Your router’s default admin password is probably on Google. Default credentials are public knowledge — and the usual suspects know them. Most people set up a router once and never touch it again. Here’s how to actually lock the door.
Every WiFi network is a potential entry point. Unsecured or poorly configured networks allow attackers to intercept traffic, position themselves between you and the internet, and compromise connected devices. Your home router is the gateway between your private network and everything else — and most folks have never changed its default settings.
WiFi Encryption Standards
| Standard | Security Level | Notes |
|---|---|---|
| WEP | None — broken | Do not use. Crackable in minutes. Deprecated. |
| WPA | Poor | Significant vulnerabilities. Replaced by WPA2. |
| WPA2 (Personal) | Good | Current standard. Use WPA2-PSK with AES encryption. |
| WPA2 (Enterprise) | Better | Requires RADIUS server — for businesses. |
| WPA3 | Best | Newer standard. Use if your router and devices support it. |
Check your router’s encryption: Log into your router admin panel → WiFi settings → ensure WPA2 or WPA3 is selected. WEP and WPA should never be used.
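The table above can also be applied to a scan of nearby networks, including your own. This is an added example, not part of the original guide: it assumes a Linux machine with NetworkManager, where `nmcli -t -f SSID,SECURITY device wifi list` prints one `SSID:SECURITY` line per network. The sample scan is constructed, and the "None (open)" label for unencrypted networks is an addition the table does not list.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# In terse mode nmcli escapes a colon inside an SSID as "\:".
SAMPLE_SCAN = r"""HomeNet:WPA2
CoffeeShop:
Garage\:Cam:WEP
OldRouter:WPA1 WPA2
Office:WPA2 802.1X
NewMesh:WPA2 WPA3
"""

def rate(security):
    """Rate a network by the weakest protocol it accepts (ratings from the table)."""
    tokens = set(security.replace("--", "").split())
    if not tokens:
        return "None (open)"      # added label: no encryption at all
    if "WEP" in tokens:
        return "None (broken)"
    if "WPA1" in tokens:          # WPA/WPA2 mixed mode still accepts WPA clients
        return "Poor"
    if "802.1X" in tokens:        # Enterprise: authentication via a RADIUS server
        return "Better"
    if "WPA2" in tokens:          # includes WPA2/WPA3 fallback mode
        return "Good"
    if "WPA3" in tokens:
        return "Best"
    return "Unknown"

def parse_scan(terse_output):
    """Return (ssid, rating) pairs from terse nmcli output."""
    results = []
    for line in terse_output.splitlines():
        if not line:
            continue
        # The SECURITY field never contains a colon, so split on the last one.
        ssid, _, security = line.rpartition(":")
        ssid = ssid.replace("\\:", ":").replace("\\\\", "\\")
        results.append((ssid or "<hidden>", rate(security)))
    return results

def needs_attention(terse_output):
    """SSIDs whose weakest accepted mode is open, WEP, or WPA."""
    weak = {"None (open)", "None (broken)", "Poor"}
    return [ssid for ssid, rating in parse_scan(terse_output) if rating in weak]

if __name__ == "__main__":
    for ssid, rating in parse_scan(SAMPLE_SCAN):
        print(f"{ssid:12} {rating}")
```

A network that advertises both WPA and WPA2 is rated "Poor" here because it still accepts the older protocol.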
Router Hardening
Access your router admin panel:
- Typically at: 192.168.1.1 or 192.168.0.1 (check the sticker on your router)
- Default username/password is printed on your router — that means everyone knows it
Steps to actually lock this down:
- Change the default admin username and password — default credentials are documented publicly; change them now
- Update router firmware — routers receive security updates just like your phone; check the admin panel for updates
- Disable remote management — prevents access to the admin panel from the internet
- Disable WPS (WiFi Protected Setup) — WPS has known vulnerabilities; disable it entirely
- Enable the firewall — most routers have a built-in firewall; ensure it’s active
- Review connected devices — check the device list regularly; anything you don’t recognize is a problem
- Change the default DNS to a privacy-respecting DNS: Cloudflare (1.1.1.1) or Quad9 (9.9.9.9)
SSID Configuration
Your SSID is the name of your WiFi network as it appears to anyone in range — in your building, on the street, in a parked car outside.
What NOT to do:
- Do NOT use your name, address, or apartment number: “Johnson Family WiFi” or “Apt 4B” tells anyone within range who you are and where you live
- Do NOT use your ISP’s default name — it identifies your router model, which tells attackers which vulnerabilities to try
Best practices:
- Use a generic or humorous name that reveals nothing about you or your location
- Disable SSID broadcast (optional) — makes your network invisible to casual scanners; devices you trust can still connect by entering the name manually. Note: this is obscurity, not security — it doesn’t replace proper encryption
- Guest network: Create a separate SSID for guests and IoT devices — isolates them from your main network
WPA2-PSK + AES — The Target Configuration
For most home networks, this is what your settings should show:
- Protocol: WPA2-Personal (WPA2-PSK)
- Encryption: AES — do NOT select TKIP; it is weaker
- Password: Minimum 12 characters, random mix — use your password manager to generate one you’ll never have to remember
- If your router supports WPA3, enable it with WPA2 as fallback for older devices
MAC Address Filtering
Every network device has a unique MAC address — a hardware identifier. MAC filtering lets you create an allowlist: only pre-approved devices can connect.
How to enable:
- Log into router admin panel → WiFi or Security settings → MAC Filtering
- Enable MAC filtering → add the MAC addresses of all your devices
- Deny all others
Limitation: MAC addresses can be spoofed (faked) by attackers who know what they’re doing. MAC filtering is an additional layer, not a primary defense. Don’t skip strong encryption just because you enabled this.
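The "review connected devices" step and the allowlist idea above can be checked from a computer on the network as well as from the router panel. This is an added example, not part of the original guide: it assumes a Linux host whose `ip neigh` output lists the devices it has recently seen, and every address below is constructed. It also reports whether an unrecognized MAC is software-assigned, which is what a device using a randomized or changed address looks like.

```python
import re

# Constructed allowlist: MAC addresses of devices you own, in any common notation.
ALLOWLIST = {"3c:22:fb:10:20:30", "F0-18-98-AA-BB-CC"}

# Constructed sample of `ip neigh` output.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.23 dev wlan0 lladdr f0:18:98:aa:bb:cc STALE
192.168.1.57 dev wlan0 lladdr 9a:41:07:5e:11:02 REACHABLE
192.168.1.80 dev wlan0 lladdr 00:1d:0f:44:55:66 DELAY
192.168.1.99 dev wlan0  FAILED
"""

def normalize(mac):
    """Lower-case, colon-separated form, so differently written MACs compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-assigned address."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def unknown_devices(neigh_output, allowlist):
    """Return (ip, mac, software_assigned) for every device not on the allowlist."""
    allowed = {normalize(m) for m in allowlist}
    findings = []
    for line in neigh_output.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if not m:  # FAILED or INCOMPLETE entries carry no MAC address
            continue
        ip, mac = m.group(1), normalize(m.group(2))
        if mac not in allowed:
            findings.append((ip, mac, is_locally_administered(mac)))
    return findings

if __name__ == "__main__":
    for ip, mac, soft in unknown_devices(SAMPLE_NEIGH, ALLOWLIST):
        kind = "software-assigned MAC" if soft else "hardware-assigned MAC"
        print(f"unrecognized: {ip} {mac} ({kind})")
```

Phones and laptops that use a private (randomized) WiFi address also show up as software-assigned, so add the address the device actually uses on your network to the allowlist.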
HTTPS
HTTPS encrypts the connection between your browser and the websites you visit. Even on a compromised network, HTTPS prevents attackers from reading the content of your traffic — they can see you’re connected somewhere, but not what you’re doing or sending.
Verify HTTPS:
- Look for the padlock icon in your browser’s address bar
- The URL should begin with https://, not http://
- Never enter passwords, payment information, or personal data on an http:// site
Enable HTTPS-only mode:
- Chrome: Settings → Privacy & Security → Security → Always use secure connections
- Firefox: Settings → Privacy & Security → Enable HTTPS-Only Mode in All Windows
- Edge: Settings → Privacy, search, and services → Security → Automatically switch to more secure connections
Public WiFi
Assume all public WiFi is compromised. Treat it like someone is watching — because on some networks, someone is.
- Use a VPN (see the VPN section) when on any public network — it encrypts your traffic even when the network itself isn’t trustworthy
- Avoid financial transactions on public WiFi
- Disable WiFi auto-connect — prevents your phone from joining networks automatically
- Forget public networks after use — prevents auto-reconnect next time you’re in range
Log into your router admin panel today. Change the default admin password. Check that WPA2-AES is selected. These steps take five minutes, and most people rolling the dice on default settings have been rolling them for years.