Router Security WiFi Encryption Website by     
Michael Horowitz 


WiFi Over-The-Air Encryption: WEP, WPA and WPA2

At first, you might think there is nothing more to say about WiFi encryption. The basic rules have not changed in a long time and can be boiled down to USE WPA2. But there is more to it.

Introduction: WiFi supports three different schemes for over-the-air encryption: WEP, WPA and WPA2 (WPA version 2). All of the options encrypt data traveling between a WiFi device and the router or Access Point (AP) that is the source of the wireless network. Once data leaves the router, bound for the Internet at large, WEP, WPA and WPA2 are no longer involved.

As noted everywhere, WPA2 is the best option. However, WPA2 is not a simple On/Off checkbox; there are further options: TKIP, AES or CCMP. Do not choose TKIP. Doing so means you are, in effect, using the less-secure WPA encryption. AES and CCMP are two names for the same thing. Whichever name your router uses, choose it.

And some routers may not offer WPA2 by itself. I have seen routers that only offered a mixed mode accepting either WPA or WPA2. Stand-alone, WPA2-only mode is more secure.

For more on the three types of encryption see Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? by Chris Hoffman (December 2014).

Wi-Fi Passwords

And you are still not done. WPA2-AES (the same as WPA2-CCMP) can still offer miserable security if the password is too short. Nothing can be done to prevent an attacker from capturing network traffic and running a brute force attack against it off-line, making billions of guesses a second.

The shortest password allowed with WPA2 is 8 characters. A password of 14 or 15 characters should be long enough to defeat most brute force guessing. WPA2 passwords can be up to 63 characters long and can contain a host of special characters.
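To put numbers on the length advice above, here is an added example (not from the original page) that sizes the brute-force search space for a given password length and alphabet and converts it to years at the page's assumed rate of a billion guesses per second. The alphabet sizes and the 1e9 guesses/second figure are assumptions chosen to match the text.

```python
# Alphabet sizes for the search-space estimates below.
LOWERCASE = 26
LOWERCASE_DIGITS = 36           # lower-case letters plus digits, as in Goodin's hard 8-char example
PRINTABLE_ASCII = 95            # every character a WPA2 passphrase may contain (ASCII 32..126)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this length at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def brute_force_table(rate=1e9, lengths=(8, 10, 14, 15)):
    """Years needed per length, for lowercase-only and full printable-ASCII passwords.

    The default rate of one billion guesses per second is the page's own
    'billions of guesses a second' assumption, not a measured cracking speed.
    """
    rows = {}
    for n in lengths:
        rows[n] = (years_to_exhaust(n, LOWERCASE, rate),
                   years_to_exhaust(n, PRINTABLE_ASCII, rate))
    return rows


if __name__ == "__main__":
    print("length  lowercase-only (years)  printable ASCII (years)")
    for n, (lo, full) in brute_force_table().items():
        print(f"{n:>6}  {lo:>22.3g}  {full:>23.3g}")
```

Eight lower-case characters fall in minutes and even eight printable-ASCII characters in months at that rate, while fourteen lower-case letters already run to about two thousand years.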

But wait, there's more.

A long password can still be guessed with a dictionary attack. Despite the name, this type of attack can include many passwords that are not words in the dictionary, things like "Denver2013" or "I like MickeyMouse". Many websites have been breached over the years and bad guys can find massive databases of passwords that people have actually chosen. Thus, defending against a thorough dictionary attack means not using a password that any other human has used before. A tall order indeed, but not impossible.

For advice on choosing a globally unique password, see my November 2014 blog: Wi-Fi security vs. government spies.

To get a feel for how bad guys crack Wi-Fi passwords, see How I cracked my neighbor's WiFi password without breaking a sweat by Dan Goodin (August 2012). One eight-character password was hard to guess because it was a lower-case letter, followed by two numbers, followed by five more lower-case letters with no discernible pattern. That is, it didn't spell any word either forwards or backwards. Resisting the temptation to use a human-readable word made guessing much harder. I suspect having the numbers in the middle also made it harder, as most people don't do this. Still, even back in 2012, guessing every possible 8-character password was a doable thing. Goodin suggests using four or five randomly selected words - "applesmithtrashcancarradar" for instance - to make a password that can be easily spoken yet prohibitively hard to crack. I would add a number and an upper case letter.

Some routers ship with default Wi-Fi passwords that look like they were randomly chosen. Do not trust this. Pick a new password. For more on this, see Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers (August 2015).
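The password advice in this section, as an added example that is not from the original page: a checker that flags the weaknesses the text warns about (illegal WPA2 length or characters, under 14 characters, a dictionary word, a password seen in a breach) and a generator that follows Goodin's random-words scheme plus the author's added digit and upper-case letter. The word list and breach list are tiny constructed stand-ins; a real deployment needs lists with thousands of entries.

```python
import math
import secrets

# Constructed word list for the demo. A real list needs thousands of words
# (a 7776-word diceware list gives about 12.9 bits of entropy per word).
WORDS = ["apple", "smith", "trash", "can", "car", "radar", "battery",
         "horse", "staple", "tulip", "yankee", "dandelion", "golf", "denver"]
# Constructed stand-in for a database of passwords leaked in website breaches.
BREACHED = {"denver2012", "denver2013", "password", "123456789"}


def is_valid_wpa2_passphrase(p):
    """WPA2-PSK passphrase rule: 8 to 63 characters, each printable ASCII (32..126)."""
    return 8 <= len(p) <= 63 and all(32 <= ord(c) <= 126 for c in p)


def weaknesses(p, min_len=14):
    """Reasons a passphrase fails the page's advice; an empty list means none found."""
    found = []
    if not is_valid_wpa2_passphrase(p):
        found.append("not a legal WPA2 passphrase (8-63 printable ASCII characters)")
    if len(p) < min_len:
        found.append("shorter than %d characters" % min_len)
    if p.lower() in WORDS:
        found.append("single dictionary word")
    if p.lower() in BREACHED:
        found.append("appears in a breach list")
    return found


def make_passphrase(n_words=5, words=WORDS):
    """Goodin's scheme plus the author's additions: random words, one of them
    capitalised at a random position, followed by a random digit."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    i = secrets.randbelow(n_words)
    chosen[i] = chosen[i].capitalize()
    return "".join(chosen) + str(secrets.randbelow(10))


def entropy_bits(n_words, list_size):
    """Guessing entropy of make_passphrase output when the attacker knows the scheme:
    the words, the position of the capital, and the trailing digit."""
    return n_words * math.log2(list_size) + math.log2(n_words) + math.log2(10)


if __name__ == "__main__":
    for candidate in ["kyPeQ3!khx", "Dandelion", "Denver2012", "22New22York22Yankees22"]:
        print(candidate, "->", weaknesses(candidate) or "no weakness found")
    print(make_passphrase(), "(%.1f bits with a 7776-word list)" % entropy_bits(5, 7776))
```

The checker cannot judge memorability, so the long random string from the "bad" list passes it; that is a limitation of any automated check, not of the advice.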

Old Devices

If you have an old device that is capable of WPA encryption but not the more recent WPA2 variety, then create a new network on the router that uses WPA encryption and choose an extra long password for it. If possible, this should be a guest network that is isolated from the private network.

If you have an old device that is not capable of either WPA or WPA2 encryption (that is, all it can do is WEP), get rid of it. WEP should not be used.

New Devices

A March 2017 article in PC Magazine, The Best Wi-Fi Mesh Network Systems of 2017 starts with a feature overview of nine different mesh systems. The most secure devices only offer WPA2: Plume, Eero, Securifi Almond 3 and Google Wifi. Two devices, Luma and Ubiquiti Amplifi offer both WPA and WPA2. In the "what were they thinking" category are devices that still offer WEP: Netgear Orbi, Linksys Velop and Amped Wireless Ally Plus.

Bad WiFi Passwords

  kyPeQ3!khx     (Too short and can't remember it)

  Dandelion     (Never use a word in the dictionary)

  Denver2012     (It is likely that someone else has used this before)

  DBF9fkhu28FF!ca4$cc5C1795ecc     (can't remember it)

Good WiFi Passwords - Long and Easy to Remember

  Yankee fan?     22New22York22Yankees22

  Like red tulips?     red123TULIPS123

  Like Shakespeare?     tobeornottobe-->THATisthe?

  From New York City?     new-yawk-RULES!!!!

  Like XKCD comics?     BatteryHorseStaple.etcetcetc

  Like to remember a date/place?     Denver///2012///

  Like your iPhone?     iOSiscoolerthanandroidhaha

  Like math?     6====ahalfdozen

  Like golf?     Icandriveagolfball300inches

  Like being a smartass?     >>>>>>>>thisismypassWORD

This page was last updated: March 29, 2017 4PM CT     
Created: July 13, 2015
Copyright 2015 - 2017