Enable WPA3 on Your Router
Run a Speed TestWPA3 eliminates the dictionary attack vulnerability that has made WPA2 networks crackable for over a decade. Enabling it takes two minutes in your router's wireless settings — and the right mode keeps every device on your network working.
What WPA3 Fixes
WPA2's weakness is its four-way handshake. An attacker who captures the handshake during a device's connection can run an offline brute-force or dictionary attack against it indefinitely, with no interaction with your network. Weak passwords fall quickly; even stronger ones fall given sufficient compute time.
WPA3 replaces the handshake with Simultaneous Authentication of Equals (SAE), a protocol based on a Diffie-Hellman key exchange. SAE does not produce a handshake that can be captured and attacked offline. An attacker must interact with the network for each password guess — effectively making brute-force impractical. WPA3 also provides forward secrecy: each session uses a unique encryption key, so capturing traffic today cannot be decrypted later even if the password is eventually compromised.
How to Enable WPA3
The setting is in your router's wireless security section. The exact path varies by brand:
- ASUS: Wireless → General → Authentication Method → WPA2/WPA3-Personal
- TP-Link: Wireless → Wireless Security → Security → WPA3-Personal or WPA2/WPA3 mixed
- Netgear: Advanced → Wireless Settings → Security Options → WPA3-Personal or WPA2/WPA3 Mixed
- Eero: App → Network Settings → Advanced → WPA3 toggle
- Ubiquiti: Settings → WiFi → edit network → Security → WPA3 or WPA2/WPA3 Mixed
Select WPA2/WPA3 mixed mode (also called Transition Mode or WPA2/WPA3-Personal). Do not select WPA3-only unless you have verified every device on your network supports WPA3.
Why Mixed Mode, Not WPA3-Only
Several common household devices only support WPA2 and will fail to connect if WPA3-only is selected:
- Amazon Echo (1st and 2nd generation), Echo Dot (pre-4th gen)
- Nintendo Switch (original and Lite models)
- Some older Chromecast devices
- Android phones running Android 9 or earlier
- Many budget IoT sensors, cameras, and smart home devices
In WPA2/WPA3 mixed mode, WPA3-capable devices automatically negotiate WPA3 during the connection handshake. WPA2-only devices connect using WPA2. Both types share the same SSID and password — no separate network is needed.
WPA3-Personal vs WPA3-Enterprise
Home networks use WPA3-Personal (also called WPA3-SAE), which secures the network with a pre-shared password. WPA3-Enterprise uses 802.1X authentication with certificates and a RADIUS server — a corporate feature that requires significant infrastructure and is not relevant to home use.
After Enabling WPA3
Devices that were previously connected may prompt to re-enter the Wi-Fi password after the security mode changes. This is normal. The password itself does not change — only the authentication protocol. Connect each device normally using the same password.
If any device fails to connect after switching to WPA2/WPA3 mixed, check whether the device firmware is up to date. Some older devices gained WPA3 support via firmware updates. If a device cannot be updated and does not support WPA3, the mixed mode handles it automatically — it should still connect via WPA2.
| Security Mode | Attack Resistance | Forward Secrecy | Device Compatibility | Recommended For |
|---|---|---|---|---|
| WPA2-PSK (AES) | Offline dictionary possible | No | Universal | Legacy-only devices, older routers |
| WPA2/WPA3 Mixed | WPA3 for capable devices | Yes (WPA3 devices) | Universal | Most homes — recommended |
| WPA3-SAE only | Offline attack not possible | Yes | WPA3 devices only | All-new device households |
| WPA3-Enterprise | Certificate-based | Yes | Corporate clients | Business networks only |