The best wireless security mode

What is the best wireless security mode? There are only four choices, and only one worth using, WPA2. But there are some other settings you have to use in order to make WPA2 secure.

Your choices of security mode are wide open, WEP, WPA, and WPA2. Both WEP and the original WPA are obsolete today. They have weaknesses that make them easy to crack. Besides that, if you want anything faster than 54-megabit wireless, you have to use WPA2. So you want WPA2 for speed, not just security.

Unfortunately, you usually have to do more than just choose WPA2 and call it a day. WPA2 has two encryption algorithms: TKIP and AES. TKIP is the algorithm the original WPA used. It’s no longer secure by 21st century standards. It’s there for backward compatibility, but the hardware that needed it is all obsolete today. The second option, AES, is secure. At least it’s safe to say it’s the most secure option your router has available. There are rumors floating around about AES, but they’re all rumors. I’ve yet to see a noted cryptologist come out against AES.

Most routers also allow you to choose TKIP+AES. That makes it sound like double encryption, which sounds great. The problem is, that’s not what the option means. The option of TKIP+AES allows either of them, not the combination. So don’t choose that option. Choose AES.

The final thing you need is a decent password for your wireless shared key. Don’t use things like your house number. But you can get by with four or five random words, and throw in a number for safe measure. That’s how the GCHQ, the British NSA, recommends choosing passwords these days. I tell people to grab a book, flip to a random page, point at a word, and then repeat four or five times.

OK, there is one more thing. You need to disable WPS. WPS makes it much more convenient to set up wifi because you don’t have to type passwords, but WPS isn’t hard to crack. WPA2 with WPS enabled is only marginally more secure, at best, than WPA.

So remember: The best wireless security mode is WPA2 with AES (no TKIP), no WPS, and a reasonable password.

If you want more information and happen to be running DD-WRT, I’ve written a pretty comprehensive guide to securing DD-WRT.

Leave a Reply

%d bloggers like this: