How to secure your Wi Fi at home and in your business

WiFi Security Types for Wireless Network Security

I get a few questions about WiFi security types so I thought that I would take the opportunity to explain some fundamentals. The truth is, wireless communication isn’t very complicated. But wireless security is –and it relies heavily on encryption to help keep the bad guys out. Encryption is not the only method of wireless security. But it is the most important. Without it, your network is exposed to anyone within range of it.

Some people stack their security methods in a way that makes hacking a real chore for the attacker. For example, in addition to using strong WiFi security, you might also setup a MAC filter to prevent unauthorized devices from connecting to your network in the first place. Even that is not bulletproof. It’s simply another hoop that the hacker will have to navigate. But in the long run, strong WiFi security will do the most good.

What are the various WiFi security types?

WiFi security works by encoding wireless communication so that only authorized devices can communicate with the broadcasting device. This encoding process requires three primary things: (1) a way to encode the transmission, (2) a way to decode it and, (3) devices capable of handling the transmission.

The encoding process uses a special algorithm to scramble the data. This is known as ciphertext. An encryption key determines how the ciphertext is encoded.

Different WiFi security types use different security encryption protocols.

WiFi Security Encryption

The length of the key is made up of bits, such as 64-Bit, 128-Bit, 256-Bit. A bit is a single numeric value, either ‘1’ or ‘0’, that encodes a single unit of information. More bits mean more ciphertext and greater complexity.

Is 256 bit encryption better than 128 bit?

The short answer is, yes. It is more difficult to crack (more like impossible to crack). Historically, the higher the encryption, the more resources are needed to decrypt the message. So this begs the answer to an obvious question; Is 256 bit necessary and is 128 bit sufficient?

Well, if it takes 600 years to break the ciphertext of a 128 bit encrypted key, and it takes 100,000 years to break the ciphertext of a 256 bit key, is 256 bit really necessary? Not really. 128-Bit is sufficient. However, given today’s computing power, 256-Bit takes only slightly more resources.

How is the encryption decoded?

In order to decode encryption, the wireless device must know the encryption key, the security type and type of encryption used.

WiFi Security Types

  • WEP – Wireless Equivalent Privacy
  • WPA – Wi-Fi Protected Access
  • WPA2 Personal- Wi-Fi Protected Access II
  • WPA2 Enterprise

WEP was the first wireless network security method used. WEP is no longer safe as it can be easily cracked with minimal effort.

Currently, WPA2 Personal is generally the best network security type for home networks. It uses a 256 bit key and is virtually impossible to crack. One challenge is that older wireless devices do not support WPA2. This may require you to revert back to WPA for maximum compatibility. Basically, if your wireless router is broadcasting with WPA2 security, your wireless client must also use WPA2. It must also use the same method of encryption.

WPA2 Enterprise is more suited for businesses with experienced IT personnel. Here’s why: Unlike WPA2 Personal which uses one passphrase for everyone, with Enterprise mode, each person has his/her own account. In order to facilitate account management, Enterprise mode typically requires a separate server (known as a RADIUS Server). The RADIUS server handles WiFi authentication for each individual person. This makes it much easier to add and revoke WiFi privileges without having to change the password on every wireless device in the company.

What types of encryption is used for wireless network security?

TKIP (Temporal Key Integrity Protocol) utilizes a 64-Bit Message Integrity Code (MIC) to provide protection against hackers. AES stands for Advanced Encryption System, which utilizes a symmetric 128-Bit block data encryption.

AES offers better encryption and provides more security. TKIP provides good encryption and supports the broadest number of devices with better support for older machines.

WiFi Security Settings

Log into your router, then navigate to: Basic > Network

WiFi security types for wireless network security.

WiFi Security Options

Under ‘Wireless’, Choose the wireless security type, encryption type and enter a shared key.

What else should I know about wireless security?

Not everything is black and white. Some things require trial and error, even for experienced technicians. For example:

If you experience connectivity issues, try removing special characters from your wireless password. Try using only upper case letters, lower case letters, and numbers. For example:

Some encryption methods may not play nicely with other devices. This is particularly true with wireless bridges. For example, a WDS bridge can only work with WPA security. If you’re having difficulty setting up a wireless bridge, try temporarily removing all wireless security to determine whether nor not the problem is related to the actual bridge link, or the security type that you are trying to use.

