Problem solve Get help with specific problems with your technologies, process and projects.

How to prevent hackers from accessing your router security password

In this Q&A, Joel Dubin unveils the best practices for protecting a router security password from compromise.

How do I change my router's password? What are best practices to protect against router security password compromise?
There are two basic rules for protecting router passwords: always change the default password that comes with the router out of the box and only log on to the router via a secure and encrypted connection.

Hackers not only know all the default passwords of routers commonly on the market, they also have posted these passwords on Web sites. If you don't think they try this as a first step to break into a router, then don't change the default password and see what happens.

Along with this, of course, use a strong password -- no dictionary words, at least eight characters long and mix of upper and lower case letters and numbers. Also, make sure to use different passwords on each system. If the same password is used throughout the network, and it's compromised, guess what? The whole network is now compromised.

As for an encrypted connection, only use protocols like SSH, which creates a secure connection with the router. Protocols and services like Telnet and TFTP are unencrypted, and therefore, weak. Routers are notorious for allowing the transmission of user IDs and passwords in clear text, which can be easily sniffed.

Cisco IOS, on the other hand, has two ways to encrypt passwords in the configuration file where they're stored on the router. Cisco can store passwords in the configuration file in one of three ways: clear text, Vignere encryption and the MD5 hash algorithm. Vignere is an encryption algorithm that is weaker than MD5, and unlike MD5, it's reversible, meaning it can be cracked.

There are three commands for encrypting passwords on Cisco routers: service password-encryption, enable password and enable secret. The first command uses Vignere encryption, while the other two use the MD5 hash. The enable secret command is a newer feature of Cisco routers and is stronger than enable password. The enable password command is only kept for backwards compatibility, while service password-encryption, though weak, is still needed for compatibility with some older network protocols.

These commands also allow passwords to be set and encrypted at different access level privileges, depending on the rights granted to staff by administrators.

Wherever possible, use the Cisco encryption commands to protect router passwords. There is extensive and detailed documentation on Cisco's Web site. If you're using another brand of router, stick with SSH or another encrypted connection.

For more information:

  • Network security expert Mike Chapple discusses if Snort can be configured with a FreeBSD router.
  • Learn if it is necessary for a router to be placed between an enterprise firewall and DMZ.
  • This was last published in December 2007

    Dig Deeper on Network device security: Appliances, firewalls and switches