BT have done a good job of making the BTHH more secure with 6.2.6.E by stopping telnet, stopping root access, encrypting the firmware config file, stopping access to the admin pages without a password, and requiring the serial number to reset the password. All apart from the last bit, because BT give you the tools to get the serial number over wireless as well as ethernet.
Scenario
Once you have got the WEP/WPA key, go to the router in your browser. If you see this then the password hasn't been changed yet, as most users won't bother with going into their router.
If you don't, then the user has changed the password, but that isn't a problem because the page is still on the router. Go to http://192.168.1.254/cgi/b/users/cfg/changedefpsswd/?ce=1&be=0&l0=-1&l1=-1&nm=1
BT made a bit of a fuss about it being a lot safer because you have to have the router in front of you to read the serial number, but you don't, because you can download the firmware tool off the BT website to get the number for you, from here: http://www.btopenworld.com/broadband/adhoc_pages/hub_firmware.html
Download, extract and run. Make sure you aren't connected to any other network, LAN or wireless. When it connects to the router and starts the process, a login window will appear. Look at the top of the login window and you will see some letters and numbers; put 'CP' in front of them and you have the serial number. The rest you can do yourself.
BT, try harder.
© 2008 Created by Petko D. (pdp) Petkov on Ning.