Router Security WiFi Encryption
Website by Michael Horowitz

WiFi Over-The-Air Encryption: WEP, WPA and WPA2

At first, you might be thinking: what more is there to say about WiFi encryption? The basic rules have not changed in a long time and can be boiled down to USE WPA2. But there is more to it.

Introduction: WiFi supports three different schemes for over-the-air encryption: WEP, WPA and WPA2 (WPA version 2). All of the options encrypt data traveling between a WiFi device and the router or Access Point (AP) that is the source of the wireless network. Once data leaves the router, bound for the Internet at large, WEP, WPA and WPA2 are no longer involved.

As noted everywhere, WPA2 is the best option. However, WPA2 is not a simple On/Off checkbox; there are further options: TKIP, AES or CCMP. Do not choose TKIP. Doing so means you are, in effect, using the less-secure WPA encryption. AES and CCMP are two names for the same thing. Whichever your router uses, choose it.

And, some routers may not offer just WPA2. I have seen routers that only offered a combination of either WPA or WPA2. Stand-alone or exclusive WPA2 is more secure.

For more on the three types of encryption see Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? by Chris Hoffman (December 2014).

Wi-Fi Passwords

And, you are still not done. WPA2-AES (the same as WPA2-CCMP) can still offer poor security if the password is too short. Nothing can be done to prevent an attacker from capturing network traffic and using a brute force attack to decrypt it off-line, making billions of guesses a second.

Just how many billions of guesses per second? According to Paul Moore (Passwords: Using 3 Random Words Is A Really Bad Idea! October 2017) it varies based on the hashing algorithm. A computationally expensive algorithm, SHA512, slows things down to 8 billion a second. If a password is encrypted with SHA256, then we can expect 23 billion guesses/second, with SHA1 expect 70 billion/second. The fastest, and thus least secure, algorithm is MD5. Moore says MD5 is still very common and it can be brute-forced at the rate of 200 billion guesses/second.

The shortest password allowed with WPA2 is 8 characters long. A password of 14 or 15 characters should be long enough to defeat most brute force guessing. WPA2 passwords can be up to 63 characters long. Of course, it is better to include both upper and lower case letters along with numbers. WPA2 passwords can also contain a host of special characters.

But wait, there's more.

A long password can still be guessed with a dictionary attack. Despite the name, this type of attack can include many passwords that are not words in the dictionary. Things like "Denver2013" or "I like MickeyMouse". Many websites have been breached over the years and bad guys can find massive databases of passwords that people have actually chosen. Thus, defending against a thorough dictionary attack means not using a password that any other human has used before. A tall order indeed, but not impossible.
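An added example (not code from this page or its author) that puts numbers on the brute-force and dictionary points above: it estimates how long exhausting every password of a given length takes at the guess rates quoted earlier, and flags passwords built on a dictionary word. The function names, the four-word `SAMPLE_WORDLIST` and the 33-symbol count (printable ASCII, including the space) are assumptions made for illustration.

```python
import re

# Guess rates quoted on this page (from Paul Moore's article), guesses/second.
RATES = {"SHA512": 8e9, "SHA256": 23e9, "SHA1": 70e9, "MD5": 200e9}
SECONDS_PER_YEAR = 365 * 24 * 3600
# Constructed stand-in for a real dictionary or breached-password list.
SAMPLE_WORDLIST = {"dandelion", "denver", "baseball", "password"}
# Character classes and how many printable-ASCII characters each contains.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]


def alphabet_size(password):
    """Alphabet a brute-forcer must cover for the classes this password uses."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, password))


def years_to_exhaust(length, alphabet, rate):
    """Worst-case years to try every password of exactly this length."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def audit(password, wordlist=SAMPLE_WORDLIST):
    """Return the page's objections to a candidate WPA2 password."""
    findings = []
    if not 8 <= len(password) <= 63:
        findings.append("outside the WPA2 length limits (8-63)")
    elif len(password) < 14:
        findings.append("shorter than 14 characters")
    # Drop leading/trailing digits and symbols: "Denver2012" -> "denver".
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password).lower()
    if core in wordlist:
        findings.append("built on the dictionary word '%s'" % core)
    return findings


if __name__ == "__main__":
    for pw in ["baseball", "Denver2012", "22New22York22Yankees22"]:
        size = alphabet_size(pw)
        print(pw, "| alphabet", size, "|", audit(pw) or "no findings")
        for name, rate in RATES.items():
            years = years_to_exhaust(len(pw), size, rate)
            print("   %-6s %.3g years to exhaust" % (name, years))
```

The exhaust time is a worst case for pure brute force only; a password found in a wordlist falls long before the keyspace is exhausted, which is why the audit reports both.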

For advice on choosing a globally unique password, see my November 2014 blog: Wi-Fi security vs. government spies.

To get a feel for how bad guys crack Wi-Fi passwords, see How I cracked my neighbors WiFi password without breaking a sweat by Dan Goodin (August 2012). One eight-character password was hard to guess because it was a lower-case letter, followed by two numbers, followed by five more lower-case letters with no discernible pattern. That is, it didn't spell any word either forwards or backwards. Resisting the temptation to use a human-readable word made guessing much harder. I suspect having the numbers in the middle also made it harder, as most people don't do this. Still, even back in 2012, guessing every possible 8-character password was a do-able thing. Goodin suggests using four or five randomly selected words - "applesmithtrashcancarradar" for instance - to make a password that can be easily spoken yet prohibitively hard to crack. I would add a number and an upper case letter.

Some routers ship with default Wi-Fi passwords that look like they were randomly chosen. Do not trust this. Pick a new password. For more on this, see Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers (August 2015).

In April 2018 the Boston Red Sox were caught using "baseball" as the Wi-Fi password in the visitors clubhouse at Fenway Park. I wrote about this on the Routers in the news page and commented on the strength of assorted new suggested passwords.

Old Devices

If you have an old device that is capable of WPA encryption but not the more recent WPA2 variety, then create a new network on the router that uses WPA encryption and choose an extra long password for it. If possible, this should be a guest network that is isolated from the private network.

If you have an old device that is not capable of either WPA or WPA2 encryption (that is, all it can do is WEP), get rid of it. WEP should not be used.

New Devices

A March 2017 article in PC Magazine, The Best Wi-Fi Mesh Network Systems of 2017, starts with a feature overview of nine different mesh systems. The most secure devices only offer WPA2: Plume, Eero, Securifi Almond 3 and Google Wifi. Two devices, Luma and Ubiquiti Amplifi, offer both WPA and WPA2. In the "what were they thinking" category are devices that still offer WEP: Netgear Orbi, Linksys Velop and Amped Wireless Ally Plus.

Bad WiFi Passwords

  kyPeQ3!khx     (Too short and can't remember it)

  Dandelion     (Never use a word in the dictionary)

  Denver2012     (It is likely that someone else has used this before)

  DBF9fkhu28FF!ca4$cc5C1795ecc     (can't remember it)

Good WiFi Passwords - Long and Easy to Remember

  Yankee fan?     22New22York22Yankees22

  Like red tulips?     red123TULIPS123

  Like Shakespeare?     tobeornottobe-->THATisthe?

  From New York City?     new-yawk-RULES!!!!

  Like XKCD comics?     BatteryHorseStaple.etcetcetc

  Like to remember a date/place?     Denver///2012///

  Like your iPhone?     iOSiscoolerthanandroidhaha

  Like math?     6====ahalfdozen

  Like golf?     Icandriveagolfball300inches

  Like being a smartass?     >>>>>>>>thisismypassWORD

This page was last updated: April 14, 2018 12PM CT     
Created: July 13, 2015
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2018