What is the best home wireless network encryption algorithm to use?

  • What is the best home wireless network encryption algorithm to use? I realize the best answer will probably change over time, and hopefully people can provide updated answers as new standards come out. So far, my knowledge, as of early 2015 is:

    • WEP - Horrible / outdated, but still a bit better than nothing (or may even be worse than nothing because it provides a false sense of security as pointed out below).
    • WPA - Provides some security, but probably better to go with WPA2.
    • WPA2 - Pretty good (especially with AES encryption), but still not perfect. It is the best I know though for a home network.

    Are there any better encryption standards to use than WPA2 for a home wireless network, or is that the best there is? If it is the best there is, is it easy to hack?

    If it is true as others indicate that WPA-2 is not adequate, and nothing better exists, it seems like it would be a good idea, perhaps even a good money making opportunity for someone to develop something better!

    Edit (July 1, 2019): WPA3 is now a better option than WPA2.

    WPA2-Personal sucks, even for home networks.

    @CodesInChaos Is there anything better than WPA2-Personal to use for home networks (other than possibly WPA2-Enterprise which would probably be too difficult to set up for the average user?)

    @Jonathan There is nothing better that is built-in to your router. If you want more security, use openvpn for authentication into your "actual" network.

    Not an answer, but an alternative perspective: your wifi security should be nothing more than a deterrent to keep people from abusing your bandwidth. If you're relying on wifi encryption for authentication purposes (e.g. treating wlan hosts as trusted) or privacy of data, you've already failed. You should be using proper encrypted protocols (https, ssh, etc.) over your wifi (or wired) network just like you would over the public internet. You should not be using cleartext protocols like ftp, telnet, nfs, etc. at all.

    Apparently WPA2 is partially compromised now (e.g. KRACK)...

  • catsquid

    catsquid Correct answer

    6 years ago

    From a security perspective, I think you are asking the wrong question. WPA2 is the basic answer. But it's entirely incomplete! A more complete answer will view WPA2 as one component of your wireless network defence. Of course there's strong encryption methods using certificates/vpn etc but these are too difficult for most people to set up and are usually reserved for businesses. So let's assume WPA-2 is the 'best' answer to the basic question. However... as you'll see, there's many weaker points that attackers go for, that ultimately reveal your WPA2 password, so I've included them in the points below.

    I'm assuming many people will land on this page and see answers saying 'yeah just use a good password and WPA2 encryption', which is bad advice. Your WPA2 network is still completely vulnerable, as you will see:

    1. the main thing you can do, is be the hardest person to hack around you. That's the biggest deterrent. If I'm going to hack you, but you're taking too long or are too expensive to crack, I'll try the next person. This will require some playing around in your router settings.

    2. I'll assume you would never use WEP. 10 minutes on youtube and your mom can crack it.

    3. Switch off WPS. this is EXTREMELY vulnerable to brute force attacks and can be hacked in seconds, even if you are using WPA2 with a ridiculously complex password. Tools like reaver and revdk3 or bully make light work of these. You're only a little bit more protected if your router supports rate-limiting, which slows down, but doesn't prevent brute force attacks against your routers pin. Better to be safe and just switch WPS off and be 100% safe against these attacks.

    4. turn off remote access, DMZ, UPNP, unecessary port forwarding

    5. turn on, any inbuilt intrusion detection systems, MAC address filtering (tedious to set up if visitors to your house want access to your wifi (you will have to add your friends device to the router's MAC white-list to enable access) This can be hacked by faking a MAC address easily, and getting your MAC is also easy with an airodump-ng scan, but nevertheless, this will slow down attackers, requires them to be near a client device (mobile phone, or laptop in the whitelist) It will be pretty effective against some remote attacks.

    6. have a very long, non-human, complex password. If you have ever tried to decrypt a password you'll know that it gets exponentially harder to crack a password the more complex, less predictable and longer it is. If your password even remotely resembles a word, or something that could probably be a set of words (see: markov chains) you are done. Also don't bother adding numbers to the end of passwords, then a symbol... these are easily hacked with a dictionary attack with rules that modify the dictionary to flesh it out to cover more passwords. This will take each word or words in the dictionary, and add popular syntax and structures, such as passwords that look like this 'capital letter, lowercase letters, some numbers then a symbol. Cat111$, Cat222# or whatever the cracker wants. These dictionaries are huge, some can be investigated on crackstation or just have a look at Moxie Marlinspikes' cloudcrackr.com. The goal here is to be 'computationally expensive'. If you cost too much to crack using ultra high speed cloud based cracking computers then you're safe against almost anyone. So ideally you want to use the maximum 64 characters for your password, and have it look like the most messed up annoying symbol infused piece of incoherent upper-lower-case dribble you've ever seen. You'll probably be safe after 14 characters though, there's quite a bit of entropy here, but it's far easier to add characters than it is to decrypt.

