Wireless security is extremely important. The vast majority of us connect a mobile device to a router at some point during each day, be that a smartphone, tablet, laptop, or otherwise. Furthermore, Internet of Things devices connect to the internet using Wi-Fi. They're always on, always listening, and always in dire need of additional security. That's where Wi-Fi encryption steps in. There are several different ways to protect your Wi-Fi connection. But how do you know which Wi-Fi security standard is best? Here's how.

Wi-Fi Security Types

The most common Wi-Fi security types are WEP, WPA, WPA2, and the most recent standard, WPA3.

WEP vs. WPA: What is WPA?

Wired Equivalent Privacy (WEP) is the oldest and least secure Wi-Fi encryption method. It is laughable how terrible WEP is at protecting your Wi-Fi connection, and all good security advice suggests that you should not use WEP Wi-Fi encryption.

Furthermore, if you're using an older router that only supports WEP, you should upgrade that, too, for both security and better connectivity.

Why is it bad? Crackers figured out how to break WEP encryption, and it is easily done using freely available tools. In 2005, the FBI gave a public demonstration using free tools to raise awareness. Unfortunately, almost anyone can do it. As such, the Wi-Fi Alliance officially retired the WEP Wi-Fi encryption standard in 2004.

By now, you should be using a version of WPA—ideally, the most recent version! Handily, there are ways you can figure out which type of Wi-Fi encryption your current connection is using.

WPA and WPA2

Wi-Fi Protected Access (WPA) is the evolution of the insecure WEP standard. WPA launched in 2003 but was only a stepping stone to WPA2, which launched in 2004.

When it became apparent WEP was woefully insecure, the Wi-Fi Alliance developed WPA to give network connections an additional layer of security before the development and introduction of WPA2. The security standards of WPA2 were always the desired goal. You can read more about the security and encryption offered by WPA2 in the next section.

WPA3

The vast majority of routers and Wi-Fi connections use WPA2. At least, that should be the minimum level of encryption because even with WPA2's vulnerabilities, it is still secure.

However, the latest upgrade to Wi-Fi Protected Access, WPA3, officially launched in 2018. Unfortunately, despite the updated standard launching to take the place of WPA2, the majority of Wi-Fi routers still use the older standard. That's because most routers are not backward compatible with the new standard, and most people do not change their routers frequently enough to upgrade.

However, WPA3 includes some important upgrades for modern wireless security, including:

  • Brute Force Protection: WPA3 will protect users, even with weaker passwords, from brute-force dictionary attacks (attacks that attempt to guess passwords over and over again).
  • Public Network Privacy: WPA3 adds "individualized data encryption," theoretically encrypting your connection to a wireless access point regardless of the password.
  • Securing the Internet of Things: WPA3 adds security support for Internet of Things (IoT) device developers who remain under pressure to improve IoT security.
  • Stronger Encryption: WPA3 adds much stronger 192-bit encryption to the standard, drastically improving the level of security.

There are now many WPA3 routers on the consumer router market, though it did take a period from WPA3's launch in 2018 for them to begin to appear. As with all new standards, uptake is typically slow to begin with, and the jump from WEP to WPA to WPA2 also took some time.

As of July 2020, all devices seeking Wi-Fi certification must support WPA3. So, if you bought a Wi-Fi router from 2020 onwards, it will support WPA3, and you can begin using the stronger Wi-Fi encryption standard. You should note that although your new router uses WPA3, your devices may not. WPA3 routers support WPA2/WPA3 Transitional mode, a special mixed mode that uses WPA3-Personal (more on this below) and WPA2-Personal, allowing older devices without WPA3 support to connect to the router.

Setting your Wi-Fi router to use only WPA3 is likely to cause connection issues for older devices that do not support the newer Wi-Fi encryption standard.

WPA vs. WPA2 vs. WPA3: What's the Difference?

There are three Wi-Fi Protected Access iterations. But what makes them different from one another? Why is WPA3 better than WPA2?

WPA Is Inherently Vulnerable

WPA was doomed from the outset. Despite featuring stronger public key encryption than WEP, using 256-bit WPA-PSK (Pre-Shared Key), WPA still contained a string of vulnerabilities it inherited from the older WEP standard (both standards share the vulnerable stream encryption standard, RC4).

The vulnerabilities centered on the introduction of the Temporal Key Integrity Protocol (TKIP).

TKIP itself was a big step forward in that it used a per-packet key system to protect each data packet sent between devices. Unfortunately, the TKIP WPA rollout had to take into account old WEP devices.

The new TKIP WPA system recycled some aspects of the compromised WEP system, and, of course, those same vulnerabilities eventually appeared in the newer standard.

WPA2 Supersedes WPA

WPA2 officially superseded WPA in 2006. WPA, then, had a short run as the pinnacle of Wi-Fi encryption.

WPA2 brought with it another raft of security and encryption upgrades, most notably the introduction of the Advanced Encryption Standard (AES) to consumer Wi-Fi networks. AES is substantially stronger than RC4 (as RC4 has been cracked multiple times) and is the security standard for many online services.

WPA2 also introduced the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP, for a much shorter version!) to replace the now vulnerable TKIP.

TKIP remains part of the WPA2 standard as a fallback and offers functionality for WPA-only devices.

WPA2 KRACK Attack

The somewhat amusingly named KRACK attack is no laughing matter; it was the first serious vulnerability found in WPA2. The Key Reinstallation Attack (KRACK) is a direct attack on the WPA2 protocol and, unfortunately, effectively compromises every Wi-Fi connection using WPA2.

Essentially, KRACK undermines a key aspect of the WPA2 four-way handshake, allowing a hacker to intercept and manipulate the creation of new encryption keys within the secure connection process.

Even with the potential for a KRACK attack, the likelihood of someone using it to attack your home network is slim.

WPA3: The (Wi-Fi) Alliance Strikes Back

Launched in 2018, WPA3 picks up the slack and offers much greater security while actively taking into account the oft-lacking security practices everyone is guilty of at times. For instance, WPA3-Personal provides encryption to users even if hackers crack your password after you connect to a network.

Furthermore, WPA3 requires all connections to use Protected Management Frames (PMF). PMFs essentially augment privacy protections, with additional security mechanisms in place to secure data.

The 128-bit AES remains in place for WPA3 (a testament to its enduring security). However, for WPA3-Enterprise connections, 192-bit AES is required. WPA3-Personal users will have the option of using the extra-strength 192-bit AES, too. On that, there are three versions of WPA3:

  • WPA3-Personal
  • WPA3-Enterprise
  • Wi-Fi Enhanced Open

The first two are fairly self-explanatory. The third, Wi-Fi Enhanced Open, is designed to provide Wi-Fi encryption to users on "open" networks. Previously, connecting to an open network was (and is!) a security issue. WPA3's Wi-Fi Enhanced Open delivers unauthenticated data encryption, which means you'll receive some protection against security threats, mitigating some of the risks of using public Wi-Fi. However, don't go connecting to any old Wi-Fi network assuming it uses WPA3. As previously mentioned, many Wi-Fi routers still use WPA2.

What Is a WPA2 Pre-Shared Key?

The PSK in WPA2-PSK stands for Pre-Shared Key. WPA2-PSK is also known as Personal mode, and it is intended for home and small office networks.

Your wireless router encrypts network traffic with a key. With WPA-Personal, this key is calculated from the Wi-Fi passphrase you set up on your router. Before a device can connect to the network and understand the encryption, you must enter your passphrase on it.

The primary real-world weakness with WPA2-Personal encryption is weak passphrases. Just as many people use weak passwords like "password" and "letmein" for their online accounts, many people will likely use weak passphrases to secure their wireless networks. You must use a strong passphrase or unique password to secure your network, or WPA2 won't protect you much.
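How the key is calculated from the passphrase, as an added example that is not part of the original article: WPA2-Personal derives its 256-bit key with PBKDF2-HMAC-SHA1, using the network name (SSID) as the salt. The network names, the small common-password list, and the `min_length` policy threshold are assumptions made for illustration.

```python
import hashlib

# Constructed sample of well-known weak passphrases (not a real wordlist).
COMMON = {"password", "letmein1", "12345678", "qwertyuiop"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal key from passphrase and network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def review_passphrase(passphrase: str, min_length: int = 14) -> list:
    """Return findings for a proposed passphrase; an empty list means none.

    min_length is a policy threshold assumed for this example.
    """
    findings = []
    if passphrase.lower() in COMMON:
        findings.append("appears in common-password list")
    if len(passphrase) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase)]
    if sum(classes) == 1:
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    # Same passphrase, two constructed network names: two different keys.
    for ssid in ("HomeNet", "CafeGuest"):
        print(ssid, wpa2_pmk("password", ssid).hex())
    print(review_passphrase("password"))
    print(review_passphrase("correct horse battery staple 42"))
```

Because the key depends only on the passphrase and the SSID, every device that knows both holds the same key, so the passphrase is the only secret protecting the network. Note that "letmein" is rejected outright: at seven characters it is below the WPA2 minimum of eight.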

What Is WPA3 SAE?

When you use WPA3, you will use a new key exchange protocol called Simultaneous Authentication of Equals (SAE). SAE, also known as the Dragonfly Key Exchange Protocol, is a more secure method of key exchange that addresses the KRACK vulnerability. Eliminating the reuse of encryption keys is an important part of this process, ensuring that anyone snooping on the connection cannot reuse existing keys.

Specifically, it is resistant to offline decryption attacks through "forward secrecy." Forward secrecy stops an attacker from decrypting a previously recorded internet connection, even if they know the WPA3 password.

As well as this, WPA3 SAE uses a peer-to-peer connection to establish the exchange and cut out the possibility of a malicious middleman intercepting the keys.

Below is an explanation as to what "key exchange" means in the context of encryption, using the pioneering Diffie-Hellman exchange as its example.
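A plain ephemeral Diffie-Hellman exchange with both sides shown, as an added example that is not part of the original article and is not an implementation of SAE/Dragonfly (which additionally ties the exchange to the Wi-Fi password). It illustrates the forward secrecy property described above: each session key comes from fresh random values that are never transmitted, so the password is not an input to it. The modulus and generator are toy values constructed for this example.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: the Mersenne prime 2**127 - 1.
# Far too small for real use; real protocols use standardized 2048-bit+
# groups or elliptic curves.
P = 2**127 - 1
G = 3


class Peer:
    """One side of an ephemeral Diffie-Hellman exchange."""

    def __init__(self):
        # Fresh private exponent per session; never sent, discarded afterwards.
        self._x = secrets.randbelow(P - 3) + 2        # range 2 .. P-2
        self.public = pow(G, self._x, P)              # value sent over the air

    def session_key(self, peer_public: int) -> bytes:
        # Reject degenerate values (0, 1, P-1) that would make the shared
        # secret predictable regardless of our private exponent.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._x, P)
        # Hash the shared secret down to a fixed-length symmetric key.
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_session():
    """Run one exchange; return both derived keys and what was transmitted."""
    a, b = Peer(), Peer()
    transcript = (a.public, b.public)   # everything an eavesdropper records
    return a.session_key(b.public), b.session_key(a.public), transcript


if __name__ == "__main__":
    for n in (1, 2):
        key_a, key_b, sent = run_session()
        print(f"session {n}: keys match={key_a == key_b} key={key_a.hex()[:16]}")
```

Running it twice prints two different keys: a recording of one session gives no help with another, because the private exponents behind each key no longer exist once the session ends.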

What Is Wi-Fi Easy Connect?

Wi-Fi Easy Connect is a new connection standard designed to "simplify the provisioning and configuration of Wi-Fi devices."

Within that, Wi-Fi Easy Connect offers strong public key encryption for each device added to a network, even those "with little or no user interface, such as smart home and IoT products."

For instance, in your home network, you would designate one device as the central configuration point. The central configuration point should be a rich media device, like a smartphone or tablet.

The rich media device is then used to scan a QR code which runs the Wi-Fi Easy Connect protocol as designed by the Wi-Fi Alliance.

Scanning the QR code (or entering a code specific to the IoT device) gives the connecting device the same security and encryption as other devices on the network, even if direct configuration isn't possible.

Wi-Fi Easy Connect, in conjunction with WPA3, will drastically increase the security of IoT and smart home device networks.

Is WPA3 Secure? Has WPA3 Been Cracked?

WPA3 is more secure than WPA2 and absolutely more secure than WPA and WEP. However, WPA3 isn't without issues, and it does have vulnerabilities.

In 2019, researchers Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) uncovered a series of WPA3 vulnerabilities that allow an attacker to downgrade WPA3 and force a device to connect to a rogue WPA2 network instead. If successful, an attacker exploiting the Dragonblood vulnerability could theoretically steal sensitive information, especially if the device is not using HTTPS. Thankfully, most websites and services now use HTTPS by default, but it's still a WPA3 vulnerability.

WPA, WPA2, WPA3: What Should You Use?

WPA2 remains a relatively secure Wi-Fi encryption method, even taking the KRACK vulnerability into account. While KRACK undoubtedly is an issue, especially for Enterprise networks, home users are unlikely to encounter an attack of this variety (unless you are a high-worth individual, of course).

Where possible, it's worth upgrading to WPA3. While WPA3 has vulnerabilities, like many Wi-Fi encryption issues, the vast majority of home users are extremely unlikely to encounter such issues, and WPA3 comes with a host of other security upgrades that make it well worthwhile.

One thing that is for sure, though, is that WEP is very easy to crack, and you should not use it for any purpose. Moreover, if you have devices that can only use WEP security, you should consider replacing them to boost the security of your network.