Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

AT&T routers, for example, ship like this. There's a wifi network and a wifi password printed onto the device.

But that also means then that often anyone with physical access can easily get into the device. The complicated password provides an additional layer of illusion of security, because people then figure "it's not a default admin password, it should be good". The fundamental problem seems to be "many people are bad at passwords and onboarding flows", and so trying variations on shipping passwords seem to result in mostly the same problems.



If you have physical access you can just factory reset the device and onboard it with the normal flow though


That's fair, though at least resetting would indicate that an attack happened. Default passwords and printed passwords can result in undetected attacks, which are arguably worse.


It doesn't change anything in this case though, you can't use the default password against a tp-link device after it's been onboarded.


Same with Orange branded ones. There is even a QR code that you can scan on your phone - no more typing 16-24 hex characters.

It's hard to decide whether it's good or bad. It is definitely easier. Which I guess matters most in consumer grade routers.


I feel seen. Why is the security illusory? I still don't understand the problem with this. Is the concern that someone will break into my house to covertly get access to my wifi password?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: