• ARTICLES
SEARCH

How-To Geek

Don’t Have a False Sense of Security: 5 Insecure Ways to Secure Your Wi-Fi

rusty-broken-lock

You’ve got WEP encryption enabled, your network’s SSID is hidden, and you’ve enabled MAC address filtering so no one else can connect. Your Wi-Fi network is secure, right? Not really.

Good Wi-Fi security is simple: Enable WPA (ideally WPA2) and set a strong password. Other common tricks for increasing a Wi-Fi network’s security can easily be bypassed. They may deter more casual users, but a strong WPA2 password will deter everyone.

Image Credit: Nick Carter on Flickr

WEP Encryption

There are several different types of wireless network encryption, including WEP, WPA, and WPA2. Routers being sold today still ship with option to use WEP encryption – this may be necessary if you have very old devices that can’t use WPA.

WEP can be cracked very easily. WEP prevents people from directly connecting to the network, so it’s superior to using an open Wi-Fi network. However, anyone that wants access to your network can easily crack the WEP encryption and determine your network’s password.

Instead of using WEP, ensure you’re using WPA2. If you have old devices that only work with WEP and not WPA – such as the original Xbox or Nintendo DS – they’re probably due for an upgrade.

Hidden SSID

Many routers allow you to hide your wireless network’s SSID. However, wireless network names were never designed to be hidden. If you hide your SSID and connect to it manually, your computer will constantly be broadcasting the network’s name and looking for it. Even when you’re on the other side of your country, your laptop will have no idea if your network is nearby and it will continue trying to find it. These broadcasts will allow people nearby to determine your network’s SSID.

Tools for monitoring the wireless traffic in the air can easily detect “hidden” SSID names. SSID names aren’t passwords; they just tell your computers and other devices when they’re in range of your wireless network. Rely on a strong encryption instead of a hidden SSID.

We’ve busted this myth in the past. For more, read: Debunking Myths: Is Hiding Your Wireless SSID Really More Secure?

MAC Address Filtering

Every network interface has a unique ID known as a “Media Access Control address,” or MAC address. Your laptop, smartphone, tablet, game console – everything that supports Wi-Fi has its own MAC address. Your router probably displays a list of the MAC addresses connected and allows you to restrict access to your network by MAC address. You could connect all your devices to the network, enable MAC address filtering, and only allow the connected MAC addresses access.

However, this solution isn’t a silver bullet. People within range of your network can sniff your Wi-Fi traffic and view the MAC addresses of the computers connecting. They can then easily change their computer’s MAC address to an allowed MAC address and connect to your network – assuming they know its password.

MAC address filtering can provide some security benefits by making it more of a hassle to connect, but you shouldn’t rely on this alone. It also increases the hassles you’ll experience if you have guests over who want to use your wireless network. Strong WPA2 encryption is still your best bet.

image

Static IP Addressing

Another questionable security tip making the rounds is using static IP addresses. By default, routers provide an integrated DHCP server. When you connect a computer or any other device to your wireless network, the device asks the router for an IP address and the router’s DHCP server gives them one.

You could also disable the router’s DHCP server. Any device connecting to your wireless network wouldn’t automatically receive an IP address. You’d have to enter an IP address by hand on each device to use the network.

image

There’s no point in doing this. If someone can connect to the wireless network, it’s trivial for them to set a static IP address on their computer. In addition to being extremely ineffective, this will make connecting devices to the network more of a hassle.

Weak Passwords

Weak passwords are always a problem when it comes to computer security. If you’re using WPA2 encryption for your Wi-Fi network, you may think you’re safe – but you may not be.

If you’re using a weak password for your WPA2 encryption, it can easily be cracked. Passwords like “password”, “letmein” or “abc123” are just as bad as using WEP encryption – if not worse.

Don’t use the minimum password length of 8 characters. Something between 15 to 20 characters should probably be good, but you can go all the way up to 63 characters if you like. You can also create a longer password by using a “passphrase,” or password phrase – a sequence of words, like a sentence.


Assuming you’re using WPA2 with a strong password, you’re all set. You don’t have to put up with the hassle of hidden SSIDs, MAC address filtering, and static IP addresses to secure your network.

For more a more in-depth guide to securing your wireless network, read: How To Secure Your Wi-Fi Network Against Intrusion

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 01/2/13

Comments (27)

  1. Okay Dokay

    I already use a 25-character pass phrase for my WiFi and it’s total nonsense at that (no dictionary words). So you’d think my network is secure. But I also use the MAC address filter technique too. That way, if someone actually does crack my network’s password (pass phrase) then there’s still that other hurdle to get past.