Whenever possible, try to use AES encryption over TKIP. However, there may be instances such as when attempting to create a bridge using “repeater mode” that may not work well with AES. In such cases, you may have to try using TKIP on both devices.

What else can I do to secure my wireless network?

Once you’ve established some wireless network security, your next best approach to is to reduce the number of WiFi connections allowed. For example, use Wireless MAC address filters, and smaller DHCP address pools (instead of

254, you might use

109). Technically, these strategies are not true “security features” but they do enable the typical home network administrator to control the number of devices that connect without the overhead of running a RADIUS server and managing individual clients.

Other Posts in Home Network Security

Best VPN Routers

Looking for the most secure router for VPN service options? Look no further.


Wi-Fi Security Types


In this article, you’ll learn some of the basics of WiFi security. We’ll also share our recommendation on which type you should choose – eliminating the guesswork and helping you keep your network as secure as possible.

Wireless Security Types

There are several types of wireless security that you’ll come across– here’s a quick rundown on the details.

Wired Equivalent Privacy, aka WEP, is the grandfather of wireless security types, dating back to 1999 (an eternity in the world of technology!). When a client (like a laptop or iPad) connects to a WEP-protected network, the WEP key is added to some data to create an “initialization vector”, or “IV” for short. For example, a 128-bit hexadecimal key is comprised of 26 characters from the keyboard (totaling 104 bits) combined with a 24-bit IV. When a client connects to an AP, it sends a request to authenticate, which is met with a challenge reply from the AP. The client encrypts the challenge with the key, the AP decrypts it, and if the challenge it receives matches the original one it sent, the AP will authenticate the client.

This may sound secure, but there was room in this scheme for an exploit to be discovered. The risk presents itself when a client sends its request to the access point– the portion containing the IV is transmitted wirelessly in clear-text (not encrypted). In addition, the IV is simple compared to the key, and when there are several clients using the same WEP key on a network, IVs have an increased probability of repeating. In a busy environment, a malicious user wishing to gain access to a network utilizing WEP security can passively eavesdrop and quickly collect IVs. When enough IVs have been collected, the key becomes trivial to decrypt.

Clearly, WEP is not the correct choice for securing your network, and in light of this, other types of wireless security were created.

WiFI Protected Access (WPA) was ratified by the WiFi Alliance in 2003 as a response to the insecurities that were discovered in WEP. This new security standard, the Temporal Key Integrity Protocol (TKIP), included several enhancements over WEP, including a new message integrity check nicknamed “Michael.”

Читайте также:  How do I connect to WIFI on Windows 10 without cable

While Michael offered a great deal of improvement over the old way of securing networks, there was still some worry about some security issues with using a similar (though much stronger) implementation.

The concerns about Michael led to WPA2’s introduction in 2004. At the center of WPA2 is its use of a security protocol based on Advanced Encryption Standard (AES), the U.S. Government’s preferred choice of encryption. As it stands now, the only people who should still be using TKIP on a wireless network are those who are dealing with hardware that is rated for 802.11g only.

In 2007, a new security method – WiFi Protected Setup (WPS) – began to show up on wireless access points. With this type of security, a user is able to add new devices to their network by simply pushing a button (within administration software or physically on the router) and then typing in an 8-digit PIN number on the client device. The PIN feature acts as a sort of shortcut for entering in a longer WPA (WiFi Protected Access) key. The basic idea behind WPS is that having physical access to the AP to hit a button and reading a sticker would provide a more secure implementation of WiFi authentication. Everything was well and good in the WPS world, until last winter, when a security researcher discovered the Achilles Heel in the implementation. Here’s how it works:

The eighth and final digit of the PIN number is a checksum, which is used to make sure the 7 digits that matter don’t get corrupted. From these 7 digits, we can see that there are 10,000,000 possibilities (since each of the 7 digits can be 0-9, with repeats allowed). This is still a pretty huge amount of possibilities, and alone could arguably still be considered quite safe — but there’s a flaw in the checking process. When a PIN is being examined by the AP, the first 4 digits (10,000 possibilities) are checked separately from the last 3 digits (1,000 possibilities). This translates into a malicious user only needing to make at most 11,000 guesses, which a computer can handle in a matter of hours!

