Protocol Timeline
| Protocol | Status | What to know |
|---|---|---|
| WEP | Broken | Do not use; crackable in minutes |
| WPA (TKIP) | Obsolete | Temporary bridge from WEP; still weak |
| WPA2-Personal (CCMP/AES) | Still common | Good with a strong passphrase and firmware updates |
| WPA2-Enterprise (802.1X) | Business standard | Per-user credentials via RADIUS |
| WPA3-Personal (SAE) | Best modern option | Resistant to offline dictionary attacks |
| WPA3-Enterprise (192-bit) | High-security environments | Suite-B cryptography for government/finance |
| OWE (Enhanced Open) | Replacing open networks | Opportunistic encryption without passwords |
| WPS | Disable | Convenience feature with exploitable weaknesses |
WEP: Why It Is Completely Broken
Wired Equivalent Privacy (WEP) was the original Wi-Fi security standard and is now thoroughly defeated. WEP uses the RC4 stream cipher with a 24-bit initialization vector (IV). That IV is prepended to the key and reused — on a busy network, the same IV can appear roughly every 5,000 packets. By collecting enough IV collisions, an attacker can recover the key in under a minute using freely available tools. WEP also lacks message integrity beyond a weak CRC-32 checksum, which allows bit-flipping attacks on frames. No configuration of WEP makes it acceptable. If a device requires WEP, it needs to be replaced.
WPA and TKIP: The Bridge Protocol
Wi-Fi Protected Access (WPA) was introduced as an emergency firmware-upgradable fix while 802.11i (WPA2) was being finalized. It uses the Temporal Key Integrity Protocol (TKIP), which wraps RC4 with per-packet key mixing and a message integrity code called Michael to patch WEP's worst flaws without requiring new hardware. TKIP is not considered secure by modern standards — it is limited to 54 Mbps, the Michael MIC is relatively weak, and TKIP has known theoretical attacks. It should be treated as a legacy compatibility mode only.
WPA2-Personal: CCMP/AES and the 4-Way Handshake
WPA2 (802.11i) replaced TKIP with CCMP, which uses AES-128 in counter mode with CBC-MAC for both encryption and integrity. This is substantially stronger. The authentication flow uses a 4-way handshake: the client and access point exchange nonces, each independently derives a Pairwise Transient Key (PTK) from the Pre-Shared Key and those nonces, and each proves possession of the PTK with a message integrity code; the PSK itself is never sent over the air. The PSK is derived from the passphrase using PBKDF2-SHA1 with 4096 iterations.
The KRACK attack (Key Reinstallation Attacks, 2017) demonstrated that the 4-way handshake could be manipulated to force nonce reuse in CCMP, potentially allowing traffic decryption. Patches were released for all major operating systems. Keeping firmware and OS updated remains important for WPA2 networks.
WPA2-Enterprise: 802.1X and RADIUS
WPA2-Enterprise replaces the shared password with individual credentials authenticated through 802.1X and a RADIUS server. Each user or device authenticates separately — using a certificate, username/password, or smart card via an EAP method such as EAP-TLS, PEAP, or EAP-TTLS. The RADIUS server approves or denies each authentication attempt. This gives administrators per-user visibility, the ability to revoke one person's access without changing everyone's password, and support for certificate-based authentication that eliminates the password attack surface entirely. It is the standard for corporate, university, and regulated environments.
WPA3-Personal: SAE and the Dragonfly Handshake
WPA3-Personal replaces the PSK handshake with Simultaneous Authentication of Equals (SAE), also called the Dragonfly handshake. SAE is a zero-knowledge proof: both sides prove knowledge of the password without either side transmitting anything that an observer could use to run an offline dictionary attack. Even if an attacker captures the entire handshake, they cannot try passwords offline without interacting with the live network for each guess. This is a fundamental improvement over WPA2-PSK, where a captured handshake can be brute-forced at the attacker's leisure with GPU cracking tools. WPA3-Personal also provides forward secrecy — session keys are ephemeral, so capturing past traffic cannot be retroactively decrypted if the password is later discovered.
WPA3-Enterprise and OWE
WPA3-Enterprise in 192-bit mode uses Suite-B cryptography including GCMP-256 encryption and BIP-GMAC-256 for management frame protection, targeting government and financial environments with strict cryptographic requirements. OWE (Opportunistic Wireless Encryption, also called Enhanced Open) addresses the long-standing problem of open hotspots. OWE networks require no password but perform a Diffie-Hellman exchange so each client session has unique encryption. This protects against passive eavesdropping on public Wi-Fi, even though it does not prevent a malicious access point from impersonating a legitimate one.
Management Frame Protection (802.11w)
Management frames — deauthentication, disassociation, beacon, and probe responses — were historically unauthenticated and could be forged by anyone. This enabled deauth attacks that disconnected clients. 802.11w (Protected Management Frames) cryptographically authenticates management frames between trusted stations. WPA3 mandates 802.11w. WPA2 networks can enable it optionally. Enabling 802.11w on WPA2 networks where all clients support it closes a real attack vector that otherwise lets anyone near your network forcibly disconnect devices.
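A defender-side check for the symptom 802.11w removes, as an added example that is not part of the original article: it scans a management-frame log for bursts of deauthentication or disassociation frames from one source. The log format (seconds, frame type, source MAC, destination MAC) and every entry are constructed for the example; real input would come from a monitor-mode capture or a WIDS export. Note that the source address is whatever the frame claims, which on a network without Protected Management Frames is exactly the problem.

```python
"""Added example: flag deauth/disassoc floods in a (constructed) management-frame log."""
from collections import defaultdict

# Constructed sample log: "<seconds> <frame_type> <source_mac> <dest_mac>".
# One legitimate deauth at t=5.0, then twelve forged deauths in ~0.6 s at t=20.
SAMPLE_LOG = "\n".join(
    [
        "0.00 beacon 02:11:22:33:44:55 ff:ff:ff:ff:ff:ff",
        "0.10 probe_resp 02:11:22:33:44:55 02:aa:bb:cc:dd:ee",
        "5.00 deauth 02:11:22:33:44:55 02:aa:bb:cc:dd:ee",
    ]
    + [f"{20.00 + 0.05 * k:.2f} deauth 02:11:22:33:44:55 02:aa:bb:cc:dd:ee" for k in range(12)]
    + ["25.00 beacon 02:11:22:33:44:55 ff:ff:ff:ff:ff:ff"]
)

DEAUTH_TYPES = {"deauth", "disassoc"}


def parse_log(text: str) -> list:
    """Parse the constructed log format into (time, type, src, dst) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ftype, src, dst = line.split()
        frames.append((float(t), ftype, src, dst))
    return frames


def find_deauth_bursts(frames: list, window: float = 2.0, threshold: int = 10) -> dict:
    """Sliding-window count of deauth/disassoc frames per claimed source.
    Returns {source_mac: peak_count} for sources whose peak count within
    `window` seconds reaches `threshold`."""
    times_by_src = defaultdict(list)
    for t, ftype, src, _dst in frames:
        if ftype in DEAUTH_TYPES:
            times_by_src[src].append(t)

    alerts = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers only `window` seconds.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in find_deauth_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {count} deauth/disassoc frames within 2 s claiming source {src}")
```

The threshold and window are deliberately conservative so a single legitimate disconnect (the frame at t=5.0) is ignored; tune them to your own environment's baseline. On a network with 802.11w enforced, forged frames like the burst above are simply discarded by clients, so the alert doubles as a check that the setting is actually effective.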
How to Check Your Router's Security Mode
Log into your router admin page — typically at 192.168.1.1 or 192.168.0.1. Look for Wireless Settings or Wi-Fi Security. The security mode will list WEP, WPA, WPA2, or WPA3. On Windows, click the Wi-Fi network in the taskbar, select Properties, and look at Security type. On macOS, hold Option and click the Wi-Fi menu bar icon to see security information. On Android and iOS, tap the connected network in Wi-Fi settings for security details. If you see WEP or WPA-TKIP, update the router setting immediately.
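For people who prefer a terminal to the GUI steps above, here is an added example (not from the original article) that rates visible networks against the protocol timeline at the top of the page. It assumes input in the terse, colon-separated format of `nmcli -t -f SSID,SECURITY dev wifi` on a Linux machine using NetworkManager; the sample output below is constructed to look like that format, so run the command yourself for real data. The rating rules are the article's own: WEP and open are bad, anything with WPA1/TKIP is weak, WPA2 with AES is acceptable, WPA3 and OWE are good, and `802.1X` marks an Enterprise network.

```python
"""Added example: rate Wi-Fi security modes from (constructed) nmcli terse output."""

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi` output.
# An empty SECURITY field (or "--" in non-terse mode) means an open network.
SAMPLE_NMCLI = """\
HomeNet:WPA2
OldPrinter:WEP
LegacyCam:WPA1
CoffeeShop:
Office:WPA2 802.1X
NewRouter:WPA3
Airport:OWE
MixedMode:WPA1 WPA2
"""


def rate_security(security: str) -> tuple:
    """Map an nmcli SECURITY string to (rating, advice) using the article's timeline.
    rating is one of 'bad', 'weak', 'ok', 'good'."""
    tokens = set(security.split())
    tokens.discard("--")
    enterprise = "802.1X" in tokens
    if not tokens:
        return ("bad", "open network: no encryption; use OWE or a passphrase")
    if "WEP" in tokens:
        return ("bad", "WEP is broken; replace the device or change the mode")
    if "WPA1" in tokens:
        # Mixed WPA/WPA2 mode still lets clients negotiate TKIP.
        return ("weak", "WPA (TKIP) enabled; switch to WPA2-AES or WPA3")
    if "WPA3" in tokens or "OWE" in tokens:
        suffix = " (Enterprise)" if enterprise else ""
        return ("good", "WPA3/OWE in use" + suffix)
    if "WPA2" in tokens:
        suffix = " (Enterprise, per-user credentials)" if enterprise else ""
        return ("ok", "WPA2-AES; fine with a strong passphrase and firmware updates" + suffix)
    return ("weak", "unrecognised mode: " + security)


def audit(nmcli_output: str) -> dict:
    """Parse terse nmcli lines 'SSID:SECURITY' into {ssid: (rating, advice)}."""
    results = {}
    for line in nmcli_output.splitlines():
        if not line.strip():
            continue
        # Split on the last colon so SSIDs containing ':' survive.
        ssid, _, security = line.rpartition(":")
        results[ssid] = rate_security(security)
    return results


if __name__ == "__main__":
    for ssid, (rating, advice) in audit(SAMPLE_NMCLI).items():
        print(f"{rating:5} {ssid:12} {advice}")
```

nmcli's SECURITY column names the protocols a network advertises, not which one your client negotiated, so a `MixedMode`-style network shows up as weak even if your laptop happens to pick WPA2-AES: the fix is on the router, where the article says to remove the WPA/TKIP option.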
Personal vs Enterprise Wi-Fi Security
Most homes use Personal mode — everyone shares the same passphrase. Businesses with staff turnover, compliance requirements, or many managed devices should consider Enterprise mode, where each user or device authenticates individually. Enterprise mode gives better accountability and lets admins revoke one user's access without changing the password for everyone else.
Security Checklist
- Use WPA3-Personal where possible, or WPA2-AES if compatibility requires it.
- Enable 802.11w (Protected Management Frames) if your router supports it.
- Use a long unique passphrase that is not reused anywhere else.
- Disable WPS after setup — particularly PIN-based WPS.
- Use a guest network for visitors and a separate network for IoT devices.
- Keep router firmware updated so security fixes reach the Wi-Fi stack.
- Replace devices that require WEP, WPA, or TKIP.
Frequently Asked Questions
Which Wi-Fi security mode should I use?
Use WPA3-Personal if all devices support it. Otherwise use WPA2-Personal with AES. Avoid WEP, WPA with TKIP, and open networks for normal private Wi-Fi.
Should WPS be disabled?
Yes. WPS is convenient but has a history of security weaknesses, especially PIN-based setup. Disable it unless you absolutely need it temporarily.
Is WPA2 still safe?
WPA2 with AES and a strong passphrase is still widely used and generally safe for home networks. WPA3 improves password protection and authentication where supported.