While I still see some open WiFi access points in the wild from time to time, most people use WPA2 authentication to connect securely to their own WiFi router or to public ones, instead of WEP, which was found to be insecure many years ago.
WPA2 is not quite as secure as it once was, as WPA2-PSK was cracked last year. It’s not that bad, as an attack may still take several days against a strong password and requires a large password file to work. Still, a new revision was needed, and the Wi-Fi Alliance has just introduced Wi-Fi WPA3 security.
WPA2-Personal Pre-shared Key (PSK) is replaced with Simultaneous Authentication of Equals (SAE), which is said to be resistant to offline dictionary attacks where an adversary tries possible passwords without further network interaction. WPA3-Personal/SAE enables:
- Natural password selection – Allows users to choose passwords that are easier to remember
- Ease of use – Delivers enhanced protections with no change to the way users connect to a network
- Forward secrecy – Protects data traffic even if a password is compromised after the data was transmitted
I’m not sure whether that means “password” and “12345678” will now be suitable WiFi passwords with WPA3, but at least the typical weaker password will be suitable since SAE then relies on strong passwords. You can find more details in the Private SAE patent.
WPA3-Enterprise offers 192-bit minimum-strength security protocols and cryptographic tools. Some of the key features include:
- Authenticated encryption – 256-bit Galois/Counter Mode Protocol (GCMP-256)
- Key derivation and confirmation – 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384)
- Key establishment and authentication – Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve
- Robust management frame protection – 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)
WPA2 is not dead just yet, as it continues to be mandatory for all Wi-Fi CERTIFIED devices, and only later, as WPA3 market adoption grows, will Wi-Fi CERTIFIED WPA3 become mandatory. WPA3 is also backward compatible with WPA2 devices through a transitional mode of operation. All of this means it may take several years before WPA3 becomes commonplace.
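An added example, not from the original article or the Wi-Fi Alliance: a small Python audit that classifies an access point configuration against the WPA3-Personal, transition and WPA3-Enterprise 192-bit modes described above. It assumes hostapd-style `key=value` options (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `group_mgmt_cipher`, `ieee80211w`), which the article does not mention; the sample configurations are constructed.

```python
def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (mode, findings) for one access point configuration."""
    conf = parse_conf(text)
    if conf.get("wpa", "0") == "0":
        return "no WPA", ["WPA/RSN is not enabled"]
    akms = set(conf.get("wpa_key_mgmt", "").split())
    mfp = conf.get("ieee80211w", "0")  # 0 = off, 1 = optional, 2 = required
    findings = []
    if "WPA-EAP-SUITE-B-192" in akms:
        mode = "WPA3-Enterprise 192-bit"
        if conf.get("rsn_pairwise", "").split() != ["GCMP-256"]:
            findings.append("rsn_pairwise should be GCMP-256 only")
        if conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("group_mgmt_cipher should be BIP-GMAC-256")
    elif akms == {"SAE"}:
        mode = "WPA3-Personal"
    elif {"SAE", "WPA-PSK"} <= akms:
        mode = "WPA3-Personal transition"
        findings.append("WPA-PSK still accepted: WPA2 handshakes stay "
                        "exposed to offline dictionary attacks")
    else:
        mode = "WPA2-Personal" if "WPA-PSK" in akms else "other"
        findings.append("SAE not enabled")
    # WPA3-only modes require protected management frames; transition
    # mode keeps them optional so WPA2 clients can still associate.
    if mode.startswith("WPA3") and not mode.endswith("transition") and mfp != "2":
        findings.append("ieee80211w must be 2 (management frame protection required)")
    elif mode.endswith("transition") and mfp == "0":
        findings.append("ieee80211w should be 1 so WPA3 clients get protected management frames")
    return mode, findings

# Constructed sample configurations (not taken from any real device).
TRANSITION = "ssid=example-net\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\nieee80211w=1\n"
SUITE_B = ("ssid=example-corp\nwpa=2\nwpa_key_mgmt=WPA-EAP-SUITE-B-192\n"
           "rsn_pairwise=GCMP-256\ngroup_mgmt_cipher=BIP-GMAC-256\nieee80211w=1\n")

if __name__ == "__main__":
    for name, sample in (("transition", TRANSITION), ("suite-b", SUITE_B)):
        print(name, audit(sample))
```
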
The Wi-Fi Alliance also introduced Wi-Fi Easy Connect, which aims to simplify on-boarding of Wi-Fi devices with limited or no display interface, such as IoT or automation devices. Right now, in most cases, such devices start in access point mode to let you configure your WiFi router credentials (ESSID and password) in a web interface or mobile app, before switching to client mode. Wi-Fi Easy Connect instead relies on a device with a display, such as a smartphone, using a quick response (QR) code for faster and simpler configuration.
Further information, including the WPA3 Technology Overview and WPA3 Specification v1.0, can be found on the Wi-Fi Alliance’s security page.