WPA2 vs WPA3 — Wi-Fi Security Explained

When you set up a Wi-Fi router, you pick a security mode. Pick the wrong one and your network is wide open. The history of Wi-Fi security is also the history of broken protocols replaced by better ones — knowing which is which protects you.

The lineup (oldest to newest)

None / Open

No encryption. Anyone within range can read your traffic. Used at coffee shops where convenience matters more than security. NEVER use for your home or office.

WEP (1997) — completely broken

Wired Equivalent Privacy. Cracked in minutes since the early 2000s. Tools like aircrack-ng can recover the key from captured traffic in seconds. If your router only offers WEP, replace the router.

WPA (2003) — interim fix

Wi-Fi Protected Access. Designed as a stopgap to be deployed via firmware updates on existing WEP hardware. Used TKIP encryption. Better than WEP but also has known weaknesses. Don’t use today.

WPA2 (2004) — the standard for 15 years

Uses AES-CCMP encryption, which is actually strong. WPA2 certification has been required on all Wi-Fi devices since 2006. Still considered acceptable in 2024 but losing ground to WPA3.

Two flavors:

  • WPA2-Personal (PSK) — pre-shared key (the password). For homes and small offices.
  • WPA2-Enterprise — uses 802.1X authentication via a RADIUS server. Each user has unique credentials. Used in corporate environments.

WPA2 weaknesses

  • KRACK (2017) — protocol-level vulnerability in the 4-way handshake. Mostly patched at OS level.
  • Offline dictionary attacks — capture the handshake, brute-force the password offline. Weak passwords (under 12 chars, common words) are crackable in hours.
  • WPS — Wi-Fi Protected Setup PIN can be brute-forced in hours. Disable WPS on your router.

WPA3 (2018) — what’s actually new

Mandatory on Wi-Fi 6 certified devices. Major improvements:

  • SAE (Simultaneous Authentication of Equals) replaces WPA2’s PSK handshake. Resistant to offline dictionary attacks — even with a captured handshake, attackers can’t crack passwords offline.
  • Forward secrecy — traffic captured today can’t be decrypted later, even if the password leaks.
  • Enhanced Open (Opportunistic Wireless Encryption) — encryption on “open” networks. Coffee shop traffic gets encrypted between you and the AP without needing a password.
  • 192-bit security suite — for enterprise/government environments.

WPA3 transition mode

“WPA2/WPA3 mixed mode” lets older WPA2-only devices connect alongside WPA3 devices. Necessary during transition but reduces some WPA3 benefits. Move to WPA3-only when feasible.

Picking a strong Wi-Fi password

Even WPA3 doesn’t help if your password is “password”. For WPA2 (still the most common):

  • 16+ characters
  • Mix of words, numbers, symbols
  • Not based on your address, name, or anything publicly knowable
  • Use a passphrase: “correct horse battery staple” works and is memorable

WPA3 password requirements (less critical)

Because SAE prevents offline brute force, even shorter passwords are reasonably safe with WPA3. Still, longer is always better.

Other Wi-Fi security practices

  • Disable WPS — known broken
  • Disable UPnP unless needed — opens ports automatically
  • Update router firmware — many vulnerabilities are patched here
  • Change default admin password on the router itself
  • Hide SSID? No. — provides false sense of security, breaks some clients
  • MAC filtering? No. — easily bypassed by spoofing, painful to maintain
  • Guest network — separate VLAN for visitors so they can’t reach your devices
  • VLAN your IoT — keep smart bulbs/cameras isolated from your laptop

Check your current security mode

# Linux (replace wlan0 with your interface name)
iw dev wlan0 link
nmcli dev wifi list   # the SECURITY column shows each network's mode

# macOS
networksetup -getairportnetwork en0
# Hold Option, click Wi-Fi icon for full details

# Windows
netsh wlan show interfaces
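An added example (not from the original article): a shell function that grades the SECURITY value from the nmcli scan above against the lineup in this article. The scan lines are constructed, and the mode strings (WEP, WPA1, WPA2, WPA3, OWE, 802.1X) are assumed to match what your nmcli version prints.

```shell
#!/bin/sh
# Grade Wi-Fi security modes as reported by:
#   nmcli -t -f SECURITY,SSID dev wifi list
# SECURITY is requested first so the first ':' always ends the mode string,
# even when the SSID itself contains colons.

# grade_mode SECURITY -> prints a verdict following the article's lineup.
grade_mode() {
    case "$1" in
        ""|--)         echo "OPEN: no encryption" ;;
        *WEP*)         echo "BROKEN: WEP, replace the router" ;;
        *WPA1*)        echo "WEAK: WPA/TKIP still enabled" ;;
        *WPA2*WPA3*)   echo "MIXED: WPA2/WPA3 transition mode" ;;
        *WPA3*)        echo "GOOD: WPA3" ;;
        *WPA2*802.1X*) echo "OK: WPA2-Enterprise" ;;
        *WPA2*)        echo "OK: WPA2-Personal, needs a strong password" ;;
        OWE*)          echo "GOOD: Enhanced Open (OWE)" ;;
        *)             echo "UNKNOWN: $1" ;;
    esac
}

# audit_scan: read "SECURITY:SSID" lines on stdin, print verdict and SSID.
audit_scan() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-45s %s\n' "$(grade_mode "${line%%:*}")" "${line#*:}"
    done
}

# Constructed sample scan (not real networks), in nmcli terse format.
sample_scan() {
    cat <<'EOF'
WPA3:home-new
WPA2 WPA3:home-mixed
WPA2:neighbour
WPA1 WPA2:old-router
WEP:museum-piece
:coffee-shop
WPA2 802.1X:corp
EOF
}

# Offline demo; on a live system pipe the nmcli command above into audit_scan.
sample_scan | audit_scan
```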

What to learn next

Channels, frequencies, and roaming — the radio physics of Wi-Fi performance. Up next.
