There's a little sticker on the bottom of your router. It's got the network name, a password, and maybe a PIN, all printed at the factory. It feels reassuring — official, even. Here's the uncomfortable truth: that sticker is closer to a liability than a convenience, and default credentials are one of the most reliably exploited weaknesses in home and small-business security. Let me explain why, and then what to do about it, because the fix is genuinely simple.
Two passwords, and people confuse them
First, an important distinction that trips almost everyone up. Your router has two separate passwords, and they do very different jobs:
- The Wi-Fi password — what you type into a new phone to join the wireless network.
- The admin password — what you type to log into the router's settings and change how it works.
Most people change the first one at some point, or at least think about it. Almost nobody changes the second. And the admin password is the one that really matters, because whoever controls the router's settings controls your entire network — they can redirect your traffic, snoop on it, or quietly open doors for later. When I say I don't trust default passwords, the admin password is what keeps me up at night.
Why defaults are so dangerous
The core problem with a default password is that it isn't really a secret. Here's why that matters more than it sounds:
They're published
Manufacturers use predictable default credentials — often the same "admin / admin" or "admin / password" across an entire product line. Those defaults are documented in manuals that are freely available online. Entire websites exist for the sole purpose of listing default logins by make and model. A "secret" that anyone can look up in ten seconds isn't protecting anything.
They're guessed automatically, at scale
You don't have to be an interesting target. Automated bots continuously scan the internet, and when they find a router, the very first thing they try is the list of known defaults for that brand. This is how enormous botnets get built — not through clever hacking, but by walking through unlocked doors, millions at a time. Your router doesn't need to be singled out; it just needs to be reachable and unchanged.
The pattern to notice: nearly every large-scale router compromise in the last decade came down to the same root cause — credentials that were never changed from the factory default. Not exotic exploits. Defaults.
The sticker isn't as unique as it looks
Even when a router ships with a "unique" factory password printed on the label, those passwords have sometimes turned out to be generated by a predictable algorithm — derived from the device's serial number or Wi-Fi name in a way that can be reverse-engineered. And a password printed on the hardware is visible to anyone who has been in your home: a guest, a contractor, a repair technician. It's a secret you can't actually keep.
What to do instead
The fix is refreshingly boring, which is exactly why it works. You don't need special tools — just fifteen minutes and this short routine:
1. Log into your router
Type your router's address into a browser — commonly something like 192.168.1.1 or 192.168.0.1, and it's often printed on that same label. Log in with the current admin credentials.
2. Change the admin password immediately
This is the non-negotiable step. Replace the default admin password with a long, unique passphrase that exists nowhere else. Don't reuse your email password or your Wi-Fi password. Because you'll rarely type it, store it in a password manager so you're never tempted to pick something weak just to remember it.
3. Set a strong, separate Wi-Fi password
While you're in there, give your Wi-Fi its own strong passphrase — several random words work beautifully; they're both harder to crack and easier to type than a short jumble of symbols. Keep it distinct from the admin password.
4. Change the default network name if it reveals your gear
If your Wi-Fi name still announces the router's make and model, change it. There's no need to hand a passerby a head start on knowing exactly which default credentials and known vulnerabilities to try.
5. Turn off remote admin access
Make sure the router's settings can only be reached from inside your home, not from the wider internet. This shrinks the problem dramatically: even a weak admin password is far harder to exploit when an attacker has to already be on your network to reach the login page at all.
The bottom line
I don't distrust default passwords because I'm paranoid. I distrust them because they're the single most predictable weakness on a network, and because fixing them is so easy that leaving them in place is hard to justify. A default password is a key that the manufacturer cut thousands of copies of and handed out to anyone who asked. The first thing you should do with any new router — before you connect a single device — is change the locks.
Fifteen minutes now closes one of the most exploited doors in home security. And if you'd like a second set of eyes to confirm nothing else is quietly wide open, that's exactly what a Network Security Assessment covers — starting with the boring basics that matter most.