Log In Sign Up Free

Wi-Fi Security

Your Wi-Fi password isn't the only thing protecting your home network. The security protocol determines how resistant your connection is to eavesdropping and attacks. WPA3 is the current standard — here's what you need to know and what to change.

Wi-Fi security protocols compared

Protocol Year Encryption Status
WEP 1997 RC4 (40-bit or 104-bit) Broken — crackable in minutes
WPA (TKIP) 2003 TKIP (RC4-based) Deprecated — do not use
WPA2-Personal (CCMP) 2004 AES-128 (CCMP) Acceptable — still widely used
WPA2-Enterprise (802.1X) 2004 AES-128 + RADIUS auth Strong — used in corporate environments
WPA3-Personal (SAE) 2018 AES-128/256 + SAE handshake Recommended — current standard
WPA3-Enterprise 2018 AES-256 + enhanced RADIUS Strongest — corporate/sensitive use

WPA2 weaknesses

WPA2-Personal is still widely deployed and offers reasonable security for home networks, but it has known vulnerabilities:

  • KRACK (2017): Key Reinstallation Attack allows an attacker within Wi-Fi range to potentially decrypt traffic. Most devices received patches, but unpatched devices remain vulnerable
  • Offline dictionary attacks: The WPA2 4-way handshake can be captured passively and attacked offline. A weak password can be cracked with a GPU-based brute force attack in hours or days
  • PMKID attack: Allows an attacker to capture the PMKID from a router without waiting for a client to connect, enabling offline cracking attempts without active clients being present

The practical implication: WPA2 with a strong, random password (20+ characters, mixed case, numbers, symbols) is very difficult to crack in practice. A weak password or dictionary word is the real vulnerability, not the protocol itself. If your router supports WPA3, upgrading eliminates these attack vectors entirely.

What WPA3 improves

WPA3 replaces the Pre-Shared Key (PSK) handshake with SAE (Simultaneous Authentication of Equals), also known as Dragonfly. This provides:

  • Forward secrecy: Each session uses unique encryption keys. Capturing traffic today and cracking the password later doesn't allow decrypting that captured traffic
  • Protection against offline dictionary attacks: The SAE handshake doesn't expose a capturable hash that can be attacked offline
  • Protection with weak passwords: SAE is resistant to offline attacks even with shorter passwords — though strong passwords are still good practice
  • Opportunistic Wireless Encryption (OWE): WPA3 enables encrypted connections even on open networks (coffee shops, hotels), preventing passive eavesdropping on open Wi-Fi

How to check and upgrade your Wi-Fi security

Check your current security mode

Log into your router's admin interface (typically 192.168.1.1 or 192.168.0.1 — check the label on your router). Look for the Wi-Fi or Wireless settings section. You'll see the current security mode (WPA2, WPA3, or a combined WPA2/WPA3 transition mode). Not sure what your router does? Modem vs router — understanding your hardware →

Upgrading to WPA3

If your router supports WPA3 (most routers made after 2019 do), you can switch in the router admin panel. If older devices on your network don't support WPA3, use "WPA2/WPA3 Transition Mode" — this allows WPA3 devices to use WPA3 while legacy devices fall back to WPA2. It provides WPA3 security for capable devices without breaking older hardware.

Essential Wi-Fi security checklist

  • Use WPA3 or WPA2/WPA3 transition mode — never WEP or WPA/TKIP
  • Use a strong, unique password — at least 16 characters; a random passphrase works well (three random words + numbers + symbols)
  • Change the default router admin password — the default login credentials for your router model are publicly documented; anyone on your local network can access the admin interface with factory defaults
  • Disable WPS (Wi-Fi Protected Setup) — WPS PIN has known brute-force vulnerabilities; the push-button method is safer but WPS can generally be disabled if you don't use it
  • Keep router firmware updated — security patches are delivered via firmware updates. Outdated firmware is also a cause of Wi-Fi instability — see Wi-Fi keeps dropping
  • Disable remote management — unless you specifically need to manage the router from outside your home, remote management should be off
  • Consider a guest network — IoT devices (smart lights, cameras, speakers) can be isolated on a guest network with no access to your main devices. Using a filtering DNS resolver adds another protection layer →

Open Wi-Fi and public hotspots

On an open Wi-Fi network without a password, all traffic between your device and the router is unencrypted by default (unless WPA3-OWE is deployed, which most public networks don't yet use). Anyone on the same network using a packet capture tool can read unencrypted traffic. Modern HTTPS encryption protects the content of most web traffic, but DNS queries and unencrypted HTTP requests remain visible.

Using a VPN on public Wi-Fi encrypts all your traffic at the device level before it leaves your device, preventing local network eavesdropping. How VPNs work and their speed impact →

Related Guides
What Is Wi-Fi 6?
The latest Wi-Fi standard and its security improvements.
How VPNs Affect Speed
When to use a VPN on public Wi-Fi.
2.4 GHz vs 5 GHz
How band selection affects both speed and range.
IPv4 vs IPv6
IP addressing and privacy implications.
← All Guides FAQ → Methodology → Run a Speed Test →