As you can see, if you are currently using WPS on an access point, you should disable the feature as soon as possible.

WiFi Security Best-Practices

  • Don’t use WEP, which is easy to crack
  • Don’t use WPA, unless legacy devices on your network require it
  • Don’t use WPS, which can easily be brute-forced
  • Do use WPA2 with a strong passphrase

If WPA2 with WPS disabled ever becomes vulnerable, we’ll be sure and keep you updated on the adjustments you should make to remain secure.


How to secure your Wi-Fi at home and in your business

NCSAM was launched by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004 to make sure that our online lives — at work and at home — are kept safe and secure. That’s what National Cybersecurity Awareness Month (NCSAM) – observed in October – is all about!

Most households and companies go to great lengths to keep unauthorised users off their networks, but Wi-Fi access points and routers can provide hackers with a convenient way in.

That’s because Wi-Fi signals are often broadcast beyond the walls of buildings and homes and out into the streets — an enticing invitation for hackers. No wonder that wardriving or drive by hacking is a favourite past time amongst cybercriminals.

Since many companies allow or even actively encourage employees to connect to the network using their own mobile devices — tablets and smartphones as well as laptops — it’s not practical for most companies to switch off Wi-Fi access.

The same applies to home broadband users who might have guests coming over frequently. Instead, here are a few tips to make your wireless network more secure.

1. Use stronger encryption

Some Wi-Fi access points still offer the older WEP (Wired Equivalent Privacy) standard of protection, but it is fundamentally broken. That means that hackers can break in to a WEP-protected network using a hacking suite like Aircrack-ng in a matter of minutes.

So to keep out intruders, it’s essential to use some variant of WPA (Wi-Fi Protected Access) protection, either WPA or the newer WPA2 standard (or WPA3 when it lands).

For smaller companies and households, it may be practical to use WPA with a pre-shared key. That means that all employees or family members use the same password to connect, and network security depends on them not sharing the password with outsiders.

It also means that the password should be changed every time an employee leaves the company.

Some Wi-Fi routers offer a feature called Wireless Protect Setup (WPS) which provided an easy way to connect devices to a WPA protected wireless network. However, this can be exploited by hackers to retrieve your WPA password, so it is important to disable WPS in the router’s settings.

In larger organisations, it makes more sense to use WPA in enterprise mode, which allows each user to have their own username and password to connect to the Wi-Fi network.

This makes it much easier to manage when employees are leaving regularly, as you can simply disable ex-employees’ accounts; but to use WPA in enterprise mode you have to run a server (known as a RADIUS server) which stores the login information for each employee.

  • Check out our list of the best VPN providers in the market.

2. Use a secure WPA password

Make sure that any password (or passphrase) that protects your Wi-Fi network is long and random so it can’t be cracked by a determined hacker.

It is all too easy to set up any equipment with its default settings, especially as the default admin name and password are often printed on the router itself to allow quick access and setup. This means that hackers will try these to access your network. Changing both access name and password will make it more difficult for a criminal to gain access.

You can test the security of your WPA protected network (without revealing your password or passphrase) by using the CloudCracker service. You’ll be asked to provide some data (the same data that a hacker could capture or «sniff» out of the air with a laptop from anywhere in range of your network) and the service will attempt to extract your password.

If the service is unsuccessful then a hacker is unlikely to be successful either. But if the service finds your password then you know that you need to choose a longer, more secure one.

Bear in mind that even WPA2 security standard is unlikely to resist a well organised and stubborn hacker or hacking group thanks to the KRACK Wi-Fi flaw that was discovered in October 2017.

3. Check for rogue Wi-Fi access points

Rogue access points present a huge security risk. These aren’t your company’s «official» Wi-Fi access points, but ones that have been brought in by employees (perhaps because they can’t get a good Wi-Fi signal in their office) or conceivably by hackers who have entered your building and surreptitiously connected one to an Ethernet point and hidden it.

In either case, rogue access points present a risk because you have no control over them or how they are configured: for example, one could be set up to broadcast your SSID (the 32 character identifier for a wireless network) and allow anyone to connect without providing a password.

