Router configuration - easy security and improvements
This article is a list of best practices for home router WiFi security. [Page last updated 2017-10-16]
1. What you'll need
First, we need to find your router's management webpage and then log in so you can make changes. You'll need to know your router's manufacturer and model, which should be on a sticker on it.
With that info, find your router's default admin password here: www.routerpasswords.com
Click each of these common links to router admin pages below, or go here for instructions on finding it.
Why is this so complicated and not standardized? Because nerds valorize deleterious individualism.
2. Upgrade firmware
Routers are in fact small computers running Linux, and they have vulnerabilities and bugs like any computer. Fixes for these are called firmware updates. Often, they will also improve performance and resolve WiFi issues, so you always want to be running the latest version. You don't even have to care about security, these updates can improve your signal and speeds.
Here are links to the support pages of some popular manufacturers. Note that cable modems can only be updated by the cable company.
3. WiFi encryption type and password
There have been multiple generations of WiFi security, and for that reason many people's devices are configured with outdated settings. For years, manufacturers set-up routers with the most lenient configuration to try to avoid any possible customer support calls. Unfortunately, as time has gone on this means many people do not have proper protection, using technology that's over 10 years old and broken.
- Encryption type: WPA2 Personal + AES (CCMP)
- Password: Make it 12 characters or more. WiFi passwords can be brute-forced over a long period of time and you should rarely have to type it in, so just make a good password that will last you.
4. Change admin password
It sounds ridiculous, but if you leave the default password on your router, in some cases just clicking a link on the Internet can change the router settings. Or, if one of your computers gets infected, some malware tries the most common router passwords to attempt to hijack the web on every computer in your house. Trust me this happens, but most people have no idea because antivirus doesn't scan routers. It's important you change the password!
Because outsiders can't get to the admin page, you do not need a complex password - it just needs to be something you won't lose when you need it.
Once you change the password, write it on a piece of paper and tape it to your router. You should log out of your router when you're not actively administering it.
5. Change DNS to redundant services
When you hear about major home Internet outages on the news, it's often because the servers the ISP was using that operate as the "phonebook of the Internet" were attacked, or were down. Related, the major internet attack on October 2016 against Dyn was against DNS. I personally didn't even notice because the services I use mitigated the issue for me.
Or, how about when you type in a website address incorrectly and a search website from your ISP appears? That's actually not supposed to happen, your ISP is hijacking DNS NXDOMAIN to show you ads.
Change your DNS servers to the following to fix both these issues.
- DNS1: 126.96.36.199
- DNS2: 188.8.131.52
- DNS3: 184.108.40.206 (you may not have this option)
- DNS4: 220.127.116.11 (you may not have this option)
The first is OpenDNS and the second is Google. OpenDNS is first because they do special caching to hide DNS outages from hurting you. OpenDNS no longer does NXDOMAIN hijacking, they make their money from their business security product.
The third is OpenNIC, the fourth is UltraDNS. There is no conceivable scenario you would ever need to fall-back to these, but I'm providing them since some routers do give you the option.
6. SSID hiding and MAC filtering: Off
- SSID hiding doesn't do anything against hackers, it wastes your time and makes your laptop constantly yell out the name.
- MAC filtering is useless as a security mechanism.
These settings have uses, but they are not for normal home users. If you're using either, turn them off and just forget these options exist. The only layer of security that works is a strong WiFi password.
7. WiFi Protected Setup: Off (Probably)
Turn this off, probably. "WPS" is a poorly-implemented security nightmare that's sometimes easily exploited. Turn it off unless you have, or plan to have, a WiFi printer that requires it to set up the system.
8. Remote Management: Off
Turn this off. There's no need for teenagers in another country to scan the Internet and find your router's administration page. That would be bad. This should already be off.
Extra: Guest network
Use for Internet-only devices that don't need local LAN access to other electronics, enable guest isolation.
Extra: Recommended hardware upgrades
If you're still on an ancient router that's not getting security updates, or renting your modem from your cable company for $10 a month, you might be interested in the below recommendations from WireCutter, which is owned by the New York Times. I do not get any revenue from you clicking these links.
Recommended routers: http://thewirecutter.com/reviews/best-wi-fi-router/
Recommended modems: http://thewirecutter.com/reviews/best-cable-modem/
2017-05-08: Changed Level3 DNS to OpenNIC since L3 is deprecating the feature
2017-10-16: Moved WPA2-AES recommendation up to step 3