Last update: Mar 31 2013 09:55
Every few months I re-evaluate the state of Wi-Fi security to ensure that I'm keeping up with best practices, and to see which protocols and settings are no longer secure.
Executive Summary: Only WPA2 in AES mode (not TKIP), with a shared key (password) size of 32 or more (63 is best practice) using mixed case alphabetic, numeric and special characters (e.g. $#_-! etc.) at random with no dictionary words nor repeating sequences is potentially secure, and then only if you change the SSID (broadcast name, e.g. "linksys") of the Wi-Fi router to be something unique & uncommon, while running the latest firmware that truly respects the WPS Disabled setting.
Note: I'm using the shorthand term "insecure" below to mean that the security can be broken within a few seconds to a few minutes, i.e. routine and software automated, and that the traffic can either be sniffed & data mined (for passwords, credit cards or other detail), or that the attacker can choose to access your network or machines on your network. Depending on how your router and computers & devices on your network are configured, this can also mean man-in-the-middle style attacks as well.
- While turning off the SSID prevents people without sniffing/cracking software from seeing your network, this does not actually increase security.
- While turning on a MAC address restriction can prevent accidental connection from people who connect to your network if your SSID is visible (or cached), it does not increase security as sniffing/cracking software spoofs valid MAC addresses.
- Disable WPS (Wi-Fi Protected Setup), it renders the router insecure, regardless of the strength of the rest of the configuration. Some routers ignore the WPS Disabled setting - make sure you are running the latest firmware, and verify in the firmware's release notes that it now respects the disabling of WPS to close the security flaw.
- WEP is insecure.
- WPA is insecure.
- WPA2 TKIP is insecure.
- WPA2 AES can be secure, depending on configuration:
- The security strength of WPA2 AES is a combination of the uniqueness of SSID plus the length of the shared key size. If the SSID is not unique, WPA2 AES falls prey to pregenerated hash tables for common SSIDs, allowing quick brute-force cracking. If SSID is not changed from any of the industry default names (or other common personalizations), WPA2 AES is insecure.
- If the WPA2 AES shared key size is less than 16 characters, WPA2 AES is insecure.
- If the WPA2 AES shared key uses dictionary words or combinations of words and numbers, it is insecure.
- The minimum size for a WPA2 AES shared key to be considered potentially secure is 32 or more characters in length. It must use mixed case alphabetic, numeric and special characters (e.g. $#_-! etc.) at random with no dictionary words nor repeating sequences.
- A WPA2 AES shared key size of 63 characters is currently considered best practice secure (assuming it has a unique uncommon SSID), and that the shared key uses mixed case alphabetic, numeric and special characters (e.g. $#_-! etc.) at random with no dictionary words nor repeating sequences.