You understand that your router came with the username 'admin' and the password 'password' when you bought it, right?
(Don't get me wrong, there's some weird stuff going on with that Kickstarter, but the password/username thing is such a strawman it hurts me to see people talking about it.)
It's not really a strawman. By default OpenWRT doesn't have a root password, and asks you to set one in order to be able to log into the interface or over SSH.
A lot of devices running OpenWRT that are shipped these days (e.g. mainly routers of some sort) come with a WPA-PSK encrypted wireless network, not an open wireless network. It's common to see the password put on a sticker on the device or supplied with it, and it's usually algorithmically or randomly generated.
Because the default wifi is open, anyone in the local area will be able to connect to the device, passively sniff wireless traffic going through the bridge etc. before it hits Tor, including any usernames and passwords used to log into the router other than through SSH.
Here in Europe, standalone routers are not very popular, since ISPs provide CPEs (customer premises equipment) that are a combination of a modem and router with multiple Ethernet ports and Wi-Fi. The norm is for the ISP to configure them with unique web-interface passwords, WiFi SSIDs as well as WPA keys, printed on the back of the device [1].
Outstanding. Sounds like any banner ad you happen across could own your network with a variant of <img src="hxxp://192.168.0.1/admin.cgi?op=login&password=sky">.
To protect against these kinds of attacks (and DNS rebinding attacks), most (?) modern browsers won't allow a webpage to make requests to non-routable IP addresses unless the page itself came from a non-routable IP address. Not that that's a fix, but it definitely helps mitigate the issue.
I just tested Firefox and Chrome; both made an HTTP request successfully to my laptop's RFC 1918 address referenced from a web page on the internet. Maybe you are thinking of IE's "zones" feature?
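A device-side check for the two attacks raised in the comments above (the cross-site image request and DNS rebinding), as an added example that is not code from this thread or from any router firmware. The host allowlist, the function name and the op names other than `login` are assumptions; the sample requests in the test are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the admin UI is only ever reached under these names.
ALLOWED_HOSTS = {"192.168.0.1", "router.lan"}
# "login" is the op from the URL quoted above; the others are hypothetical.
STATE_CHANGING_OPS = {"login", "set_password", "reboot"}


def check_admin_request(method, headers, op):
    """Return (allowed, reason) for one request to the admin interface."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. DNS rebinding: the browser still sends the attacker's hostname in
    #    Host, even though that name now resolves to the router's address.
    hostname = urlsplit("//" + h.get("host", "")).hostname
    if hostname not in ALLOWED_HOSTS:
        return False, "host-not-allowed"

    # 2. Credentials and settings must not be accepted from a GET query
    #    string, which is all an <img src=...> tag can produce.
    if op in STATE_CHANGING_OPS and method.upper() != "POST":
        return False, "state-change-requires-post"

    # 3. Fetch Metadata: browsers that send Sec-Fetch-Site label requests
    #    started by another site as "cross-site" or "same-site".
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, "cross-site-request"

    # 4. Origin, when present, must name the router itself ("null" fails).
    origin = h.get("origin")
    if origin is not None and urlsplit(origin).hostname not in ALLOWED_HOSTS:
        return False, "foreign-origin"

    return True, "ok"
```

A request that passes these checks still needs authentication and a per-session CSRF token; the header checks only filter out requests that another site caused the browser to send.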
I've literally never encountered a router that didn't have a default password on it.
Sometimes service providers will set a random (or user) password before shipping the device, but they all reset to the default one when you factory reset it.
I thought it was just universal.
I'm actually quite interested to know which manufacturers ship a custom ROM per device with a unique password.
Fritz Boxes have a unique password; it's printed on the sticker on the back. My consumer-grade Telekom router does the same, same for the Vodafone router my brother owns. It's the de facto standard for all consumer-grade ADSL/cable modems/routers that German telcos hand off to their customers.
Maybe confusing the WiFi password and the admin password? I just got a new modem/router today and the WiFi is WPA2 secured by default with a random passcode printed on a sticker on the base of the unit... but once connected, the login for configuring the unit itself is your standard default admin/password deal.
ADSL/cable modems are usually set up to download firmware from the ISP. At least in cable modems, throttling is usually done on the device as well, so it sort of resets every time you turn it off and on.