By far the largest vulnerability that routers have is not even related to problems in the firmware – it’s a human problem, namely bad passwords. The administrator password on a router is usually the last line of defense against people trying to wreak havoc on your network, and it’s far too often overlooked or ignored.
Defaults are well known
Routers are shipped from manufacturers with default passwords set. These devices often mysteriously allow lazy users to use them without forcing them to choose a new password. This is unfortunate because the default passwords for every router ever built are well known. In fact, there are even websites set up to help you out if you forget your router’s default, such as routerpasswords.com.
Of course, router password sites are convenient for the people who forget their password, but they can also be used by others.
Routers don’t stop people from guessing
Getting a large list of commonly used passwords is pretty easy to do, and hackers have no problem using them to try and break into your router by guessing them. There are even programs to automate this process to make it that much easier for the hackers.
Websites often try to stop password guessing in a variety of ways. Sometimes, if too many failed attempts to log in are made, they’ll lock you out for a period of time or make you perform some other function to re-enable the ability to log in. Other times, a site will use a CAPTCHA system (those website things where you have to decode the funny letters) to weed out the humans from the automated systems.
Routers typically do none of this. They’ll let you sit there and fail to log in time after time without doing anything about it. They’ll also respond very quickly, which allows very many guesses each second. It’s safe to say that unless you have a very good password, hackers will be able to break into your router eventually.
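The lockout behaviour described above for websites, which routers typically lack, looks like this in code. This is an added example, not taken from the original article or from any router's firmware; the names `LoginThrottle` and `make_checker`, the threshold of 5 failures and the 300-second lockout are assumptions chosen for illustration.

```python
import hmac
import time


def make_checker(real_password):
    """Return a function that compares a guess in constant time."""
    real = real_password.encode()
    return lambda supplied: hmac.compare_digest(supplied.encode(), real)


class LoginThrottle:
    """Counts failed logins per client and locks that client out for a while."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures        # assumed threshold
        self.lockout_seconds = lockout_seconds  # assumed first lockout length
        self.clock = clock                      # injectable so tests can fake time
        self._state = {}  # client -> [failures, locked_until, lockouts_so_far]

    def is_locked(self, client):
        entry = self._state.get(client)
        return entry is not None and self.clock() < entry[1]

    def attempt(self, client, supplied, check_password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.is_locked(client):
            # Refuse without checking the password, so guesses made during
            # the lockout teach the guesser nothing.
            return "locked"
        if check_password(supplied):
            self._state.pop(client, None)  # success clears the record
            return "ok"
        entry = self._state.setdefault(client, [0, 0.0, 0])
        entry[0] += 1
        if entry[0] >= self.max_failures:
            # Each further lockout doubles in length, so sustained guessing
            # gets slower and slower instead of running at full speed.
            entry[1] = self.clock() + self.lockout_seconds * (2 ** entry[2])
            entry[2] += 1
            entry[0] = 0
        return "denied"
```

With these assumed settings a client gets 5 guesses, then waits 300 seconds, then 5 more and waits 600 seconds, and so on, instead of many guesses each second.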
Examples of real life problems with passwords can be found here.