Quick Answer
- WPA3 if every device supports it — best security, no real downsides
- WPA2/WPA3 mixed (transition) mode if you have a mix of old and new devices
- WPA2-AES (CCMP) if your router doesn't support WPA3 — still secure in practice
- Never use WEP, WPA (original), WPA2-TKIP, or "Open" networks at home
A Short History
| Protocol | Year | Status |
|---|---|---|
| WEP | 1997 | Broken — crackable in minutes |
| WPA (original) | 2003 | Broken — dictionary attacks |
| WPA2-TKIP | 2004 | Deprecated — weak cipher |
| WPA2-AES | 2004 | Still secure for practical purposes |
| WPA3 | 2018 | Current, recommended |
What WPA3 Actually Fixes
1. Offline Password Cracking (KRACK-adjacent attacks)
In WPA2, an attacker within range can capture the 4-way handshake when a device connects and then crack the password offline by trying millions of guesses per second on a GPU. Short or dictionary-based passwords fall in hours.
WPA3 replaces this with SAE (Simultaneous Authentication of Equals). Each password guess requires a separate handshake with the router, rate-limited by the router. Brute-forcing becomes impractical even against short passwords.
2. Forward Secrecy
If someone records your encrypted Wi-Fi traffic today and later learns your password, WPA2 lets them decrypt the old traffic. WPA3 provides forward secrecy — each session uses a unique key that can't be recovered from the password alone.
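To make points 1 and 2 concrete, here is an added example (written for this edit, not code from the article) that reproduces the WPA2-Personal key schedule from IEEE 802.11 in Python: PBKDF2 turns the passphrase and SSID into the PMK, and the 802.11 PRF turns the PMK plus the two MAC addresses and two nonces, all of which the 4-way handshake sends in the clear, into the session key. Nothing in that chain is secret except the passphrase, which is why a recorded handshake lets a guess be checked without any further contact with the router, and why a passphrase learned later yields the temporal key of any session recorded earlier. Under SAE the PMK instead comes from an ephemeral exchange, so neither follows from the passphrase alone. The handshake values below are constructed, not a real capture; the only published value used is the IEEE test vector for passphrase "password" with SSID "IEEE".

```python
import hashlib
import hmac

# Added example, not code from the article: the WPA2-Personal key schedule from
# IEEE 802.11. The PMK is a pure function of (passphrase, SSID); the session key
# (PTK) is a pure function of the PMK plus values sent unencrypted in the handshake.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) blocks, cut to n bytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP: 48 bytes = KCK(16) || KEK(16) || TK(16).

    Every input except the PMK is visible to anyone who recorded the 4-way handshake.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def temporal_key(ptk: bytes) -> bytes:
    """The TK slice of the PTK is the key that actually encrypts the session's data frames."""
    return ptk[32:48]


# Constructed handshake values (locally administered MACs, fixed nonces); not a real capture.
CAPTURE = {
    "ap_mac": bytes.fromhex("020000000001"),
    "sta_mac": bytes.fromhex("020000000002"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}


def recover_old_session_tk(passphrase: str, ssid: str, capture: dict) -> bytes:
    """What a passive observer holds once the passphrase becomes known: the same TK the
    client derived at the time. This is the absence of forward secrecy in WPA2-Personal."""
    pmk = wpa2_pmk(passphrase, ssid)
    return temporal_key(wpa2_ptk(pmk, **capture))


if __name__ == "__main__":
    # Published vector from the IEEE 802.11 passphrase-to-PSK annex: "password" / "IEEE".
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
    print("TK of recorded session:", recover_old_session_tk("password", "IEEE", CAPTURE).hex())
```

The practical lesson for anyone staying on WPA2 is the one the article draws: passphrase length is the only knob you control, and rotating the passphrase after a leak does not protect traffic that was already recorded.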
3. Protected Management Frames (Mandatory)
WPA2 management frames (disconnect notifications, association requests) are not authenticated. An attacker can forge "disconnect" frames to knock clients off the network or force them to reconnect to a rogue AP. WPA3 requires Protected Management Frames (PMF/802.11w), blocking these attacks.
4. Easier Public Wi-Fi (Enhanced Open / OWE)
Opportunistic Wireless Encryption (OWE), marketed as Enhanced Open, is a related spec rather than part of WPA3 proper. Open networks (no password) have always been unencrypted — anyone on the same network can read your traffic. OWE encrypts open networks without requiring a password. Coffee shops, airports, and hotels should move to this; many haven't.
When WPA2 Is Still Fine
WPA2-AES (CCMP) has no known feasible attack against a strong password. A 16+ character random password on WPA2 is secure in practice against anyone without nation-state resources. The gap between WPA2-AES with a strong password and WPA3 with a weak password is narrow.
Situations where WPA2-AES is a reasonable choice:
- Router doesn't support WPA3 and replacement isn't urgent
- All your devices predate 2019 and can't connect as WPA3 clients
- Network carries low-value traffic (guest Wi-Fi for known visitors)
Mixed Mode (WPA2/WPA3 Transition)
Every modern router offers WPA2/WPA3 "Personal mixed" or "transition mode." New devices connect via WPA3; old devices fall back to WPA2. It's the right choice for most homes because you rarely have 100% modern devices.
Caveats:
- Transition mode is slightly less secure than WPA3-only because an attacker can try to force a client down to the WPA2 handshake
- Some old devices (pre-2012) can't associate with transition-mode networks — a known firmware quirk
- Newer mesh systems sometimes reset to transition mode after firmware updates; verify settings
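Whether a network is WPA3-only, in transition mode, or still WPA2 with TKIP enabled, and whether Protected Management Frames are required (WPA3-only), merely offered (transition mode) or absent, is advertised in the RSN information element of every beacon; that element is also what clients read to decide which handshake to use, which is why the downgrade caveat above exists. The following added example (written for this edit, not code from the article or from any router vendor) is a small Python decoder for that element built from the IEEE 802.11 field layout, with hand-constructed sample elements for each mode discussed on this page, including Enhanced Open. It flags the checks worth running after changing a router setting: a leftover TKIP or WEP cipher, a WPA3-only network that does not require PMF, and transition mode itself, which by design keeps the WPA2 fallback open. Raw element bytes can be copied from a packet capture of a beacon (Wireshark shows them under "Tagged parameters").

```python
import struct

# Added example, not code from the article: decode the RSN element (ID 48) that
# WPA2/WPA3 access points put in beacons and probe responses, and report the mode.

IEEE_OUI = bytes.fromhex("000fac")
# Suite selector types under the IEEE OUI (IEEE 802.11-2016 cipher suite and AKM suite tables).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
PSK_AKMS, SAE_AKMS, ENTERPRISE_AKMS, OWE_AKM = {2, 4, 6}, {8, 9}, {1, 3, 5}, 18
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6 (PMF required) and 7 (PMF capable)


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode a raw RSN element as found in a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN element")
    pos = 0

    def u16() -> int:
        nonlocal pos
        if pos + 2 > len(body):
            raise ValueError("field runs past end of element")
        (value,) = struct.unpack_from("<H", body, pos)
        pos += 2
        return value

    def suites(count: int) -> list:
        nonlocal pos
        if pos + 4 * count > len(body):
            raise ValueError("suite list runs past end of element")
        out = []
        for _ in range(count):
            oui, selector = body[pos:pos + 3], body[pos + 3]
            pos += 4
            # Vendor-specific selectors are kept verbatim so they are never mistaken for IEEE ones.
            out.append(selector if oui == IEEE_OUI else f"vendor:{oui.hex()}:{selector}")
        return out

    if u16() != 1:
        raise ValueError("unsupported RSN version")
    group = suites(1)[0]
    pairwise = suites(u16())
    akms = suites(u16())
    caps = u16() if pos + 2 <= len(body) else 0  # capabilities field is optional
    return {"group": group, "pairwise": pairwise, "akms": akms, "caps": caps}


def classify(ie: bytes) -> dict:
    """Map a parsed RSN element onto the modes discussed in the article and flag weak settings."""
    rsn = parse_rsn_ie(ie)
    akms = set(rsn["akms"])
    ciphers = set(rsn["pairwise"]) | {rsn["group"]}
    pmf = "required" if rsn["caps"] & MFPR else "capable" if rsn["caps"] & MFPC else "none"
    warnings = []
    if akms & ENTERPRISE_AKMS:
        mode = "Enterprise (802.1X)"
    elif OWE_AKM in akms:
        mode = "Enhanced Open (OWE)"
    elif akms & SAE_AKMS and akms & PSK_AKMS:
        mode = "WPA2/WPA3 transition"
    elif akms & SAE_AKMS:
        mode = "WPA3-Personal"
    elif akms & PSK_AKMS:
        mode = "WPA2-TKIP" if 2 in ciphers else "WPA2-AES"
    else:
        mode = "unknown"
    if ciphers & {1, 2, 5}:
        warnings.append("deprecated cipher (WEP/TKIP) enabled; pick AES/CCMP only")
    if mode == "WPA3-Personal" and pmf != "required":
        warnings.append("WPA3-only networks must require PMF (MFPR); this one does not")
    if mode == "WPA2/WPA3 transition":
        if pmf == "none":
            warnings.append("transition mode must at least advertise PMF capability (MFPC)")
        warnings.append("WPA2 fallback is offered, so a downgrade below WPA3 is possible")
    return {"mode": mode, "pmf": pmf,
            "ciphers": sorted(CIPHERS.get(c, str(c)) for c in ciphers),
            "warnings": warnings}


# Constructed sample elements for each mode (hand-built bytes, not captured from any real AP).
SAMPLES = {
    "wpa3_only": bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000"),
    "transition": bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                                "0200" "000fac02" "000fac08" "8000"),
    "wpa2_aes": bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000"),
    "wpa2_tkip_mixed": bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac02" "000fac04"
                                     "0100" "000fac02" "0000"),
    "owe": bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac12" "c000"),
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        print(name, classify(ie))
```

The classification rule is the one the Wi-Fi Alliance WPA3 specification uses: a WPA3-only network advertises SAE with PMF required, a transition network advertises both SAE and PSK with PMF capable but not required, and anything that still lists TKIP or WEP as a cipher belongs in the "never use" row of the table above regardless of what the router's menu calls it.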
Device Support for WPA3
| Device | WPA3 Support |
|---|---|
| iPhone 7 and newer (iOS 13+) | Yes |
| Android 10+ on modern hardware | Yes |
| Windows 11 | Yes |
| Windows 10 (2020+ builds) | Yes with compatible Wi-Fi card |
| macOS Big Sur (11) and newer | Yes |
| Linux with modern drivers | Yes |
| Smart bulbs, plugs, older cameras | Often WPA2-only |
| Older smart TVs (pre-2020) | Usually WPA2-only |
| Printers, network storage | Varies — check specs |
How to Change the Mode on Common Routers
ASUS
Wireless → General → Authentication Method → WPA3-Personal or WPA2/WPA3-Personal.
TP-Link
Advanced → Wireless → Wireless Settings → Security → WPA3-Personal or WPA2/WPA3-Personal.
Netgear
Wireless → Security Options → WPA3 Personal or WPA2/WPA3 Personal.
Eero and similar mesh systems
In the Eero app → Settings → Advanced → Security → pick WPA3. Most mesh systems default to mixed/transition mode already.
Xfinity/Comcast, AT&T, Spectrum modems
ISP-provided gateways often lock this setting or offer only WPA2. If you care about WPA3 and your ISP blocks it, you'll need your own router behind the ISP gateway in bridge mode.
What About "Enterprise" Variants (WPA2-Enterprise, WPA3-Enterprise)?
Enterprise variants use a RADIUS server and per-user credentials, common in offices and universities. Not relevant for home networks. If you see "Enterprise" as an option, stick with "Personal."
Frequently Asked Questions
Is WPA3 really more secure than WPA2?
Yes — WPA3 fixes real attacks including offline password cracking and forced-disconnect attacks, and adds forward secrecy. With a strong password, WPA2-AES is still secure in practice, but WPA3 is meaningfully better. Use it when every device supports it.
Should I use WPA2/WPA3 mixed mode?
For most homes, yes — it lets modern devices use WPA3 while older devices still connect via WPA2. It's slightly less secure than WPA3-only because of potential downgrade attacks, but the practical risk is low and the compatibility wins are large.
What's the difference between WPA2-TKIP and WPA2-AES?
WPA2-TKIP uses an older, weaker cipher that's been deprecated. WPA2-AES (also shown as CCMP) uses AES encryption and is secure. Always pick AES/CCMP if your router offers the choice — never TKIP or mixed TKIP/AES.