WPA security explained: what is Wi-Fi Protected Access?

June 29, 2020 | Kim Crawley

This blog was written by an independent guest blogger.

An overview of Wi-Fi security standards

WiFi signals can be put into two different categories, unencrypted and encrypted.

Unencrypted WiFi, sometimes known as open WiFi, can be connected to without a password. Anyone with a phone, tablet, PC, video game system, or Internet of Things device within range of the open WiFi signal can use it as long as there aren’t more devices connected to the wireless access point than it can handle. But the data being sent to and from your device through the open WiFi signal is unencrypted. That means a cyber attacker can intercept your internet traffic and put your data and device at risk! Maybe you’re not doing your online banking or shopping, but an attacker could still connect to your device and do considerable harm. The risk can be mitigated if you use a VPN, which provides its own encryption. I would strongly recommend using a VPN when you use open WiFi, no matter what you’re doing.

Then there’s encrypted WiFi. Encrypted WiFi turns all the data you upload and download into scrambled code that’s useless to a cyber attacker unless they crack the code or have a decryption key. As of 2020, there have been four technology standards for encrypted WiFi used so far: WEP, WPA, WPA2, and WPA3. You will need a password in order to use an encrypted WiFi signal no matter which standard you use. But the newer a standard is, the better it is for your security. Let’s quickly run through the older standards until I get to the latest standard, WPA3.

Reviewing WEP and older standards

WEP stands for Wired Equivalent Privacy. It’s the oldest wireless encryption standard, and it debuted in 1997-1999, becoming commonly used by the early 2000s. Maybe WEP gave you “wired equivalent privacy” back in the day. But password cracking applications have improved a lot since then, as has the computer processing speed in devices that can be used to crack WEP. There are also easy exploits that can be used to acquire WEP keys without having to crack the encryption directly. Actually, I could run an app on my phone that could probably crack any WEP encryption within minutes. Don’t use WEP; it hasn’t been secure for over a decade now!

A couple of years after WEP debuted, there were already concerns about how weak the standard was. So the WiFi Protected Access standard was developed, or WPA for short. The main weakness of WPA was that it was designed to use some of the same vulnerable technologies that WEP used. But that’s because WPA was designed so that devices that were made to use WEP could use the more secure WPA with a software update. To encourage adoption, WPA was a compromise that improved upon WEP without people needing to buy new routers and computer components. So it was still worth implementing.

WPA2 was launched in 2004. People and businesses with WEP devices would need to buy new WPA2-capable devices in order to use the improved encryption standard. Finally there was wireless encryption that lacked all of WEP’s major weaknesses. But WPS (WiFi Protected Setup) is a part of WPA2 technology that was made to make using WiFi easier with certain devices. Without getting into too much technical jargon, cyber attackers found a way to bypass WPA2 encryption through WPS. If WPA2 is the most recent standard your devices can use, you should definitely choose it. WPA2 is much more secure than unencrypted WiFi or WEP. 

What is WPA3 and what are the benefits for enterprises?

So it took fourteen years after the debut of WPA2 for its successor to arrive. But by 2018, WPA3 was announced. There were exploits against WPA2 like KRACK that won’t work against WPA3. In general, WPA3 has both stronger encryption and stronger implementation. If you bought a brand new router, phone, or other such WiFi device, there’s a chance that WPA3 is something you can use. Remember though that both the access point (router) and the device you’re using on the internet need to be able to support WPA3 in order for it to work. As of 2020, most of the internet devices we’re using don’t support WPA3 yet. My advice for enterprises is to use WPA3 if possible. For home users, WPA2 is preferable to WEP.
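To check which of these standards the networks around you actually offer, the ranking above can be applied to a Wi-Fi scan. The following is an added example, not part of the original post: it assumes the terse `SSID:SECURITY` output of `nmcli -t -f SSID,SECURITY device wifi list`, uses a constructed sample scan, and treats a mixed-mode network (one that advertises both WPA and WPA2) as only as strong as the oldest standard it accepts, which is an assumption of this example.

```python
# Ranking follows the article: open < WEP < WPA < WPA2 < WPA3.
RANK = ["OPEN", "WEP", "WPA", "WPA2", "WPA3"]
ADVICE = {
    "OPEN": "unencrypted: use a VPN for anything sent over it",
    "WEP": "do not use: WEP has not been secure for over a decade",
    "WPA": "legacy compromise standard: move to WPA2 or WPA3",
    "WPA2": "use when WPA3 is not supported by both ends",
    "WPA3": "preferred",
}
# nmcli SECURITY tokens mapped to the article's names (802.1X etc. are ignored).
TOKENS = {"WEP": "WEP", "WPA1": "WPA", "WPA2": "WPA2", "WPA3": "WPA3"}

# Constructed sample scan in the assumed terse format; a literal ':' or '\'
# inside a value is escaped with a backslash, and open networks have no value.
SAMPLE_SCAN = r"""Lab:WPA3
Office:WPA2 802.1X
CoffeeShop:
Home\:2G:WPA1 WPA2
OldPrinter:WEP
"""

def split_terse(line):
    """Split one terse line on unescaped ':' and undo backslash escaping."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # keep the escaped character as-is
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return fields + ["".join(cur)]

def weakest_mode(security):
    """Weakest standard the network accepts (mixed mode counts as the older one)."""
    tokens = security.replace("--", "").split()
    if not tokens:
        return "OPEN"
    modes = [TOKENS[t] for t in tokens if t in TOKENS]
    return min(modes, key=RANK.index) if modes else "UNKNOWN"

def audit(scan_text):
    """Return (ssid, weakest mode, advice) for each network, weakest first."""
    rows = []
    for line in filter(str.strip, scan_text.splitlines()):
        ssid, security = (split_terse(line) + [""])[:2]
        mode = weakest_mode(security)
        rows.append((ssid, mode, ADVICE.get(mode, "unrecognised: check manually")))
    return sorted(rows, key=lambda r: RANK.index(r[1]) if r[1] in RANK else -1)
```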

Eventually cyber attackers will find ways to crack or bypass WPA3 encryption. It’s inevitable. All encryption standards become insecure at some point in time. Another concern is that quantum computers and quantum computer network technology will be a real thing that enterprises and governments will be using in only a few years. Quantum computers will be able to crack all of the encryption we use right now very quickly and easily, including wireless encryption. Tech companies and government agencies are already developing “quantum-safe” encryption technology that’ll be ready for the quantum computing world we’ll have very soon. But you should know that WPA3 isn’t “quantum-safe.” Hopefully WPA3 will be followed with a “quantum-safe” wireless encryption standard very soon. We can’t afford to have fourteen years between wireless encryption standards anymore, like there was between WPA2 and WPA3!


About the Author: Kim Crawley, Guest Blogger

Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
