Question : Strength of routers default password
#1
Hello there,

My friend just got his router changed and while talking with him I strongly suggested to change its default password to something both ok to remember and hard to crack/guess. As he thought the default password was good enough, I made a try and get some handshake exported in hccapx (with his approval of course)
In short, the format is 13 characters that are lower-alpha + num. Under a mask attack, hashcat gives me an Overflow that I understand, it is non doable in term of time.
Therefore :
- As passwords weaknesses often lie in users' choice and predictability, should we assume that routers default passwords are way better than anything we could choose, and let's say, not crackable ?

- Regarding such format, is there any other way to improve an attack than :
hashcat -O -m 2500 -a 3 try.hccapx -1 ?l?d ?1?1?1?1?1?1?1?1?1?1?1?1

Thank for your opinions,
#2
Often the algorithms to create those default passwords are weak. There are several instances of such algorithms having been reversed, allowing to crack such a default password with very few tries. Default passwords should not be trusted.

see for example those threads: https://hashcat.net/forum/thread-6170.html https://hashcat.net/forum/thread-4463.html

or this very detailed article documenting the reversing of one specific router: https://deadcode.me/blog/2016/07/01/UPC-...rsing.html
#3
Really good information there, thanks undearth