    But really. The best defense is to just turn off the WiFi if you don’t really need/use it. If you can wire all your devices to an Ethernet port then your only invasion point will be from the Internet itself. And that’s plenty good reason to keep those firewalls up and system/AV updates always coming in. Because quite frankly, WiFi is the least of your problems if you don’t keep up with the regular maintenance!

  2. thegeekkid

    Good tips. One thing to remember is that some routers give an option for encryption algorithm along with the WPA2. (It would be AES or TKIP.) Always be sure to use AES and not TKIP or AKS and TKIP, because TKIP is basically just WPA encryption.

    Also, there is another good way to help secure your WiFi: subnet masks.

    The key is not to have more addresses available than you actually need. Lets say you only own two devices… set your subnet mask to 255.255.255.252. This way your network is only big enough for two devices. This is when you turn off your DHCP server… when your network is different than what the cracker (not hacker… there is a big difference… I am a hacker… not a cracker) tries to connect A. if there are two devices connected, he/she needs to force one of them off in order to use the network, and B. they will have to try and figure out your network settings. You can also use an obscure subnet such as 192.168.5.X 172.16.12.X (don’t use the whole 255.255.0.0 subnet mask… mix it up a little), 10.25.19.X, (again, the smaller the subnet mask, the better). The smaller the subnet mask you use, the harder it is for someone to figure it out. Also, change your default gateway from the default to something in the middle of your subnet. Could someone get past these if they wanted to using wireshark and a decent NIC? Absolutely! Is it a whole lot harder than figuring out MAC addressing filters? Without a doubt.

    (Also, if you have a RADIUS server sitting in your basement like I do, turn on WPA2 Enterprise… that will really mess with your next door script kiddie… ask me how I know!) ;)

  3. thegeekkid is a nerd.

    ^ wow, you sound like a tool.

    I’M A HACKER, NOT A CRACKER!!11111 Shh. All you are is an embarrassment.

  4. Jingles

    I hardly ever comment on these even though I read them virtually every day.

    I must point out that WPA2 has a large security flaw that can easily be abused no matter how good the password. There are already well known exploits for this.

    I am not a hacker ethical or otherwise. I do work as a LVL 3 Server engineer and any statements that I make are of my own and do not reflect that of the company I work for.

    I am however concerned about security and stay current with the available news on this from multiple different sources.

    Now for top security just don’t use wireless connection as none of them are secure. If you choose to use it turn it off when you are done. If turning off the wireless network does not work for you active monitoring is the only other option that you have as at least you can see when people are attacking your network and can choose to unplug or turn off the wireless network at that point.

    Also know that most people don’t know how or care to know how to access your network. For those that do, even a script kiddie can bypass your security.

    And for the love of all things wrong in IT change the username and password on the router if you do any thing more than leaving the network completely open…

  5. Elizabeth Woodhall

    Hi, thank you for the information. I have a wired router and a wireless router. I would love to use the wired router for work, (I work from home), and my personal computers and just use the wireless router occasionally when I use my laptop, tablet or ereader. I don’t know much about networking so at the moment I am just using the wireless access, could you give me information on how to hook the wireless router to the wired router? Both routers are D-Link. I have looked at several books but they all just deal with one or the other type of router.
    Thank you
    Elizabeth

  6. Peter

    Jingles, which security flaw are you referring to? I often see people mention how WPA2 is flawed and broken, but few people actually mention what security flaw they are referring to. The only flaw I can think of WPA2 currently is the WPS problem. If WPS is disabled on the router it doesn’t present a risk though.

  7. Jingles

    Peter that is a known flaw no matter the security setting you use. As I do not know in depth the information How To Geek would like to mention on here I will avoid an in depth explanation and say.

    A quick search for “WPA2 Reaver” will show a well known exploit that is so simple my grandmother could operate.

  8. Jingles

    Elizabeth,

    I dont think this is the best place to get an answer and would preffer to give you my email to resolve that issue as quickly and easily as I could. As that is an egregious thing to do i wont.

    I would recommend taking this question to the forums or contacting your ISP (internet service provider). As both of those have befits and risks I can not really recommend one over another.

    What I can say is that most routers are fairly alike and you should be able to run a cat5/ cat6 (Looks like a large phone cord) from the router to your computer. This will add no more security but as this fulfills your question it will work.

    Further you said you work from home, as I do not know if you are a small organization or are part of a large company securing your traffic over the internet should be a much larger concern. And my advice for you if you can is consult the IT department at your company on how to do this.

