NCSAM/2011–Post 7–Don’t use WEP or WPA

When setting up your wireless router at home or at work, there’s a dizzying array of options to choose from, and most of them are, quite frankly, set at perfectly adequate defaults when the router leaves the shop, even if you’ve got quite an old router. If not, they affect basic functioning, so you’ll be able to tell if you need to set them to anything else.

The exceptions to this are the authentication and encryption protocol choices. Each Wi-Fi router is a little different, so I’m only going to talk in the most basic terms, and illustrate from my own router’s settings.

These are the choices offered in my router’s Security Mode:

[Image: the choices offered in the router’s Security Mode setting]

As you can see, I’ve selected “WPA2 Personal”, because this is my home router. This is a synonym for “WPA2 PSK Mode”, where PSK stands for “Pre-Shared Key”. So, every device in my house uses the exact same password. Perhaps this is less than ideal, but it’s relatively secure, certainly compared to the other home-targeted options: WPA2/WPA Mixed Mode, WPA Personal, WEP, or (shudder) Disabled.

So, why not those others?

I’d hope that, by now, “Disabled” seems like a really bad choice, when applied to Security. Please tell me you didn’t even consider that.

WEP – that one sounds like a really good idea, since “WEP” stands for “Wired Equivalent Privacy” (not “Wireless Encryption Protocol”). It sounds like it ought to protect you as much as if you were connecting through a piece of wire. As with many names, however, it describes an aspiration, rather than any guarantee. In fact, WEP has been significantly broken for some years now.

How “broken”?

An attacker can gain full access to service and traffic on a WEP-protected router in a minute or two.

WPA is a significant advance on WEP, but has itself been broken in a few ways that make it a far better idea to stick with WPA2.

Since this is Security Awareness Month, and I’m dealing more with small companies and home users than my usual enterprisey crowd, I’m going to leave it there, and not dig into RADIUS or the WPA2 Enterprise modes. Maybe a later article.

Published Tue, Oct 11 2011 20:45 by Alun Jones
