WPA2, WEP, And Friends: What’s The Best Way To Encrypt Your Wi-Fi?

When setting up wireless encryption on your router, you’ll come across a variety of confusing terms — WPA2, WPA, WEP, WPA-Personal, and WPA-Enterprise. Understanding what these terms mean and how they’re different will help you protect your Wi-Fi network from eavesdroppers, Wi-Fi leeches, and criminals.

We’ll also look at which Wi-Fi encryption standard is the truly secure way to encrypt your Wi-Fi. This is a tough question without a one-size-fits-all answer.

WEP

WEP is the oldest, least secure way to encrypt your Wi-Fi — short of leaving it unencrypted! Its name stands for “Wired Equivalent Privacy,” which is humorous now that so many flaws have been discovered in it. It’s very easy to crack a WEP password and gain access to a WEP-secured network. WEP will only stop the most casual of Wi-Fi users from connecting to your network. Anyone who really wants access to your network can easily gain access if you’re using WEP.

There’s no reason to use WEP. If you have an ancient router that only supports WEP, you should upgrade it right now. If you have an older device that only supports WEP, you should upgrade it, too. Every recent device should support stronger WPA encryption.

WPA vs. WPA2

WPA is the newer Wi-Fi security standard. WPA stands for “Wi-Fi Protected Access.” There are two versions of WPA — WPA and WPA2. WPA was implemented first as a temporary solution for devices that originally only supported WEP. These devices could be upgraded to WPA encryption for additional security, allowing them to escape WEP and its many flaws. The original WPA was always a stop-gap solution and just isn’t as secure as WPA2.

WPA2 is the final version of Wi-Fi Protected Access. It’s the most secure option available and the one you should be using. If you have a router or another device that only supports WEP and WPA, it’s probably very old and you should upgrade. New devices that are properly set up for security should be using WPA2 out of the box. Note that there are two versions of WPA2 you can choose from, which we’ll cover below.

The Wi-Fi Protected Setup — or WPS — method of connecting to WPA-secured wireless networks is fairly insecure, however. You shouldn’t be using WPS along with WPA2.

[Image: disable insecure WPS]

WPA2-Personal or WPA2-PSK

The PSK in WPA2-PSK stands for Pre-Shared Key. This is also known as Personal mode. It’s intended for homes and small office networks, as it’s a much easier option to set up than the alternative, which we’ll look at below.

Your wireless router encrypts network traffic with a key. With WPA-Personal, this key is calculated from the Wi-Fi passphrase you set up on your router. Before a device can connect to the network and understand the encryption, you must enter your passphrase on it.

The primary real-world weakness of WPA2-Personal encryption is a weak passphrase. Just as many people use weak passwords like “password” and “letmein” for their online accounts, many people will likely use weak passphrases to secure their wireless networks. A strong passphrase must be used to properly secure the network, or WPA2 won’t protect you much.

WPA2 is still fairly secure, but it’s not perfect. Some potential vulnerabilities have been found, but they’re nowhere near as easy to exploit as they are with WEP. Your main concern should be enabling WPA2-Personal on your home network and setting a strong passphrase.
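The derivation described above is concrete enough to show in code. The following is an added example, not part of the original article: it computes a WPA2-Personal Pre-Shared Key the way IEEE 802.11 specifies (PBKDF2 with HMAC-SHA1, the SSID as the salt, 4096 iterations, a 256-bit result), enforces the 8-to-63 printable-ASCII passphrase rule, and reports whether a passphrase is acceptable. The SSID strings, the small common-passphrase list and the 20-character recommendation threshold are constructed assumptions for illustration, not values from the article.

```python
import hashlib

# Added example: how a WPA2-Personal (WPA2-PSK) network turns the passphrase you
# type into the 256-bit Pre-Shared Key. The algorithm is the one IEEE 802.11
# specifies: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes.
# SSID values, the denylist and the length recommendation below are constructed.

PSK_ITERATIONS = 4096
PSK_LENGTH = 32  # 256-bit key


def validate_passphrase(passphrase: str) -> bool:
    """A WPA2 passphrase must be 8 to 63 printable ASCII characters (0x20..0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(ch) <= 126 for ch in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Compute the PSK (used as the PMK in WPA2-Personal) for one network.

    The SSID is the salt, so the same passphrase yields a different key on
    every network name.
    """
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PSK_ITERATIONS, dklen=PSK_LENGTH)


# Constructed denylist standing in for the far larger common-password lists
# that guessing tools try first; a real check would use a much larger list.
COMMON_PASSPHRASES = {"password", "password1", "12345678", "qwertyuiop"}

RECOMMENDED_MIN_LENGTH = 20  # assumption chosen for this example, not a standard


def passphrase_report(passphrase: str) -> dict:
    """Summarise why a passphrase is or is not acceptable for WPA2-Personal."""
    valid = validate_passphrase(passphrase)
    common = passphrase.lower() in COMMON_PASSPHRASES
    return {
        "valid_format": valid,
        "in_common_list": common,
        "length": len(passphrase),
        "recommended": valid and not common and len(passphrase) >= RECOMMENDED_MIN_LENGTH,
    }


if __name__ == "__main__":
    # Same passphrase on two SSIDs: the SSID is the salt, so the keys differ.
    for ssid in ("IEEE", "HomeNetwork-constructed"):
        print(ssid, derive_psk("password", ssid).hex())
    print(passphrase_report("password"))
    print(passphrase_report("letmein"))  # 7 characters: not even a legal WPA2 passphrase
    print(passphrase_report("correct-horse-battery-staple-2"))
```

Two practical points fall out of this. First, because the SSID is the salt, a precomputed table of keys only works against one network name, which is one reason not to keep a router's default SSID. Second, the 8-character minimum means a router will refuse “letmein” outright, but it will happily accept “password”, so the format rule alone says nothing about strength; length and unpredictability do.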

[Image: enable WPA2 on router]

WPA2-Enterprise or WPA2-802.1X

WPA2-Enterprise is also referred to as WPA2-802.1X mode because of the standard it implements. The Enterprise in the name is no joke — this is a solution that’s intended for enterprise networks as it requires more hardware and is more difficult to set up and maintain.

To use WPA2-Enterprise, you’ll need a RADIUS authentication server. RADIUS stands for Remote Authentication Dial In User Service. To authenticate with such a server, a variety of EAP (Extensible Authentication Protocol) methods can be used. After connecting to the Wi-Fi network, each client would have to log in with a username and password. Traffic to each client would be encrypted with a unique encryption key which isn’t derived from a pre-shared key. This is more secure than deriving every device’s key from the same pre-shared key. It also allows network administrators to monitor who’s connecting to the network and revoke access for specific users at any time without affecting other users.
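To make the RADIUS side of this concrete, here is an added example (not code from the article or from any RADIUS product) that builds and checks one RFC 2865 Access-Request / Access-Accept exchange between a wireless access point, which RADIUS calls the NAS, and a RADIUS server, with both sides’ messages in code. It uses the plain User-Password attribute so the exchange fits on one page; a real WPA2-Enterprise deployment carries an EAP conversation inside RADIUS instead, but the packet framing and the Response Authenticator check that lets the access point trust the server’s answer are the same. The shared secret, user table and identifier value are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Added example: a minimal RADIUS (RFC 2865) Access-Request / Access-Accept
# round trip between an access point (the NAS) and a RADIUS server. The shared
# secret and user table are constructed for illustration. Real WPA2-Enterprise
# carries EAP inside RADIUS rather than a plain User-Password attribute.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SHARED_SECRET = b"constructed-nas-secret"  # configured on both AP and server
USER_DB = {"alice": "alice-constructed-pw", "bob": "bob-constructed-pw"}  # constructed


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return bytes([atype, 2 + len(value)]) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR with an MD5 keystream."""
    p = password.encode()
    if len(p) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()  # b1 = MD5(S+RA), bn = MD5(S+c(n-1))
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> str:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00").decode()


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """NAS side: the Request Authenticator is 16 fresh random bytes per request."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, consult the user table, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode()
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(username)  # a revoked user is simply absent here
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def nas_verify_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: trust the reply only if its Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return None  # forged or mismatched reply: treat as no answer at all
    return code


def authenticate(username: str, password: str, secret: bytes = SHARED_SECRET,
                 user_db: dict = USER_DB):
    """Run one full round trip; returns the verified response code, or None."""
    request = build_access_request(42, username, password, secret)
    response = radius_server_handle(request, secret, user_db)
    return nas_verify_response(response, request, secret)


if __name__ == "__main__":
    print("alice, correct password:", authenticate("alice", "alice-constructed-pw"))
    print("alice, wrong password:  ", authenticate("alice", "wrong"))
    print("bob after revocation:   ", authenticate("bob", "bob-constructed-pw",
                                                   user_db={"alice": "alice-constructed-pw"}))
```

The last call shows the administrative point in the text: removing one entry from the server’s user table revokes that user on every access point at once, while nobody else’s credentials or keys change. The verification step in `nas_verify_response` is why the shared secret between access point and server matters; without it a forged Access-Accept would let anyone onto the network.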

Large businesses should implement WPA2-Enterprise for additional security, but there’s no reason home users and small businesses should set up WPA2-Enterprise. It’s much more complicated to set up and manage a RADIUS authentication server than it is to simply set a wireless passphrase on your router.

[Image: WPA2-Enterprise RADIUS settings]

So Which Is Truly Secure?

The most secure way to set up a Wi-Fi network is with WPA2-Enterprise, so if you run a Wi-Fi network for a large business, you should be setting up a RADIUS authentication server.

Of course, you probably only have a small Wi-Fi network to manage. For regular people and small businesses, WPA2-Personal is the ideal encryption option to use. WPA2-Personal along with a strong passphrase will provide you with very good security.

WEP is very easy to crack and should not be used for any purpose.

But is WPA2 really good enough? Well, security isn’t about absolutes. Saying WPA2-Enterprise is more secure than WPA2-Personal is like saying a bank vault door is more secure than the door on your house or apartment. It’s true, but that doesn’t mean you should replace your front door with a bank vault door — it’s more expensive and difficult to manage, just like a RADIUS authentication server. For another thing, the bank needs protection from bank robbers, just as Wi-Fi networks at large corporations need more protection from corporate espionage and from criminals going after high-value targets.

In the real world, WPA2-Personal with a strong passphrase is plenty secure.

Image Credit: Keith Williamson on Flickr