Water "may be wet", prominent water scientists claim.
And now a few words from my occasional co-writer, captain obvious.
"Home computer users who leave default passwords on network hardware unchanged could be at risk from attack say security experts." - the BBC, reporting on a Symantec / University of Indiana study.
Ummm. You think so, eh?
I'm really torn about this. Do I mock the obvious nature of the report, marvel that someone actually got paid to study this, as if the outcome was going to be in doubt, or do I pontificate on possible solutions?
In a turn-about from my usual response, I'll go for the latter. So what can be done here?
I suppose we could ask people to change their default router passwords. Of course, they might say "no". Or we could force them, and either watch them pick absolutely trivial passwords, or watch support costs soar as people lock themselves out of their routers. Then we end up with a backdoor password needing to be installed to allow ISP or product support for these devices to fix the problem, and of course this password will get known... and someone else will be able to study the obvious problem this will cause and conclude that we should go back to how things are now.
To prevent spoofing attacks, the BBC says that one of the report authors suggests editing the DNS settings on LAN workstations underneath the umbrella of a router so that successful attacks on the router need not always cause problems for end users.
This sounds nice, and perhaps isn't bad advice for people who are up to the task of finding a DNS server on the internet, setting their machines up to use it, troubleshooting the inevitable problems this might cause, etc. But I'm going to guess that the set of people who understand DNS and the set of people who understand why routers need a good password are likely to be very similar, and not contain many of the sort of people who need the most protection here.
In all seriousness, if your home network (let alone, God forbid, your business one) is using one of these routers, and it has a default password, you should go and change the password right now. Be sure to write it down somewhere safe, and not stored on your computer, if you think you might have problems remembering it. If you keep the box the router came in, or the receipt for the purchase, I'd suggest that these might be the ideal place for home users to make notes like this.
But as I've said before, normal people and "good password security" just don't mix. Perhaps it's time that the cheap USB storage devices that everyone seems to own 20 of these days were used as authentication tokens for things like this?
Editor's note: Captain obvious would like to thank his good friend Lewis Burgess for drawing the BBC article to his attention - Rob