WiFi and Router Security
WiFi for Dummies ;-)
Suppliers of routers
let unsuspecting users set up insecure WiFi networks. They
want to make it as easy as possible for anyone, including "dummies",
to get WiFi going with their routers.
They know if they send
routers out with secure settings, many people would give them poor
reviews, and/or return them. They would also get way too many support
calls (which cost money). :^)
As a result, users don't
have to do much more than plug in a WiFi router to start using it, and
people don't. Fortunately, it's easy to set up your
router to give you good WiFi security.
We're not dummies. We'll learn to set up WiFi securely. :-)
Securing wireless networks
- Your job is to think of everything. The
attacker's job is easy. If you forget one thing the
attacker wins. :-(
- The steps below give you an index and brief
discussion of what you need to know to set up secure WiFi.
- Links in the block below take you to additional
information that you might need.
- Don't pay any attention to persistent
but harmful myths about turning off SSID beacons and
adding MAC filtering.
- See Security at
WiFi Hotspots to learn about security at WiFi
Steps to a secure WiFi network.
Follow the steps below - more or less in order - to secure your
WiFi network. When you have finished, go through the steps again to
double-check the settings.
If the router itself is not connected to the Internet (via the
modem) you will not be able to follow the links on this page at
the same time you configure your router, so study the steps and
linked information before you begin.
- Each computer that will be
connected to the network needs sound security to start with:
It should have a firewall, up-to-date software, protection against
malware, etc. If one of them becomes infected, it can easily
compromise the others, because the router does not ordinarily
block computers on the local (internal) network from each other. [more below] [security
- Pick a router that includes a
firewall, and be sure this firewall is turned on. The
added layer of security that this "hardware firewall" adds is good
to have. You could even use a router just to get the hardware
firewall, even if you don't set up a network (but be sure to
turn off WiFi/wireless in that case).
- Do not configure your router
or change its settings via a WiFi connection. Always use a
direct, wired (Ethernet) connection from the PC you're using to
configure the router. Your router password is not
encrypted before it is sent, and a hacker could easily sniff it
for an attack later.
- Make sure both
remote management and Wireless (WiFi) Access are turned off: Remote
management allows access from anywhere on the Internet. WiFi
Access might allow a nearby snoop to hack your router. You don't
want either of those. It's a hacker's dream. ;-)
- Enable WPA2-Personal
encryption and use a strong shared key: Never,
ever rely on WEP. It's also better to upgrade devices that don't
support WPA2 than to compromise on WPA encryption. [more
on shared keys and encryption]
- Use an obscure and preferably
random SSID: Hackers now have enough
computing power to crack WPA2, and simple SSIDs
make it easier for them. [How-to]
[more on obscure SSIDs]
- Turn off UPnP and/or WPS
PIN on your router when you're not using them for setup:
UPnP and WPS PIN enable devices to self-configure on your network.
You only need them temporarily when you're adding devices to your
PIN hacks | more]
- Change your router's default administrative username and
replace your administrative password with a strong
one. [see below]
- Use OpenDNS as a pre-emptive
measure to guard against DNS poisoning. [instructions]
OpenDNS will also
improve your computer's Internet performance, and provide other
- Do not turn off the SSID
beacon or bother with MAC filtering. These
security measures offer little or negative defense against
modestly skilled WiFi hackers, even though there are countless persistent
but harmful myths that claim these steps add real
More on security for each PC:
Windows grants "trusted" status by default to all the computers
connected to the same router. If any one of them is infected with
malware, the rest are likely to become infected too. That's
because the defenses that Windows maintains against intrusion from
the Internet are dropped for computers on the local
area network (LAN).
It's important to provide independent protection for each
computer connected to the LAN by installing an effective
security system on each one of them.
Update: Windows 7 and
Windows 8 allow you to set network connection types - wireless or
wired - to "Public", which adds additional protection against
cross-infection between computers.
Securing your wireless network is not just important to
protect your network and your computers. You could be held
accountable for illegal activity by someone who piggybacks on your
Internet connection, since it's your IP address that will be
Useful information on securing
- Use your browser's "web access" administrative interface to
change your router's settings. Typical addresses are 192.168.1.1
or 192.168.1.0, and 10.0.0.1.
- Your router manual will give you the Ethernet interface
address, along with the router's default username and password.
Your router manual should be on a CD that came with your
router. It may also be available online at the manufacturer's
website. Or you can "Google" the interface information.
- If you can't get in to the browser's admin interface, push the
(recessed) "reset" button for 30 seconds to reset the username,
password and all settings back to the defaults.
to set up your home wireless network - a nice
article by Microsoft
To Secure Your Wireless Network - a nice little
video that explains the basic ideas but does not go far
enough; in particular, it doesn't show the step to disable UPnP.
8: Set up a wireless router - evidently Windows 8
makes it easy for "Windows Connect Now" routers, which
sound suspiciously like UPnP routers, which are vulnerable to
attack. It's an informative article anyway.
Administrative username and password for your router
The password for your router - the one
you need to log in to make configuration changes - needs to be
strong. And the username should be unique. It's easy for hackers to
break in and redirect your computer(s) to their own evil website if
they are not.
Worse yet, if you don't change the
username and password from the default values it is even easier to
waltz right in. Cyber-criminals even use automated
malware to corrupt the settings of routers that still have
If a hacker gets in to your router's
administrative settings, he can do anything from directing you to
malicious sites to intercepting all the data that goes to and from
the Internet. It's the ultimate "wiretap".
A strong username or password has 14 or
more random characters. The Linksys WRT54GL appears to allow 16
characters, but it will actually accept 32. I recommend that you use
at least one uppercase letter, one lowercase letter and one numeral,
and a total of 20 or more characters for your router password. Other
routers undoubtedly have different requirements and limitations.
Don't confuse your administrative
password with the shared key that is used for
encryption. Your shared key
should be much stronger than the password.
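An added example (not part of the original page) for the SSID step and the password advice above: WPA2-Personal derives its master key from the shared key with the SSID as the salt, so tables precomputed for a common SSID do not apply to a random one. The SSIDs "linksys" and "NETGEAR", the sample key and all function names are constructed for this example.

```python
import hashlib
import secrets
import string

ALNUM = string.ascii_letters + string.digits


def wpa2_pmk(shared_key: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    if not 8 <= len(shared_key) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", shared_key.encode(), ssid.encode(), 4096, 32)


def random_ssid(length: int = 16) -> str:
    """Obscure SSID: a name no precomputed table for default SSIDs will cover."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def random_shared_key(length: int = 63) -> str:
    """Shared key at the WPA2 maximum of 63 characters, from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def random_admin_password(length: int = 20) -> str:
    """Admin password per the page's rule: 20+ chars, upper + lower + digit."""
    if length < 20:
        raise ValueError("use 20 or more characters")
    while True:
        pw = "".join(secrets.choice(ALNUM) for _ in range(length))
        if any(c.isupper() for c in pw) and any(c.islower() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw


if __name__ == "__main__":
    key = "constructed-sample-shared-key"  # constructed sample, not a real key
    # Same key, different SSID -> different master key, so work done in
    # advance for a common SSID does not carry over to a random one.
    for ssid in ("linksys", "NETGEAR", random_ssid()):
        print(f"{ssid:16} {wpa2_pmk(key, ssid).hex()}")
    print("shared key:    ", random_shared_key())
    print("admin password:", random_admin_password())
```

Check your router's length limits before pasting the generated values; the page notes that limits differ between models.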
More on changing your router's password
to] Change the Default Password on a Network Router.
your router, and your identity, with a password change.