Why New Routers Come With a Random Password Sticker
Published July 6, 2026
Unbox a router made in the last two years and flip it over. Instead of admin/admin, the sticker probably shows a random jumble like K7pf2xQz9. Generosity had nothing to do with it. In a growing list of countries, it's the law.
For two decades, most routers shipped with the same login on every unit sold. Anyone could look up your model's defaults in ten seconds. Regulators eventually decided that was absurd. Here's what changed, which laws forced it, and what to check before your next router purchase.
The UK banned shared default passwords first
The UK's Product Security and Telecommunications Infrastructure Act is usually called the PSTI Act. It's been in force since April 29, 2024. It bans universal default passwords on connectable products sold in the UK. Routers are squarely covered, along with smart cameras, doorbells, and baby monitors.
Under PSTI, every device must ship with a password unique to that unit, or force you to create one during setup. The UK was the first country in the world to ban default-password devices outright. Manufacturers must also publish a vulnerability disclosure policy and state how long the product will get security updates.
The reason regulators cared is history. The Mirai botnet hijacked huge numbers of devices in 2016 by simply logging in with factory passwords. Nobody hacked anything in a clever way. The passwords were public, and the doors were open.
So that sticker on your new TP-Link or Asus is compliance, printed one unit at a time. Some models skip the sticker and make you set a password the first time you log in. Both approaches satisfy the law.
One detail trips people up. The sticker usually carries two passwords, one for joining the wifi and one for the admin panel where the settings live. The laws cover both, and both deserve your attention.
The fines are huge, but nobody's been fined yet
The PSTI Act has real teeth on paper. Fines can reach £10 million or 4 percent of a company's global revenue, whichever is higher. Continuing violations can add up to £20,000 per day on top of that.
Enforcement belongs to the Office for Product Safety and Standards, known as OPSS. Now the honest part. Through late 2025, OPSS's published enforcement lists showed no public actions under these product rules at all. The stick exists, but it hasn't been swung.
That doesn't make the law useless. Major brands rebuilt their factory processes rather than risk becoming the first test case. The random sticker on your router is the visible proof that they did.
The EU's rules start biting this September
The EU's Cyber Resilience Act goes further than the UK law, and its first deadline lands this September. From September 11, 2026, manufacturers must report actively exploited vulnerabilities through ENISA's Single Reporting Platform. They get 24 hours for an early warning and 72 hours for a full notification.
That reporting duty covers products already on the EU market, not just new ones. The heavier requirements, including secure-by-default design, apply from December 11, 2027. After that date, shipping a router with a shared default password into the EU won't be legal.
If you're reading this in the Philippines, India, or Latin America, these laws don't cover your local market. You still gain something, though. Manufacturers hate building separate hardware for each region, so routers designed to pass UK and EU rules often ship worldwide unchanged.
America's answer is a shield logo
The US went with a label instead of a ban. The FCC launched the Cyber Trust Mark on January 7, 2025. It's a voluntary shield logo that tells you a smart home product met baseline security standards.
Here's the catch for router shoppers. Routers were left out of phase one. NIST is currently defining the requirements for consumer-grade routers, planned for a second phase. So cameras and smart plugs will wear the shield before routers do.
California got there before everyone. Its SB-327 law has required unique preprogrammed passwords, or forced first-use password setup, since January 1, 2020. Nobody builds a California-only router, so in practice that law set the standard for the whole US market.
The support period matters more than the speed rating
The PSTI Act forces manufacturers to state how long a product will receive security updates. That window is called the support period, and it's the most underrated line on any router box.
Your router is a small computer that runs all day and faces the open internet directly. Once updates stop, every vulnerability discovered afterwards stays open for good. An unpatched router with a strong password is still a soft target.
So check the support period while the router is still in your cart. It's usually on the manufacturer's website, and sometimes on the box or the store listing. If one model promises years of updates and a cheaper one stays silent, I'd pay the difference. Wifi speed ratings age badly, but patches keep protecting you.
Routers made before these laws are still everywhere
None of these laws reached back in time. A router built in 2019 with admin/admin on the sticker is still sitting in millions of homes. ISP-supplied units are often the worst, since many providers handed out old stock for years.
If your router predates these rules, assume its login is public knowledge. Our default router password list shows exactly what an attacker would try first against your model. Finding your own credentials on that page should feel like a fire alarm.
The fix takes five minutes. Log in at 192.168.1.1, or whatever address your router's label shows, and set your own credentials. If you're unsure how, our guide on how to change the default router password covers every major brand.
One caveat about sticker passwords. Unique doesn't always mean strong. Some manufacturers derive the printed password from the serial number or wifi MAC address, and researchers have cracked several of those schemes. Treat the sticker as a floor, not a ceiling, and change it anyway.
What I'd check before buying a router in 2026
In the UK, look for the printed unique password plus a clear support period statement. In the US, watch for the Cyber Trust Mark shield reaching routers once the second phase lands. Anywhere in the world, a new router still shipping with admin/admin is a red flag. Walk away from it.
Once the new router is home, a few habits lock in what the law gave you. None of them takes long.
- Photograph the sticker before you plug anything in, since labels fade and peel.
- Log in with the printed credentials and install any waiting firmware update.
- Set your own admin password, even though the printed one looks random.
- Write the support period end date somewhere you'll actually see it, like a phone reminder.
The sticker era is a genuine win. Laws in the UK, EU, and California dragged manufacturers into doing what security people begged for across two decades. Your share of the work shrank, but it didn't vanish. Buy routers with long support periods, change the password anyway, and retire anything that's stopped getting updates.
Related Articles
A beginner's guide to subnet masks, CIDR notation, and network addressing.
Understanding the WiFi security protocols from WEP to WPA3 and which one you should use.
Network Address Translation explained — why every home router uses it and how it affects your internet connection.
Understand how your router automatically assigns IP addresses to every device on your network.
More from Other Topics
Router Guides
Popular Router Resources
- Default Router Passwords
- Router Brands
- Default IP Addresses
- What Is My IP?
- WiFi QR Code Generator
- Internet Speed Test
- Port Checker
- All Network Tools