Modernizing Authentication — What It Takes to Transform Secure Access
Congratulations for being here, for caring about the security of your wireless network and the router that creates it. The good news is that there isn't all that much you need to learn or do. The bad news is that the first step is likely to be the hardest.
Making any Wi-Fi changes requires access to a password-protected router. Thus the first step is learning the user ID/password needed to log onto the router. For many people, the Internet device in their home was installed by their ISP (Internet Service Provider) and it's a virtual black box. I have yet to run across an ISP that told their customer the router password.
If your ISP is lazy, the router will have a well-known user ID/password that can be learned through a Google search. If necessary, contact the ISP to learn both the user ID/password and the IP address of the router. Enter the IP address into a web browser's address bar to get access to the web interface of the router.
The latest trend in routers are mesh systems (Eero, Google Wifi, Netgear Orbi, AmpliFi, Linksys Velop, etc.), consisting of two or three devices that work together to increase the range of a wireless network. Most of the mesh routers don't have a web interface. They are administered instead with a mobile app. As of yet, ISPs are not providing mesh routers to their customers. If you have a mesh system, you will need both the mobile app and the router password to make any changes.
Free Security Resources
Wi-Fi Upgrade Guide: Make an Intelligent Wi-Fi Investment
The growing need for users to be productive on their mobile devices is driving organizations to look for ways to cost-effectively build and support Wi-Fi networks that deliver the best connectivity and user experience.
Aruba Networks surveyed over 4,000 individuals to better understand the current pain points and unique requirements of Wi-Fi buyers. Based on this research, we've outlined the top 6 factors to consider when choosing the right Wi-Fi solution for your small or medium business.Download
As soon as you gain access to the router, change its password to one that only you know.
The router password does not need to be the longest and most random password in the world, but make it at least 10 characters and don't use a word in the dictionary. I found it helpful to write the password on a piece of paper and tape it to the router, face down.
Types of Wi-Fi security
To begin with, there are multiple types of Wi-Fi. The three most common types are G, N and ac. G is the slowest, ac is the fastest. Security is handled the same for all three.
The two big aspects of Wi-Fi security are the encryption used to transmit data over the air, and the password for the Wi-Fi network.
Over-the-air encryption started out weak, was improved once, and then improved yet again. The third, and current, iteration has proven its worth over many years.
The first version was called WEP and it should be avoided at all costs. The second version, called WPA, was a big improvement, but in 2017, it too should be avoided. The only acceptable flavor of encryption is known as WPA2 (WPA version 2).
If your router offers a choice, then you also need to be aware of TKIP, AES and CCMP.
WPA is technically a certification rather than a security standard, but since it only includes one security protocol, TKIP, the two are often confused. WPA2, technically, includes two security standards, TKIP and CCMP. For our purposes, TKIP bad, CCMP good. For whatever reason, only computer techies refer to CCMP as CCMP. Most people refer to it as AES.
The bottom line: when configuring a router, the best security option is WPA2-AES. Avoid TKIP, WPA and WEP. WPA2-AES also gives you more resistance to a KRACK attack.
After selecting WPA2, older routers would then ask if you wanted AES or TKIP. The next generation of routers didn't ask; they always used AES when you selected WPA2. The very latest routers are secure by default; they always use WPA2-AES and don't ask you anything.
Another Wi-Fi security option that is falling by the wayside involves the number of passwords. In the old days, routers would ask if you wanted to use PSK (Pre-Shared Key) mode or Enterprise mode. PSK mode is what everyone uses. It allows for one shared password for a given wireless network.
In Enterprise mode, each person gets their own user ID and password. Enterprise mode is more secure but it's complicated, so much so that the device in your home can't handle it by itself. It needs to be pointed to a server computer that keeps track of the many different user IDs and passwords. If your router still has an option for PSK vs. Enterprise mode, it's probably quite old.
Wi-Fi passwords and hackers
With WPA2-AES, bad guys can't get onto a wireless network by hacking, but they can still try to guess the password.
When a new device logs onto a Wi-Fi network, it transmits an encrypted copy of the password. Bad guys can capture this as it is transmitted over the air and use special software to guess the password.
They don't even have to wait for a device to log on. A poor Wi-Fi design decision, made years ago, lets bad guys easily and quickly knock devices off a network. Most wireless devices save the password, so it takes only seconds to log back in. But logging in gives the bad guy the encrypted password.
There are three schemes bad guys use to guess Wi-Fi passwords.
First, they pick off the low hanging fruit - passwords that are a word in the dictionary or a simple variation. Obvious patterns such as a word followed by a number, or changing an E into a 3 or the letter O into the number zero, don't fool anyone.
Another approach is to use passwords other people have used before. The many data breaches over the years have yielded a huge trove of live passwords. It won't take guessing software all that long to test these previously seen passwords, even if there are millions of them.
The third approach is brute force guessing - trying every possible combination of letters, numbers and even special characters.
