Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

What is WPA2?

Better known as “the thing that secures your home Wi-Fi”, WPA2 (Wi-Fi Protected Access II) is a security standard that uses a shared password to allow devices to connect to a wireless network.

WPA2 was launched in 2004 to replace the older WPA standard, itself a replacement for the highly insecure WEP standard. It encrypts the data sent between your device and your router, so that it can’t be intercepted by someone near you.

The wireless access point (often built into consumer routers) advertises its wireless network’s name, known as its SSID (Service Set Identifier). This allows other networked devices to see and connect to it. If the access point uses WPA2, the client device will be prompted for security credentials: it’ll have to provide a password that the router’s administrator has previously given to its user.

A modern WPA2 deployment will use the CCMP security protocol with AES encryption. Your Wi-Fi password itself is not the AES encryption key, but is used at the beginning of the authentication process that allows the hardware devices to exchange keys.
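As an added illustration (not code from the original article), this Python sketch shows how a WPA2-Personal password becomes a 256-bit pre-shared key, and how that key plus fresh per-connection values yields the AES key CCMP actually uses. It goes slightly beyond the text by deriving the session keys as well; the SSIDs, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ccmp_session_keys(psk, ap_mac, sta_mac, anonce, snonce) -> dict:
    """Split the 384-bit pairwise key into its three 128-bit parts."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(psk, b"Pairwise key expansion", data, 48)
    return {
        "kck": ptk[:16],    # authenticates the handshake messages
        "kek": ptk[16:32],  # wraps the group key sent by the access point
        "tk": ptk[32:48],   # the AES key CCMP encrypts traffic with
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    psk = wpa2_psk("password", "IEEE")
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    first = ccmp_session_keys(psk, ap, sta, bytes(range(32)), bytes(range(32, 64)))
    second = ccmp_session_keys(psk, ap, sta, bytes(range(64, 96)), bytes(range(96, 128)))
    print("PSK         :", psk.hex())
    print("Session 1 TK:", first["tk"].hex())
    print("Session 2 TK:", second["tk"].hex())
    # Same password on another SSID gives an unrelated PSK (SSID is the salt).
    print("Other SSID  :", wpa2_psk("password", "HomeNet").hex())
```

The same password and network name always produce the same pre-shared key, so a weak password on a common SSID is the part worth strengthening; the traffic key changes on every connection because the nonces do.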

There are many acronyms and initialisms that go with WPA2, most of which you can safely ignore, as long as you make sure you select the WPA2 security option marked either AES or CCMP.

WPA2-PSK, in which the PSK bit stands for Pre-Shared Key. Also known as WPA2-Personal, this is the version of the standard that doesn’t have a separate server to authenticate devices. Home and small business wireless routers and access points use this.

AES stands for Advanced Encryption Standard. AES is used by WPA2’s standard CCMP (which is eventually short for Counter Mode Cipher Block Chaining Message Authentication Code Protocol). AES is a form of strong symmetric encryption used in everything from the HTTPS standard that encrypts web traffic to your password manager. This is the one you want to be using on your home WPA2 router.

TKIP is the deprecated Temporal Key Integrity Protocol. This now-outdated standard allowed wireless access points and their connected clients to generate new encryption keys for every packet sent, making it much harder for network traffic to be decrypted by someone sniffing it from outside. The WPA-TKIP standard was backwards compatible with WEP, but much stronger than WEP’s unchanging key authentication system. It has subsequently fallen to attacks and should no longer be used. Many modern devices don’t support it at all.

WPA2’s successor, WPA3, was introduced in 2018 and can be found on some recent Wi-Fi devices, such as the Netgear Orbi RBKE963 Wi-Fi 6E Mesh System. WPA3 replaces the pre-shared key exchange with a stronger password-based key agreement system called Simultaneous Authentication of Equals (SAE).

All WPA3 routers are backwards-compatible with WPA2 devices, so you won’t need to worry about unsupported kit unless you’re a particularly unusual edge case. Upgrade to WPA3 when you can, but know that it’s very rare to find on mainstream consumer networking hardware. Until then, here are some tips to help you keep your WPA2 setup secure.

WPA2 security tips

Make sure your router supports at least WPA2-AES. If you’re still using incredibly old hardware that uses the WPA2-TKIP standard, switch over to AES immediately and upgrade your networking hardware to do so if you have to.

Use a Wi-Fi password. Please don’t leave your main network open and unprotected for anyone to wander onto. It’s both a security risk and a legal one, as you’re potentially liable for what anyone else does using your local network.

Make your Wi-Fi password a good one. No one wants to enter a 32-character string of random letters and numbers on tiny touchscreens or dial controls, but you don’t want your password to be trivially easy to guess. A three- or four-word Diceware password would be a good choice here.

Change your password when you need to. If everyone in your neighbourhood has your Wi-Fi password, it’s time to change it, but don’t forget to update all the devices you need to keep connected to your Wi-Fi at home.

Create a Guest Wi-Fi network if your router supports it. This is a separate Wi-Fi network for visitors. They generally won’t have access to the local network, so your shared files and devices stay private, but will be able to get online. Give it a decent password, but because it doesn’t have access to the local network, you don’t need to worry about it quite so much.

Make sure your wireless router and access points’ admin interfaces have strong passwords. If someone unauthorised gets onto your network, whether via Wi-Fi or by plugging in, you definitely don’t want them reconfiguring your firewall because you left the default password as “admin”.

Wi-Fi is convenient, but if everything in your home uses it, you’ll never want to change the password, even when you need to. Use wired Ethernet when you can – it’s faster than Wi-Fi, too. Buy a little network switch if you need extra ports. I use a Netgear ProSafe GS108 to make sure my sitting room has all the Gigabit Ethernet ports it needs.