To detect rogue access points you need to scan your offices and the area around it on a regular basis using a laptop of mobile device equipped with suitable software such as Vistumbler (a wireless network scanner) or airodump-ng. These programs allow the laptop to «sniff» the airwaves to detect any wireless traffic travelling to or from a rogue access point, and help you identify where they are located.

4. Provide a separate network for guests

If you want to allows visitors to use your Wi-Fi, it’s sensible to offer a guest network. This means that they can connect to the internet without getting access to your company’s or family’s internal network. This is important both for security reasons, and also to prevent them inadvertently infecting your network with viruses or other malware.

Читайте также:  Что такое Li Fi и сможет ли он заменить Wi Fi

One way to do this is by using a separate internet connection with its own wireless access point. In fact this is rarely necessary as most business grade (and a lot of newer consumer) wireless routers have the capability of running two Wi-Fi networks at once — your main network, and another for guests (often with the SSID «Guest».)

It makes sense to turn on WPA protection on your guest network — rather than leave it open — for two important reasons. The first is to provide some level of control over who uses it: you can provide the password to guests on request, and as long as you change it frequently you can prevent the number of people who know the password growing too large.

But more importantly, this protects your guests from other people on the guest network who may try to snoop on their traffic. That’s because even though they are using the same WPA password to access the network, each user’s data is encrypted with a different «session key,» which keeps it safe from other guests.

5. Hide your network name

Wi-Fi access points are usually configured by default to broadcast the name of your wireless network — known as the service set identifier, or SSID — to make it easy to find and connect to. But the SSID can be also be set to «hidden» so that you have to know the name of the network before you can connect to it.

Given that employees should know the name of your company Wi-Fi network (and the same goes for family members and friends in a households), it makes no sense to broadcast it so that anyone else who happens to be passing by can easily find it too.

It’s important to note that hiding your SSID should never be the only measure you take to secure your Wi-Fi network, because hackers using Wi-Fi scanning tools like airodump-ng can still detect your network and its SSID even when it is set to «hidden.»

But security is all about providing multiple layers of protection, and by hiding your SSID you may avoid attracting the attention of opportunistic hackers, so it is a simple measure that is worth taking.

6. Use a firewall

Hardware firewalls provide the first line of defence against attacks coming from outside of the network, and most routers have firewalls built into them, which check data coming into and going out and block any suspicious activity. The devices are usually set with reasonable defaults that ensure they do a decent job.

Most firewalls use packet filtering, which looks at the header of a packet to figure out its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that govern whether the packet is legitimate or not, and thus whether it’s to be allowed in or discarded.

Software firewalls usually run on the endpoint desktop or laptop, with the advantage of providing a better idea what network traffic is passing through the device. More than just which ports are being used and where data is going, it will know which applications are being used and can allow or block that program’s ability to send and receive data.

If the software firewall isn’t sure about a particular program it can ask the user what it should do before it blocks or allows traffic.

7. Enable MAC authentication for your users

You can limit who accesses your wireless network even further by only allowing certain devices to connect to it and barring the rest. Each wireless device will have a unique serial number known as a MAC address, and MAC authentication only allows access to the network from a set of addresses defined by the administrator.

This prevents unauthorised devices from accessing network resources and acts as an additional obstacle for hackers who might want to penetrate your network.

8. Use a VPN

A VPN or virtual private network will help you stay safe and secure online while above all keeping your private stuff private. They keep your data hidden from prying eyes one end to the other by encrypting it. In theory, hackers could penetrate your network and they’d still not be able to do any harm to your system assuming that a VPN is running permanently.

To celebrate National Cyber Security Awareness Month, IPVanish is giving a 69% discount on two year plans throughout October 2018, making its top-tier protection effectively $3.74/month.


What Is Home Network Security and How Do I Secure My WiFi Router?

Home Network Security is much more than setting a password for your home WiFi. Your family members watch their favorite shows on your smart TV, purchase various goods online, enjoy games via the game console, and/or work from home. All kinds of vital data — identities, passwords, addresses, private photos, etc., are constantly connected to the internet through your home network.

While you may have heard of concepts like “Phishing” and “Malware” that hackers and viruses use to disguise themselves to access your home network in order to steal private information—or ruin your data—do you really know what it is and how to stop it? Home network security is the fundamental basis for protecting your family from dangers posed by those with malicious intentions. Here, we hope to provide a basic understanding of home network security and how to improve it.

