
"Admin" is a BAD user name for anything! Change it!


Carol Haynes:
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)
--- End quote ---

May change the password but a lot of routers don't change the default user name - hell some routers don't even have a user name - just a password.

barney:
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)
--- End quote ---

Yep.  Most of 'em do.  But they don't let ya change the username.  There's a back door built in to most hardware - and a lot of software! - so that the vendor can tell you how to recover if you have a memory lapse - read, screw things up - and maintain their pristine reputation.

Back when I was overseas - Asia, mid-sixties, combat pending - a captain in charge of our group misplaced a password, i.e., he lost the scrap of paper it was on.  He had to contact what was then the equivalent of IT today, and IT promptly got him straightened out, restored his access.  They had a back door  :o.  (Mind, this was a radio network, not PC, but the principle ...)

I've encountered software issues where a user was locked out because of a forgotten password.  In every case but one (1), the vendor was able to provide a way back in.  That single case was such that no one - at that time  :huh: - could crack the database involved, not even the vendor.  And it was clearly stated in the documentation that if you lost your login, your data couldn't be recovered.  However, in every other instance, hardware or software, I've been able to contact the vendor, provide requisite bona fides, and regain access for the client.

If you cannot change the Admin username, any hacker is halfway to cracking the system involved.  Brute force and a decent dictionary can still resolve ninety percent of passwords when Admin is still a viable username.

app103:
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)
--- End quote ---

Mine allowed login with default on first login, then demanded I set a user and pass for access, not allowing me to move on to what I logged in for, until setting that up. And once set up, the default no longer works.

Yep.  Most of 'em do.  But they don't let ya change the username.  There's a back door built in to most hardware - and a lot of software! - so that the vendor can tell you how to recover if you have a memory lapse - read, screw things up - and maintain their pristine reputation.
-barney (April 16, 2013, 03:24 AM)
--- End quote ---

Mine is easy to bypass in that case, but only if you have physical access to the router. A paper clip in the back to reset it to factory defaults will do the trick, but there will be no normal internet access beyond the ISP's new user start page until you log in with your account, download and install their custom stuff, and set everything up again. So a name/pass is still required.  ;)

If you cannot change the Admin username, any hacker is halfway to cracking the system involved.  Brute force and a decent dictionary can still resolve ninety percent of passwords when Admin is still a viable username.
-barney (April 16, 2013, 03:24 AM)
--- End quote ---

In the case of WordPress, it's not enough to not create the admin name as something else other than "admin" in the first place (WordPress won't allow you to make a user name change later). You need to create at least a 2nd admin account and delete the first one, regardless of the user name chosen, or you risk getting locked out of your blog if it is attacked, and having to reset your password.

User ID 1 is the first created, first admin, and most targeted account, for things like SQL injections with the intent to change the password. If successful and the account name is "admin" then it's an easy in, without a brute force dictionary attack. They know the name (admin) and the password (they changed it themselves). If the account name is other than admin though, they don't have as easy of a time, but you still end up locked out.

If the account ID is something other than 1, it makes it a little harder, and you'll be less likely to end up locked out. Now they have to start guessing the ID, and maybe the user name too, since a default "admin" account no longer exists. Yes, there are ways to easily figure that stuff out too (in most cases), but it takes more time and is a bit more trouble, and unless the hacker is targeting your blog specifically, not as likely to happen, when there are so many other easier targets to hit with an automated attack.

There is a lot one can do to protect a WordPress blog, but people need to take the time to read and do the stuff required. A rough estimate of the time required to truly beef up the security on a WP blog is about 5 hours, if you have never done it before, and do everything in this checklist. Use the online version if you don't want to go through the registration to download the pdf. It's always the most up to date. Registration gets you an email notice of any changes to the checklist, though, so once done, it's a good idea, anyway.  ;)

And the first step in that checklist/tutorial is how to set up automation of backups, and how to have them automatically stored offsite is also covered at some point.
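An added example, not part of app103's post or of the checklist it mentions: a small audit that lists administrator accounts which still have ID 1 or the user name "admin", and checks that a replacement administrator exists before the first one is deleted. It assumes the default `wp_` table prefix and runs against constructed sample rows in an in-memory SQLite database; `build_sample_db` and `audit_admin_accounts` are hypothetical helper names.

```python
import sqlite3

# Constructed sample rows in the shape of WordPress's wp_users / wp_usermeta
# tables. Assumption: default "wp_" prefix, so roles live under the
# "wp_capabilities" meta key as a PHP-serialized array.
SAMPLE_USERS = [(1, "admin"), (2, "guest_writer"), (7, "siteowner")]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

def build_sample_db():
    """In-memory stand-in for the blog database (hypothetical helper)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return db

def audit_admin_accounts(db):
    """Split administrators into predictable accounts and replacements."""
    admins = db.execute(
        "SELECT u.ID, u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE ? "
        "ORDER BY u.ID",
        ('%"administrator"%',),
    ).fetchall()
    flagged, replacements = [], []
    for user_id, login in admins:
        reasons = []
        if user_id == 1:
            reasons.append("ID 1 (first account created)")
        if login.lower() == "admin":
            reasons.append('user name "admin"')
        if reasons:
            flagged.append((user_id, login, reasons))
        else:
            replacements.append((user_id, login))
    # Deleting a flagged account is only safe once another admin exists.
    return {"flagged": flagged, "replacements": replacements,
            "safe_to_delete_flagged": bool(replacements)}

if __name__ == "__main__":
    print(audit_admin_accounts(build_sample_db()))
```
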

Edvard:
IIRC, my router actually offered to change the default admin password when I first logged in.  I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.  :Thmbsup:
-Edvard (April 16, 2013, 01:36 AM)
--- End quote ---
May change the password but a lot of routers don't change the default user name - hell some routers don't even have a user name - just a password.
-Carol Haynes (April 16, 2013, 03:02 AM)
--- End quote ---

Aargh!! Dammit, I meant to say change the USERNAME, which it did allow and as I recall, it was actually part of the initial setup process to change the default username along with the password. :-[

I've encountered software issues where a user was locked out because of a forgotten password.  In every case but one (1), the vendor was able to provide a way back in.  That single case was such that no one - at that time  - could crack the database involved, not even the vendor.  And it was clearly stated in the documentation that if you lost your login, your data couldn't be recovered.
-barney (April 16, 2013, 03:24 AM)
--- End quote ---

My chosen email provider - Lavabit.com - has just such a policy:

http://lavabit.com/secure.html
In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles user’s inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand.

Lavabit has developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it. We felt that this technical protection was necessary in addition to our Terms of Use and privacy policies.
...
--- End quote ---

J-Mac:
My ASUS RT-N16 router comes with the username "admin" and while I was able to change the password it does not allow changing the username.   >:(

(Damn thing continually drops wireless connections for the past week, too!   :mad:  )

Jim
