PASSWORDS1121@!!, and these are the Google results I of course get when I google this to get an answer for this undoubtedly idiotic question. (And yes, I use strong passwords on sites that matter. No worries.)


BUT FOR MY ROUTER..... For my router and wifi, I use relatively simple passwords that are easy for me and my family to remember, and they've been the same for me on every router I've ever used in the past 15 years.

Now after a firmware upgrade my Asus has been whining at me that my password is ** and that I MUST change it. Really?


Why?


1. Who on earth can access my router without being on my network? Is that possible other than the vague requests a site can make to reboot your router and the like? I have Remote Access off.

2. And for any serious attacks on my router (why would anyone even bother?), don't they have to be within my network to begin with?

3. And I mean, can people from the internet actually GET on my network? Surely Wifi can only be accessed by people nearby and you'd need an actual cable otherwise, or am I wrong?

4. I mean sure if my PC gets compromised, but that's a whole different story, but at that point I think my Wifi/router password would be the least of my concerns.

And sure, if I have evil neighbours.... but to be fair, I'm not counting on that.


Am I being too naive? That's why I'm here. Educate me, please.

Thanks for your info.
 

Yes you are and look at the state of Baltimore because they have your attitude. - Nuff said

2 - no they don't
3 - they can get through from anywhere in the world (that's why it's called the internet)
4 - that's the entire point, they will/can get into it via your wifi... are you really so ... yes you are
 

USAFRet

Titan
Moderator
#3. For a while, I had my NAS box open for outside access. Many people want this functionality, to share files with their friends, or when at work or on vacation.
Strong password, and the default admin account disabled.

I'd get access attempts 2, 3, 4 times a week. Sometimes multiple times a day. From all over the world. Russia, China, Portugal, Ohio, etc, etc.
Not just a ping, but actual log on attempts. All failed, but they happened.

Without a strong password, they might have gotten in.
 

Luulune


Ah, the jackassery of forums, how could I forget - the reason why I went from superactive forum poster across the internet to, well, not at all anymore. A shame, really. Nonetheless, thanks for your somewhat vague but still instructive reply.



Thanks for your reply. How does this work though? Like the technical side? What possibilities does this really open for them? I'm open for any links too. I really do wish to understand & learn. It basically and obviously is just completely outside my understanding of the WAN/LAN/modem/router machinations as I have, incorrectly, believed them to be true. As an edited note, as far as I'm aware, I do not have anything open to the outside, no NAS functionality as you are using, no router setting, nothing, but again within my obvious spectrum of ignorance I could be wrong. Also, I don't actually use WiFi on my PC, it's wired. It's the other stuff that is on wifi (tablet etc.).
 

USAFRet

If I were to ping your IP address...111.222.111.222...something might answer.
"Oh look, it's a Netgear router." or a NAS box.

So now I know something is there that might respond to a log on attempt. First, I'd try the default admin account and password.
That fails, then I might run through some basic passwords.
"Hey, now I'm in!"

Once an outside person has access, all is fair game. Access any connected device. PC, tablet, baby cam...
If this access is to your router, one could change the settings, and lock YOU out. Or delete the log entries, so you may never know he was there.

And many people try/want to access their router from elsewhere, to manage something.
With a strong password, the possibilities are reduced.

Many devices and applications open ports and access by default.
"Monitor your WiFi camera from your smart phone!" "Forget to lock your front door? A simple click locks it and arms your alarm system!" (or unlocks it...:devilish: )

Your router telling you your password wasn't strong enough is just one layer of trying to protect you.
Having Remote Access off is another.


Bottom line...if you can access it from outside, maybe someone else can as well.
 

kanewolf

Titan
Moderator
Why have a strong password? Because most attempts to attack your home are from programs, not people. Having 1,000 already compromised PCs searching for new victims doesn't "cost" the perpetrator anything. It is just like robo-calls to your cell phone. It isn't personal, it is strictly a percentage game. If desired, a program could go through all likely passwords that have been used, but disclosed in various data breaches. Is yours one of the 1,000 most used passwords they already have? Maybe.
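
The automated log-on attempts described in the two posts above can be made visible from a device's own authentication log. This is an added example, not code from the thread: it assumes the NAS or router writes OpenSSH-style `sshd` lines, and the sample lines, the LAN range and the list of stock account names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in OpenSSH sshd log format; addresses are documentation ranges.
SAMPLE_LOG = """\
May 02 03:14:07 nas sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 02 03:14:09 nas sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
May 02 03:14:12 nas sshd[811]: Failed password for root from 203.0.113.7 port 51141 ssh2
May 02 03:14:15 nas sshd[811]: Failed password for invalid user guest from 203.0.113.7 port 51150 ssh2
May 02 09:40:51 nas sshd[902]: Failed password for alice from 192.168.1.23 port 40022 ssh2
May 02 09:41:03 nas sshd[902]: Accepted password for alice from 192.168.1.23 port 40022 ssh2
May 03 17:02:44 nas sshd[1207]: Failed password for invalid user admin from 198.51.100.44 port 33810 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LAN = ipaddress.ip_network("192.168.1.0/24")           # assumed home LAN range
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "user"}  # assumed stock account names


def summarize_failed_logins(log_text, min_attempts=3):
    """Group failed logins by source address and flag the ones that look automated."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            per_ip[match["ip"]]["attempts"] += 1
            per_ip[match["ip"]]["users"].add(match["user"])

    report = {}
    for ip, seen in per_ip.items():
        try:
            external = ipaddress.ip_address(ip) not in LAN
        except ValueError:
            external = True  # source logged as a hostname: treat as outside the LAN
        tried_defaults = sorted(seen["users"] & DEFAULT_ACCOUNTS)
        report[ip] = {
            "attempts": seen["attempts"],
            "users": sorted(seen["users"]),
            "default_accounts_tried": tried_defaults,
            # Outside source that either hammers the login or goes for stock accounts.
            "suspicious": external
            and (seen["attempts"] >= min_attempts or bool(tried_defaults)),
        }
    return report


if __name__ == "__main__":
    for ip, row in summarize_failed_logins(SAMPLE_LOG).items():
        print(ip, row)
```

A single mistyped password from inside the LAN is not flagged, while one outside attempt against `admin` is, which matches the "default admin account first, then basic passwords" pattern the thread describes.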
 

Luulune


Thanks so much for this very elaborate answer. How do I know if I can access it from the outside? I wouldn't know where to begin.
Can this be done to anyone regardless of any settings and so on used? How does Remote Access affect this? How about using VPNs? Internet of Things?



Thank you for your answer, this is a valid point of course, shame on me for not considering botscans.
 

USAFRet

"Internet of Things" is just a buzzword for "More crap connected to the outside world".
And a LOT of these things have abysmal security. Hardcoded passwords left in there by the clueless dev team. Apps on your phone that demand access to your contact list, when they don't need it. Etc etc etc.

Also, there is UPnP. Universal Plug and Play.
https://en.wikipedia.org/wiki/Universal_Plug_and_Play

Your new device talks to the router, and automagically opens up the relevant port. You didn't have to do anything, those devices just talk to each other and do it. And might leave you compromised.
Actually talking the user through all the settings is TooHard. So let's just do it for them.

How do you think your new doorbell camera is accessed from your phone, while you're at work? Outside access....outside of your physical LAN.
A hole (port) is opened up through your router, to allow the phone, or your PC at work, to talk through the router to your doorbell camera.
The device and the app on your phone did this all by itself.
Combine that with a poor password, or the default password....you're screwed.

Your router is a hard wall between you and the outside world. Until you, or some device, opens up a port for access.
Lock your front door, but leave all the ground floor windows open.

Remote Access on your router settings is to allow administration from 'outside'...not connected via internal ethernet cable.
Generally this is OFF by default on most consumer routers. But turn it ON without a strong password, and you're wide open.
 

Luulune


I know about Internet of Things and its abysmal security, which is why I asked. :D

Well that's exactly it, I don't have a doorbell camera or anything crazy like that. Do people have this? Why do people have this? My washing machine cannot talk to my phone, or my microwave or whatever, in that sense I have NO internet of things ..anyway, so I don't have any of this kind of stuff. There's nothing in my house that can be accessed from the outside.

I guess this is where my initial confusion came from and why people come down so hard on me. If I am not accessing anything inside my house from outside, how is anyone/anything else?
 

USAFRet

No one was coming down on you...just that your router manufacturer wanted you to change your password for something better.
Your router is being pinged continuously for access. Bots from all over the world.
It rightly tosses them out.
And IoT? Your phones, playstations, TV...all count as "Things"

The "S" in IoT stands for Security.


Any comments in here were aimed at "That info could have been found with some basic research".

Doorbell cameras? Ring.
Alexa, Amazon Echo, Siri, etc, etc. Yes, people have and use these.

A few years ago, I was shopping for a touchpad deadbolt. I specifically wanted one that did not talk to my phone. A coworker was shopping for one as well, but he specifically wanted one that DID lock/unlock via the phone. I just shook my head.

I have a 4 camera surveillance setup. They are hardwired to their own little DVR. Cannot access from outside.
Many, many people want and buy WiFi cameras. Because the setup is much easier. Again...shaking my head.
 

Luulune

My basic research yielded nothing, nothing specific that I was looking for other than the "yo just put a pw on your router k?"- type articles. I post like.. twice on forums a year. Maybe my google skills are rusty, but also, I put a lot of trust in you guys and this site. :)

At any rate, I'm still a bit muddy on the technical side of things, but I got a lot of the basic info that will hopefully aid me to find more info.

And, yes, I changed my router's pw. :D

My Wifi's PW is a bit stronger, but crackable in a very decent amount of time still. Should I also change that? (Scratch that, I underestimated my Wifi's PW, I'd forgotten about it, it's actually really decent.)

Thanks for all the help guys, honestly
 

There are known hacks that attack router services. Things like UPnP you think aren't exposed to the outside world, yet are.

You see, routers and many network devices are built upon commonly shared software stacks. The code is just tweaked here and there for the specific hardware they work on. Over the years these services grow and many become neglected. They are just there for backwards compatibility.

And a lot of services are exposed on network devices like printers. My printer has no less than 12 exposed services, i.e. PostScript print or FTP and more. Yes, my printer had an FTP port for some reason.

So a hacker can hack into your router and then see your password. He can then keep it away someplace safe in case he needs a direct way back in. Once he has the password he can alter the router settings and then probe your network for weaknesses using automated tools.

Now if you don't think this is a problem, remember that security papers show the state agencies using such exploits (Heartbleed and SMBv1) to hack into networks via routers. It's because the router sees everything on your network. And from that you can diagnose things like what hardware is attached to that network by testing internal services on each device that is attached. If you don't believe me, try the Fing Android app. It will largely be correct on guessing what kind of hardware each device is on your network. I'm doing experiments with ESP8266 and Fing identified it as an Espressif device. Knowing that, I can now directly attack known weaknesses with Espressif devices and upload a new ROM via wifi.

It's also how the infamous Target Corporation was hacked. They got a compromised vendor that was sloppy and didn't use active virus protection. Loggers then captured network credentials to Target. The hackers then logged into Target and roamed the system till they found the POS ROMs. The hackers then altered the ROMs and the new POS ROMs were instructed to direct credit card information to x y z.

Now why would they bother with you? You're a nobody, am I right? You're partially correct. This is mostly a CYT (cover your tail) to avoid lawsuits. But your network can be attacked and made into a botnet or to mine coin without you even knowing. There's even worse potential which I won't cover.

So ask yourself if you would care if someone can log into your router's torrent or FTP services using your admin credentials (some routers do have them built in).

https://www.routersecurity.org/testrouter.php

These network device attacks and backwards support are a real problem. Our congress is trying to establish guidelines on requiring support for hardware via exploit fixes. Of course the big company lobbyists are fighting this tooth and nail. "We have 50000 products and testing a device we haven't sold in 5 years isn't fair to us. It's too much burden." And to be honest that's a fair assessment. I think it will be indefinitely stalled until there's a huge infrastructure attack that attacks critical services.

I think what it will eventually come down to is an equivalent of an annual car inspection. You get a warranty with guaranteed fixes for 3 years and then after that you must pay to have it fixed or the equipment must be replaced. If you don't, you can't drive it on the internet highway. That's part of the cost of being on the web.
 