How Do I Secure My Home Network?

How to Secure Your Router

Typically, the home network starts from a router and several connected devices. The router governs the data transmission between the home network and the internet. Your wireless router might be an obscure gadget compared to your beloved game console, smart TV, phone, or tablet, but it’s the most vital defender against malicious external attacks. There are several changes you could make if you want your router to be harder to breach for hackers or malware:

Set a unique password for both your WiFi and router admin account.

Do not leave your router running with the default WiFi and administrator passwords. Hackers constantly try to break into devices using these publicly known credentials. It’s also a good habit to change the password on a regular basis.

Keep the Firmware up to date.

Serving as the essential control code embedded into a network device, the firmware in a router sets the basic security standard for your home network, determining what devices can and cannot connect. Security patches and bug fixes will be inserted into the latest firmware to repair the recently exposed network vulnerabilities. A router with automatic updates is the best option, but you’ll need to make sure you’ve enabled them.

Create a Guest Network.

Pretty much anyone will occasionally have visitors, and it’s weird to reject if they ask for WiFi access, but who knows who or what might get into your network with them? The best solution for this problem is to set up a guest network, presuming your WiFi router supports the function. A guest network is fairly isolated from the home LAN network, visitors get internet access without the potential to get into your private data. You may even want to take things a step further by hiding your home WiFi’s SSID, only connecting trusted devices to your home network, and periodically checking for new connected devices to ward off invaders.

Disable WPS and UPnP functions.

Some WiFi routers have the pair button or WPS button to make connecting easier as you won’t have to enter the password to add new devices to your network. However, while it’s convenient, it can also be exploited to get access to your home network.

Similarly, UPnP (Universal Plug and Play) is designed to make it easier for devices like routers and smart TVs to connect without complex configuration. But some malware programs target UPnP to get access to your home network.

If network security is a major concern for you, it’s safer to turn off these shortcuts.

How to Pick a Secure Router

Choose a router with WPA3.

There is already plenty of work done to improve your home network security. Currently, nearly all home routers use WiFi Protected Access technologies (WPA-PSK/WPA2-PSK) for WiFi encryption to keep your passwords safe when you use them on the internet. WPA3 is the latest WiFi security protocol introduced by WiFi Alliance, and it provides more secure password encryption and enhanced protection against brute force attacks. If your home router doesn’t support WPA3, the previous WPA2-AES standard is still reasonably robust. However, you really should consider replacing your router if it only supports the outdated WEP (Wired Equivalent Privacy) protocol.

Читайте также:  4g lte wifi router with sim card slot

Pick a router with security controls and antivirus.

It's a relief that today's manufacturers take security seriously and many models feature built-in security services and antivirus functions. These services help prevent network intrusions, enhance your data security and privacy, and remedy the vulnerabilities in your home network. You could save yourself the hassle of remembering and implementing the previous tips by just picking a secure router. There are also plenty of add-on safe box products to choose from if you don’t want to replace your router.

Use a router with app management.

Router manufacturers are developing more sophisticated apps for home network management instead and moving away from troublesome web browser interfaces in the past few years. A dedicated router app with security functions continuously monitors your network security and keeps you aware of things to pay attention to by sending notifications to your phone or tablet any time there is an incident. This makes it easy to keep tabs on who’s accessing your devices and lets you manage network access via your phone.

How to Keep the Internet Safe for Your Family

It's worthwhile to help your family develop good digital habits to help them avoid potential networking threats. There are numerous parental control functions to create individual profiles for your family members that allow you to limit what they can and can’t do on their devices as well as manage how much time they spend online. It’s an easy way to keep them away from dubious sites and a practical way to help them develop disciplined internet use according to their age.

Set Online Duration for Your Kids.

Children are spending more and more time online with every aspect of their lives becoming connected and tied to a screen. This leads them to be less active which in turn increases the risk of obesity and internet addiction. It’s a good idea to help them develop healthy habits by managing their daily time online and creating schedules or curfews for when your kids are on their devices.

Block Unhealthy Content for Your Family.

A fully equipped home router with parental controls can block unhealthy and malicious content according to the manufacturer’s professional filter library. You are also empowered to restrict your children’s access to URLs with certain keywords or apps with age ratings.

Guard Your IoT Devices.

Smart home cameras can provide more peace of mind when you’re away from home, but you don’t want strangers accessing your devices and spying on your family. Generally, IoT devices will reveal multiple vulnerabilities when confronted with external intrusions. Therefore, it’s important to provide your IoT devices with extra protection. A high-end router with IoT device protection service may not be low-cost, but it’s a worthwhile investment if you’re after the convenience of a smart life without compromising your home network security.

Take Control of Your Home Network with Ease

We’ve given you a few tips on how to ensure your home network security—most of them involving routers with advanced features. It would be remiss of us to not give some recommendations so you know where to start looking. With that in mind, we would encourage you to consider our Deco line mesh WiFi products.

TP-Link Deco products offer an excellent solution for easily taking control of your home network security. Not only will a mesh WiFi solution provide corner-to-corner whole home WiFi coverage with a single SSID, but it is also equipped with the advanced security features we mentioned previously.

TP-Link has developed the HomeCare™ service to give Decos the most comprehensive security of any whole home WiFi system currently available, so every device on your network is automatically protected from security threats.

HomeCare™ also includes powerful parental controls that are easy to use right from the Deco app, making it remarkably easy to schedule online time for your family as well as build a healthy internet environment through its advanced content filter.

The Deco series* supports the latest WPA3 protocol and provides hands-off WiFi that automatically updates to the latest security features and functionality.

Setup takes mere minutes with the Deco app, and you’ll be notified immediately of any security concerns.

* Please visit WPA3 Compatibility to check for the compatible models.

Common Questions

Q: How do I find out what security protocol my router uses?

A: You can check your router’s security protocol through the router’s web administrator interface or management app and find the wireless security options in the network security section. It’s also wise to check the wireless security specifications on the manufacturer’s website before you purchase a new router.

Q: Does all Deco products support HomeCare™?

A: At present, the following models support HomeCare™:
Deco X60, Deco X20, Deco M9 Plus, Deco P9, and Deco M5. As all Deco series works together to create a whole home mesh WiFi, you can buy one of these models as the main router to provide whole home network protection.

Q: How does Deco protect my IoT/smart home devices?

A: TP-Link HomeCare™ identifies intrusions, blocks potential threats, and fixes vulnerabilities in your network. Infected devices are automatically quarantined, keeping your personal information safe and preventing the spread of viruses to other devices.

Q: How do I update firmware for Deco?

A: You can choose the automatic update option in the Deco app or visit TP-Link Support to download the latest firmware and update your Deco manually.


Most Popular Types of WiFi Cyberattacks

This strategy is a cryptographic attack, based on listening on and modifying information between two parties without their knowledge. The attacker becomes a middleman, pretending to be both the user and the application at the same time in order to steal confidential information. During all that time the user believes he’s interacting with the app.

Denial of Service (DoS)

WiFi networks use radio waves, so they are susceptible to a DoS attack. During the procedure, the attacker sends a transmission which distorts the effectiveness of the network or completely prevents it from functioning. Unfortunately it’s not possible to completely shield this technology from this sort of assault, however the 802.11 standard made the situation better thanks to implementing protection in form of signal selection, which prevents the same communicates from being recorded.

An interesting solution is to utilize special wall and window paints that are able to prevent WiFi signal from leaving the building. Even more successful are IDS/IPS systems for wireless networks, that allow to either slow down or even completely prevent DoS attacks.

Distributed Denial of Service (DDoS)

This is a version of the DoS attack, which relies on disabling the service or system by using up all available resources. Such an attack is conducted by multiple devices simultaneously. Some of them might act as «zombies», being connected to the internet, but containing a remotely operated software without the owner’s knowledge.

scheme showing a distributed denial of service attack

Session Hijacking

Internet portals differentiate between users based on so-called «session IDs», that are placed into cookies and sent to the user in each request after login. So in order to impersonate John Smith on one of the portals we don’t need to know his password — it’s enough that we have his session ID. How to gather such a cookie? We need to get between John and the service, so for example Facebook. If he’s using an open WiFi network, we can use a tool called a sniffer in order to look through his packets and find the information we need.


Опубликовано в рубрике WiFi