The initial version of this article in 2009 referred to brute force guessing software making thousands of guesses a second. Now, it is likely to be billions of guesses per second, if not higher. A billion guesses per second multiplies out to 86,400 billion guesses a day. At that rate, it won't take long to unmask a password like "kiY4*iwz".
The problem with this password is that it's too short, only 8 characters. Defending against brute force guessing requires a much longer password. I generally find that 14 or 15 characters is recommended by experts as long enough. Wi-Fi passwords can be up to 63 characters long.
But even with a long password, I suggest including a number, a special character and a capital letter for good luck. So while "ihateschoolonmondays" is 20 characters long, the shorter "I.love.ICE.cream!" is probably more resistant to brute force guessing.
Both these examples illustrate an important point about password security. A short password that looks like a cat ran across they keyboard is not as secure as a long password, even if the long one is a string of words. Multiple words are also easier to remember and easier to type. And putting a special character between each word makes the password even more secure.
Guest network security
The first two versions of this article focused on a single Wi-Fi network, but pretty much all routers can create more than one network. Often these additional networks are called Guest networks, implying that they were intended for granting Internet access to visitors.
A Guest network has a different name (technically an SSID) and password from the main Wi-Fi network. The term "Guest" pre-dates the rise of Internet of Things (IoT) devices such as the Amazon Echo, yet using a Guest network for a Wi-Fi enabled thermostat or doorbell increases your security.
A big benefit of Guest networks is that they are typically isolated. That is, devices on the Guest network, as a rule, can't see or interact with other devices connected to the router. The poor security of IoT devices is infamous, so isolating them on a Guest network may prevent a hacked device from affecting any of your other devices.
That said, some homework is needed. To begin with, there are two types of isolation: guest devices from non-guest devices, and guest devices from each other. Sadly, there are no standards here, so you will have to check how your router handles each type of isolation.
That the terminology used differs among routers just makes this harder.
Public Wi-Fi security
Often a guest user or IoT device needs access to the Internet but not to anything or anyone else using the same router. This is the case in public networks such as a hotel, coffee shop or on an airplane. I frequently check public networks to see if they isolate users from each other, and they never do.
Public Wi-Fi networks that require a password are often referred to as secure, but if the network does not isolate users from each other, it is not secure. A bad guy sitting near you at a coffee shop can attack your computer from within the coffee shop network, no Internet needed at all.
Guest network passwords
Another benefit of Guest networks is that they can (read "should") use a different password. So while the password for the main network may be long and complicated, the one for guests might as simple as two words or even a single word and some special characters (i.e. "television++" or "$$$buildings").
The required strength of the Guest network password varies. If the network is only activated on an as-needed basis, then the password can be relatively simple. The AmpliFi mesh router system lends itself to this, as the Guest network can be set to expire in a few hours. However, if the Guest network is a permanent thing, or if it's being used by IoT devices, then its password should be just as secure as the main network password.
In addition to a second password, Guest networks also allow for different encryption. If you need to use an old device that only supports WEP or WPA encryption, then you can configure a Guest network for that device while keeping the main network secure with WPA2.
The number of Guest networks that routers provide varies drastically. The latest mesh router systems are all limited to a single Guest network. Many routers offer two Guest networks, one on each frequency band (2.4GHz and 5GHz). My favorite router, the Pepwave Surf SOHO, can create three networks, but does not designate any of them specifically as guests. Some Asus routers offer six Guest networks.
Closing router backdoors
Finally, there are two backdoors in most routers that need to be closed for the best security.
Providing the password is not the only way to get onto a wireless network. Most routers support an alternative known as WPS (Wi-Fi Protected Setup). An 8-digit WPS pin code is printed on the label of routers that support it. With this pin code, rather than the password, wireless devices can get on the network. Anyone who can touch your router can turn it over, take a picture of the label and get on your network forever, even if you change the Wi-Fi passwords. Plus the pin code itself was poorly designed so that, on average, it only takes 5,500 guesses, something computers can easily do.
If your router supports WPS, turn it off.
Among the latest crop of mesh routers, those that still support WPS include the Linksys Velop, the Netgear Orbi, the Ubiquiti AmpliFi and the D-Link Covr. On the other hand, those that have dropped it include Eero, Google Wifi, Luma and Plume.
Our final security issue is UPnP, a protocol that lets devices connected to a router poke a hole in the router firewall. The upside to UPnP is that it simplifies the setup of assorted IoT devices. The downside is that it leaves these very same devices exposed to the Internet and vulnerable to hackers.
Every router has UPnP enabled by default. This decreases the cost of technical support both for the router manufacturer and your ISP. But if you care about security, disable UPnP. Owners of Apple routers will instead want to disable NAT-PMP, a similar protocol developed by Apple.
These are the biggest issues, but there is always more than can be done to protect a router. The home page of my RouterSecurity.org site has both a short and a long list of security tweaks.
Editor's Note: This is our second revision to this article, written by Michael Horowitz in September 2009 and revised by Pam Baker in April 2011. In addition to bringing things up to date, this revision adds a discussion of router security and Guest networks.