Last Updated on February 9, 2018 by Dave Farquhar
What is the best wireless security mode? There are only four choices, and only one worth using, WPA2. But there are some other settings you have to use in order to make WPA2 secure.
The best wireless security mode is about more than security
Your choices of security mode are: wide open (no security at all), WEP, WPA, and WPA2. Both WEP and the original WPA are obsolete today. They have weaknesses that make them easy to crack. Besides that, if you want anything faster than 54-megabit wireless, you have to use WPA2. So you want WPA2 for speed, not just security.
There’s no point in buying an expensive high-speed router and then leaving the extra speed on the table because you picked the wrong mode.
Hidden pitfalls in the best wireless security mode
Unfortunately, you usually have to do more than just choose WPA2 and call it a day. WPA2 has two encryption algorithms: TKIP and AES. TKIP is the algorithm the original WPA used. It’s no longer secure by 21st century standards. It’s there for backward compatibility, but the hardware that needed it is all obsolete today.
The second option, AES, is secure. At least it’s safe to say it’s the most secure option your router has available. There are rumors floating around about AES, but they’re all rumors. I’ve yet to see a noted cryptologist come out against AES.
Most routers also allow you to choose TKIP+AES. That makes it sound like double encryption, which sounds great. Who wouldn’t want extra encryption? The problem is, that’s not what the option means. The option of TKIP+AES allows either of them, not the combination. So don’t choose that option. Choose AES.
Your wireless password matters too
The final thing you need is a decent password for your wireless shared key. Don’t use things like your house number. But you can get by with four or five random words, and throw in a number for good measure. That’s how the GCHQ, the British NSA, recommends choosing passwords these days. I tell people to grab a book, flip to a random page, point at a word, and then repeat four or five times.
It’s OK to write this password down and tape it to your router if you want. It’s the person who’s not in your house and never will be in your house you want to keep off your wifi.
My wireless password story
I create 63-character wireless passwords for myself. That’s the longest WPA2 allows. The problem with those passwords is remembering and typing them. When I set up a router for my mother-in-law, I put a long password on it too. Then one time I came over to visit and I couldn’t get on her wifi.
I investigated, and found my now-former brother-in-law had reset the router to the factory defaults, including the default password. So I recommend making sure the password is something that’s not too hard to type, especially on a mobile device. When I told my mentor this story, he lectured me about how it’s possible to have too much security. He’s right. Security is like a law. If people won’t follow it, you end up worse off. A speed limit of 25 miles per hour on the interstate is, in effect, no speed limit at all. And no security is much worse than weak security.
One more thing: Disable WPS
OK, there is one more thing. You need to disable WPS. WPS makes it much more convenient to set up wifi because you don’t have to type passwords, but WPS isn’t hard to crack. WPA2 with WPS enabled is only marginally more secure, at best, than WPA.
So remember: The best wireless security mode is WPA2 with AES (no TKIP), no WPS, and a reasonable password.
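As an added example (my own, not from the original post), here is a small Python checker that audits a hostapd-style access point config for exactly those pitfalls: WPA mode, TKIP still allowed next to AES (CCMP), WPS left on, and a weak passphrase. The hostapd key names are real; the two sample configs are constructed for the example.

```python
# Constructed hostapd-style config with the pitfalls this post describes:
# TKIP still allowed alongside AES (CCMP), WPS left on, a trivial passphrase.
WEAK_CONF = """
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wps_state=2
wpa_passphrase=1234
"""

# The same network as the post recommends: WPA2, AES only, WPS off, random words plus a number.
GOOD_CONF = """
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
wpa_passphrase=lantern otter gravel pinecone 42
"""

def parse_hostapd(text):
    """Turn key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(text):
    """Return findings; an empty list means WPA2 + AES only, WPS off, sane passphrase."""
    conf = parse_hostapd(text)
    findings = []
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys present: WEP is obsolete and easily cracked")
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append(f"wpa={wpa}: only WPA2 (wpa=2) should be enabled")
    # 'TKIP CCMP' lets a client pick either cipher; it is not double encryption.
    ciphers = set((conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "").split())
    if ciphers != {"CCMP"}:
        findings.append(f"pairwise ciphers {sorted(ciphers)}: set rsn_pairwise=CCMP only")
    if conf.get("wps_state", "0") != "0":
        findings.append("wps_state is not 0: disable WPS")
    pw = conf.get("wpa_passphrase", "")
    if not 8 <= len(pw) <= 63:
        findings.append(f"wpa_passphrase is {len(pw)} chars; hostapd needs 8 to 63")
    elif pw.isdigit() or len(pw) < 16:
        findings.append("wpa_passphrase is weak: use four or five random words and a number")
    return findings
```

Running `audit_hostapd(WEAK_CONF)` reports the mixed ciphers, WPS and passphrase problems, while `audit_hostapd(GOOD_CONF)` returns an empty list.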
If you want more information and happen to be running DD-WRT, I’ve written a pretty comprehensive guide to securing DD-WRT.