    7. change your routers default password and SSID. nobody does this, but everyone should. It's literally the dumbest thing. Also, don't get lazy. and don't keep the router's model number in the SSID, that's just asking for trouble.

    8. update your router's firmware. Also, if your router is old. throw it out and buy a newer one, because it's likely your router is on some website like routerpwn.com/ and you've already lost the battle. Old routers are full of bugs, can be easily denial-of-serviced, don't usually have firewalls or intrusion detection systems and don't usually have brute-force WPS rate limiting among other things. just get a new one.

    9. learn about evil-twin hacks. The easiest way to protect against this is to stop your device from auto-connecting. However, this might still snag you. Become familiar with software like wiphishing and airbase-ng, these apps clone your router, then Denial of service your router making your device connect to the attackers cloned router, allowing them to intercept your traffic. They'll usually try to phish the WPA2 password from you here. You're safer from these attacks if you actually know what your router's web console looks like, because the default phishing pages that come with these types of apps are usually pretty old looking, however a sophisticated attacker can create a good landing page. Put simply, if your 'router' ever wants you to type in a password don't type it! You'll only ever be asked when you are creating the password, when you specifically log in to the or user interface, then you are being phished and it's game over. To prevent this attack you could also artificially reduce the range of your router. pull out the antenna's and create a little faraday cage around it, leaving a small area that points to your most ideal wifi position. Alternatively, just use a cable to your laptop or computer until the attacker gives up.

    10. handshake attacks are pretty popular, this is where the attacker sends a deauthorisation packet to anyone connected to your router using your password, then when that device (say an iPhone) tries to reconnect, it captures the '4 way handshake' which let's the device and router authenticate using your WPA2 password. This is what hackers use to crack offline using the password attacks in point 6. However if you have used a strong password (as described in point 6) then you've mitigated this attack already.

    11. So i've focussed on router based defence, but there's actually even easier ways to be attacked. If the attacker knows who you are, you're screwed. With a tiny bit of social engineering, they can find your facebook your email or some other way to contact you and insert some malicious snippet of code that's invisible and hijack your entire computer, which therefore lets them simply check the wifi settings in your computer and obtain the ultra strong password you've spent so long making. One popular method is to send you an email that's junk, and keep sending it until you click unsubscribe, as you usually would for junk mail, except this link is exactly the worst thing to do. You've broken the cardinal law of email. Don't click links in emails. If you have to click one, at least check where it goes first.

    12. If someone has access to any of your devices, or plugs/gets your to plug a device into your laptop, you're gone. things like usb sticks 'usb rubber ducky' can compromise your computer and reveal your WPA2 password to a relatively novice hacker.

    13. if you use a wireless keyboard, and you live near an attacking neighbour, they can use things like keysweeper to compromise your wifi, and a lot more. This could be creatively used with an evil twin attack to increase the likelihood you type your password (it listens to wireless keyboard signals). The way to prevent this attack is to not use a wireless microsoft keyboard.

    There's plenty of other ways, and you'll never prevent them all,

    but usually if your router is locked down, has a nice password, has WPS off, WPA2 on, a strong (new) router with a password, no remote-web access, unnecessary ports are closed, MAC filtering is used and intrusion detection in the router is switched on you will usually prevent even pretty dedicated attackers. They'll have to try harder methods and will probably just give up.

    `insert some malicious snippet of code that's invisible and hijack your entire computer` this is FUD and in context is incorrect: Social Engineering is where you maliciously convince your target to bypass security controls (e.g. click "Run"). What you describe resembles a worm.

    Actually, we he describes is using social engineering to deliver a worm. He did not say "the definition of social engineering is X." Rather he said "with social engineering, X can be something that occurs."

    It's worth noting that some routers have a "Disable WPS" option in their configuration interfaces, but even if you disable it WPS pin entry works just fine.

    " ... If your password even remotely resembles a word, or something that could probably be a set of words..." That could be read as a disqualification of passphrases like _SplashSentryBarflySweatPerchDiscus_. Is that intended?

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM