Router configuration - easy security and improvements
This article is a list of best practices for home router and WiFi security. [Page last updated 2016-11-23]
1. What you'll need
First, we're going to your router's management webpage and logging in so you can make changes. You'll need to know your router's manufacturer and model, which should be on a sticker on it.
With that info, find your router's default admin password here: www.routerpasswords.com
Click each of these common links to router admin pages below, or go here for instructions on finding it.
Why is this so complicated? Because nerds valorize deleterious individualism.
2. Upgrade firmware
Routers are in fact small computers running Linux, and they have vulnerabilities and bugs like any computer. Fixes for these are called firmware updates. Often, they will also improve performance and resolve WiFi issues, so if you're not running the latest version you're just hurting yourself.
Here are links to the support pages of some popular manufacturers. Note that cable modems can only be updated by the cable company.
3. Change admin password
It sounds crazy, but if you leave the default password on your router, in some cases just clicking a link on the Internet can change the settings. Or, if one of your computers gets infected, some malware tries the most common router passwords to try to hijack the settings. It's important you change it!
You do not need a complex password; it just needs to be something that's not common. For example, your last name and year.
Once you change the password, write it on a piece of paper and tape it to your router. You should log out of your router when you're not actively administering it.
4. Change DNS to two different redundant services
When you hear about major home Internet outages on the news, it's often because the ISP's DNS servers, which operate as the phonebook of the Internet, were attacked or were down. Relatedly, the major Internet attack in October 2016 against Dyn was against DNS. I personally didn't even notice because the services I use mitigated the issue for me.
Or, how about when you type in a website address incorrectly and a search website from your ISP appears? That's not supposed to happen: your ISP is hijacking DNS NXDOMAIN responses to show you ads.
Change your DNS servers to the following to fix both these issues.
- DNS1: 126.96.36.199
- DNS2: 188.8.131.52
The first is OpenDNS and the second is Google. OpenDNS is first because they do special caching to keep DNS outages from hurting you. OpenDNS no longer does NXDOMAIN hijacking; they make their money from their business product.
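To check whether the DNS service you are using right now hijacks NXDOMAIN, here is an added example (not part of the original article): it looks up random names that cannot exist and reports any that come back with an address. The function names, the example.com control name and the default "com" suffix are assumptions made for this example.

```python
import secrets
import socket


def system_resolve(name):
    """Ask the OS resolver; return the IPs for name, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []  # NXDOMAIN or other lookup failure
    return sorted({info[4][0] for info in infos})


def check_nxdomain_hijack(resolve=system_resolve, trials=3,
                          suffix="com", control="example.com"):
    """Return {probed_name: [ips]} for nonexistent names that still got an answer.

    An empty dict means every probe failed to resolve, which is correct behaviour.
    """
    # Control lookup: if a real name fails too, DNS is simply down and the
    # probes below would look "clean" for the wrong reason.
    if not resolve(control):
        raise RuntimeError(f"cannot resolve {control}; DNS is not working")
    hijacked = {}
    for _ in range(trials):
        # Constructed probe: 32 random hex characters, so it is not registered.
        name = f"{secrets.token_hex(16)}.{suffix}"
        answers = resolve(name)
        if answers:
            hijacked[name] = answers
    return hijacked


if __name__ == "__main__":
    found = check_nxdomain_hijack()
    if not found:
        print("OK: nonexistent names do not resolve")
    for name, ips in found.items():
        print(f"HIJACKED: {name} -> {', '.join(ips)}")
```

Run it once before and once after changing the DNS servers on the router to compare the results.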
5. WiFi encryption type and password
There have been multiple generations of WiFi security, and for that reason many people's devices are configured with outdated settings. For years, manufacturers set up routers with the most lenient configuration to try to avoid any possible customer support calls. Unfortunately, as time has gone on this means many people do not have proper protection, using technology that's over 10 years old and broken.
- Encryption type: WPA2 Personal + AES
- Password: Make it 12 characters or more. WiFi passwords can be brute-forced over a long period of time and you should rarely have to type it in, so just make a good password that will last you.
6. SSID hiding and MAC filtering: Off
- SSID hiding doesn't do anything against hackers; it wastes your time and makes your laptop constantly yell out the network name
- MAC filtering is useless as a security mechanism
These settings have uses, but they are not for normal home users. If you're using either, turn them off and just forget these options exist. The only layer of security that works is a strong WiFi password.
7. WiFi Protected Setup: Off (Probably)
Turn this off. "WPS" is a poorly-implemented security nightmare that's often easily exploited to hack into your network. Turn it off unless you have, or plan to have, a WiFi printer that requires it to set up the system.
8. Remote Management: Off
Turn this off. There's no need for teenagers in another country to scan the Internet and find your router's administration page. That would be bad.
9. Respond to ping: Off
Turn this off to cloak your router from cursory Internet sweeps. There's no need for it to be on unless you have a specific reason.
Extra: Guest network
[Need to write this section] Use for Internet-only devices that don't need local LAN access to other electronics, enable guest isolation
Extra: Recommended hardware upgrades
If you're still on an ancient router that's not getting security updates, or renting your modem from your cable company for $10 a month, you might be interested in the below recommendations from WireCutter, which is owned by the New York Times. I do not get any revenue from you clicking these links.
Recommended routers: http://thewirecutter.com/reviews/best-wi-fi-router/
Recommended modems: http://thewirecutter.com/reviews/best-cable-modem/