  9. thegeekkid

    @Jingles:
    The Reaver exploit is specifically geared towards WPS… if WPS is turned off, then Reaver will not work. You could try rainbow tables, word lists, etc. even brute force, but the best security you can have is to use a strong password.

    @Elizabeth:
    It’s actually pretty easy. There should be a single port labeled WAN or Internet on both routers, and a few ports grouped together (normally with a number above them). Those few ports are switching ports. I would set up your wired router connected to your modem, and your wireless to your wired. Plug the modem into the WAN or Internet port on the wired router, and then run a cat5 between the switching ports on the wired router, and switching ports on your wireless router. Then configure the wireless router so that the DHCP server (or automatic addressing as some call it) is turned off. These articles might help you:
    http://www.instructables.com/id/How-your-home-network-works/
    http://www.instructables.com/id/How-to-troubleshoot-your-home-network/

    @whoever thinks I’m a nerd:
    I stand by what I wrote 100%, although I did forget to mention to turn off the WPS, however Peter has already mentioned that. Please read RFC 1983 in terms of hacker and cracker before you make yourself look like a fool, because right now all you look like is a troll and a complete idiot.

  10. andycidau

    Just so you guys know, this article mostly contradicts the article you linked to at the bottom here ‘for a more in-depth guide to securing your network’… would be very confusing for someone who wants this information but doesn’t quite fully understand wifi security

  11. Jingles

    Agreed, andycidau, but that is to say there is a flaw in the original article.

    The article offers valid points and is easy to fallow. That is why I commonly use it as a knowledge base for those around me.

    That said saying that WPA2 is any more secure is a gross overstatement of terms.

  12. thegeekkid

    For some reason when I post this full comment, it isn’t appearing, so I will post it in sections:

    @Jingles:
    The last time I checked, the reaver exploit was for WPS… if that is turned off, then the reaver exploit wouldn’t work. There is always an exploit for everything, most of them are pretty easy if you can find them. And let’s face it, once they break down the front door, do any of us think that the “No Trespassing” sign is going to stop them? All you can really do is have a good strong password, use the latest encryption algorithms, install updates, and change your password all the time. There are things you can do to slow them down, but there will always be someone someplace that can get past it.

  13. thegeekkid

    Evidently the rest of my comment is awaiting moderation… sorry about all the extra posts.

  14. Peter

    @Jingles, I believe that thegeekkid is correct about WPS. If WPS is turned off on the router, then it can’t be exploited at all. Also, there are several different ways to implement WPS and only a few of them are insecure. Unfortunately, they are also the easiest ways to implement WPS so most router manufacturers were unfortunately vulnerable.

    With WPS disabled, the only (publicly) known way to break into a WPA2 network is by brute forcing the key. With a sufficiently long/complex enough key it’s not going to be brute forced easily even using some of the cloud computing cracking techniques that have been in the news the last few months.

  15. Jingles

    I am not trying to go into this to deeply but i can if need be. Though I feel there are better places for it and would love to engage the topic there. And I was referencing Reaver a jump off point for those who choose to learn more can

    That said strong passwords for both the wireless connection and on the router and a bit of monitoring the activity on your network are best for a large amount of readers.

  16. thegeekkid

    +1@Jingles’ last comment. I was a little confused about why you were posting about Reaver… thanks for clearing that up. My last job involved quite a bit of “ethical” hacking. Granted, I haven’t done much in the last year with it, but you can’t tell me it’s changed that much in the last year. ;)

  17. Out_Cold

    I have pen-tested numerous routers with WPS and have found that passphrases typically appear within 30 seconds to 24 hours tops. Most ISP provided wifi/router combos come with pre-defined generic WPS pins putting them in the #1 category of garbage to own.

    Something not mentioned in the article is third party firmware. Typically you cannot shut off WPS on a lot of routers but 3rd party firmware can make this easier.

    Disabling wifi is a great solution but very crippling. The bottom line is one should plan out their security. If a script kiddie bypasses the WPS in 1hr and then there is no further security in place, they would be a lot more inclined to continue their attack. Now if you had disabled WPS, filtered MACs, limited subnets, obscure IP ranges, Intusion Detection, proxies and so on, the only ones that will be interested in continuing the attacks are the ones who are determined and gifted.

    I wouldn’t sweat your network security that much, if there is a will, there is a way. Short of going offline, there is not much you can do to stop the determined. There are more security steps to take on individual computers that are out of the scope of this topic.

  18. Out_Cold

    Forgot to mention, that with those extra security steps, you could easily increase an attack length from 30 seconds to 3 months or possibly longer. Mind you, with a few good CUDA GPUs, you would be back down to a matter of days, even with a 25 character passphrase.

