mixture,

Sorry, I was referring to the ISP password, as in the password used for the authentication required prior to establishing the virtual link from the router to the ISP's access router (next hop from the Dlink). There was no information about the type of link to the ISP - DSLAM, cable, etc..- so there was one or two assumptions too many there, from my side.... too eager to help....

Your comment related to Telnet is correct, in that the telnet client/server command/password exchange is "in clear", like everything else, unless the Encryption option is used. Certain proprietary OS Telnet implementations have used options to exchange OS info, and based on a match between client and server, exchange a rough compression/encryption of the user name and password.

For accuracy purposes, I would call Telnet a Network Application Protocol, even if some Internet references may call it Network Protocol It is a layer 7 protocol, (or 4, depending on the reference model), using a network layer protocol as a transport. Network Protocols are usually equated with network later protocols, which are layer 3 (TCP/IP is the most common in case of Telnet).

Someone snooping on a wire in a home between the laptop and the router could be quite a stretch, particularly when happening in the same room and a short wire..

Configuring the router over a wireless link, may be risky, depending on what is being configured, as the router may disconnect during the configuring for a reboot, and after reboot, depending on what has been done, the link between laptop/PC and router may not get re-established, which would require a reset, and start from scratch.

I never run my wireless network in clear, so there is always a link layer (layer 2) encryption of some sort, which is the lowest packet later, and which takes care of everything put in the packet by the layers above, which includes user data (telnet exchanged characters for instance - they go forth and back, as the characters typed on the keyboard go first from the client to the server, from where they're echoed back before being displayed on the client's screen).