  19. thegeekkid

    +1@Out_Cold!!!! I couldn’t have said it better myself!!! :)

    One other thing too that I just thought about with the third party firmware (such as DD-WRT; which is what I use), you can limit the power that you AP emits. If you limit the power so it only works in your house and not anywhere outside of your house, you severely limit the script kiddies and some war drivers. (There are ways even around this… I have a wireless NIC that can pick up networks from a pretty decent distance… but at that point you are limiting them by what hardware they have… not their skills.)

  20. Snap

    I agree with many of you above, 1) if a determined hacker want to hack you, you can not stop him, unless you unplug your host, and bury it in a led container somewhere. 2) all you can do is slow the determined ones down, and monitor your network. 3) you can prevent your network being an easy target, and most people will leave you alone, unless you are wide open. 4) turning off wifi is not practical for people with phones, tabs etc, but what you can do is to segregate the wireless network. we have a separate isp that we use for wifi, and another for LAN.. separate firewalls, separate networks.

  21. ak6989

    I never in my life could understand the need for hackers, or the need of hacking, after all every one of those makes a very good programmer in his/her own right and is capable of producing excellent programs for sale or to give away, programs that would/will enrich the humanity and make the living a little bit more bearable for all. Than why hack??? and make other peoples life miserable???

  22. jake

    Just adding my $0.02 (US) to the mix..

    Expanding on something thegeekkid said: A friend of mine was unable to use his wwi-fi in his own apartment because the sheetrock in the walls embedded with wire mesh, a bit finer than chicken fence. This gives rise to an idea for keeping your signals mostly in-house: If you are building or remodeling, put some wire-mesh embedded sheetrock on all walls that enclose the house but not on internal walls. You have wire screens on the windows anyway, right?

    Just curious: Would that keep the signal in-house as I suggested?

    A cartoon in Omni magazine from the ’80s pictures a white van parked opposite a house. The caption is something like: “Hello, Marco’s? When you deliver those 4 pies to 555 Elm Street, could you also bring an anchovie pie to white van across the street?”

  23. Regular user

    I wish some people stopped being pompous talking about some mysterious flaw in wpa2 protocol.As far as i am concerned Reaver is is useless for breaking WPS-you can easily turn it off or even if it’s on i believe most of the manufactures have implemented additional security feature which stops you from trying more than 5 pins an hour!Prove me wrong but the only way of cracking a WPA2 password I am aware of is brute-force.Can someone estimate how much time would be needed to crack 8 symbol alpha-numeric passwords that come pre-set with the routers supplied by the ISPs in my area even with a CUDA-enabled GPU?(6 months , more?)I believe that will deter 99.99% of average hackers or crackers or “your next door script kiddie” who do that just for fun.By the way ISP provided routers used to come with pre-set hexadecimal WPA2 passwords which can could be easily cracked within 10 hours using GPU acceleration-that’s a different story.So in my opinion with WPA2 everything boils down to using a decent password.Try using upper-case,lower-case letters,numbers and even throw in some special characters and you will be OK.

  24. Ian

    Sounds like a Nightmare on Elm Street !
    :)

  25. thegeekkid

    @ak6989, a few reasons. 1. The ones that are actually programmers (and not script kiddies) are sometimes looking for a challenge that programming doesn’t give them. 2. They got ticked off by somebody or a program or something like that, and they are looking to get back. (Look out Mac… not too many geeks like you, and it is becoming more and more profitable to hack you!!!) 3. The script kiddies know very little about programming, and can make more money by making a slight change to someone else’s script to fool people into doing something, or a DDOS attack, or something to the sort. In one way or another, except in the instance of someone looking for a challenge (and even sometimes then), it links back to “How can they make more money?”.

    @Regular user:
    It’s not a mysterious flaw in the WPA2 encryption, rather in WPS. If you turn off WPS, then you take out that threat. WPA2 can however, be used with a brute force attack, rainbow table attack, etc.

  26. Regular user

    @thegeekkid

    Yes mate,you can use brute-force against WPA2 but cracking a decent password(that is not only numbers or a dictionary word)would take forever even if you use GPU acceleration.I also believe that rainbow table attack is useless against WPA2 since the SSID of the router is used as salt during the hashing process.Believe me I’ve done a good research on the matter and I’ve found that it is very difficult and sometimes impracticable(you might need years to brute-force a strong password!)to crack WPA2.That’s why a get annoyed when people start talking how vulnerable WPA2 is!

  27. thegeekkid is a nerd.

    You’re still a nerd.

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!