
The author is worried about WiFi passwords? If you trust that your WiFi is secure in general, you're in trouble. WPS is horribly insecure, for example, and that's what most home users use. Most user-chosen passwords are incredibly easy to guess for another. The better thing to do is to assume that your network traffic is always under surveillance (since the NSA is tapping Tier1 network providers), and to encrypt everything, or use network protocols which encrypt everything.

The only thing WiFi passwords are good for is to prevent your neighbors from using your network and using up all of your bandwidth (which would slow down your network access) and preventing drive-by spammers/hackers from doing things which you might then get blamed for.




If you're relying on your wifi password for security, you're doing it wrong.

Wifi encryption is not going to help you much if anyone is able to connect to the network by just asking for the password; it won't protect you inside the network. If you want to be safe, use a VPN or SSH tunnel onto a server you trust.

This article is talking about wifi passwords...

Why does not having a WiFi password mean that the information must travel unencrypted?

And why is a password enough to encrypt that information, even if said password is written in large letters on a wall for everybody to see?

I'm sure that there are good technical reasons, but at the same time it seems like there should be a better way to have convenient and safe WiFi networks in public spaces.


Are wireless network passwords really that important? What is the threat model here? I’m trying to figure out the downside risk. Someone finds out your wireless password, figures out your address via an AGPS lookup and then … drives to your house and what? Steals your internet? Projects something on your smart tv? Turns your insecure smart lights on and off?

I can imagine that being effective as part of a complex spear phishing attack against a celebrity or something. But if someone dumpster dives and ends up finding my wifi password, why should I care?


Aren't two issues being conflated here? (1) Securing access to your wi-fi with a password so that your neighbor can't free-ride on your ISP and (2) Encrypting your wi-fi traffic so that your neighbor (or Google) can't spy on you.

You should still put a password on your Wi-Fi network to encrypt your traffic.

No way. “password” protects me from the neighbor torrenting movies or Googling bomb recipes or whatever, which is the bulk of the threat model for residential Wi-Fi.

Wifi passwords aren’t supposed to be secure. Really they’re only to keep people off the network that you want to keep, well, off the network. The current method of connecting someone to wifi is usually just telling them the password. If the guest has a computer on the network (or a Mac signed into the same Apple ID as an Apple device on the network), it’s trivial to figure out a network password that was entered for you.

If you’re wanting a _really_ secure network, WPA2 isn’t the way to go. You’d want to credential every user using 802.1X or WPA2 Enterprise.


As far as security is concerned, I'm much more worried about ISPs providing WiFi routers that use WEP encryption AS A DEFAULT.

For those who don't know, WEP can be hacked in a matter of minutes with no technical knowledge required. There are plenty of scripts on the internet that automate the whole process for you.

Do yourself a favour and use WPA2.


Just don’t assume WiFi is a form of security.

My WiFi network is no different than a hotspot at a coffee shop, anything important lives in another VLAN and has tight access controls. Someone could get access to my network, and they’d have zero ability to do anything useful other than access the public Internet. This also protects against sketchy apps like TikTok and proprietary devices (like voice assistants).


If your wifi is to an internal network firewalled from the internet, then yes of course you'd want to secure it.

But most home wifi (which is what we're talking about here) is routed more or less directly to the inherently untrusted internet. If you're sending unencrypted data you care about to that then you already have a problem. (Yes, it's true that people are sending unencrypted data they care about across the internet and it's true that they already have a problem.)


I've always assumed that WiFi encryption is more about preventing unauthorized access to the network than protecting the data that's being sent.

That's a good attitude. All the essential stuff should be end to end encrypted at this point. For example, if you use the web, all your connections are over SSL. Depending on how that is set up, your connections might leak some information about domains you are talking to. But beyond that it's just unreadable garbage for any man in the middle. So, how much does it matter if you use a public wifi in a hotel, airport, or some mobile phone network, etc.? Answer: it mostly doesn't matter. Unless you are a network security expert, you should treat your home network with the same level of distrust as you would treat any other public network. You can't assume it to be 100% secure. No matter how many acronyms your router supports.

If you feel strongly about it use a vpn. Wireguard is nice for this indeed. And indeed some IOT has pretty shit network security so you might want to care about securing that in your home or office network. But beyond that, your exposure should be pretty minimal even if you don't use a VPN.

And reality check: most people aren't network security experts. I'm certainly not one even though I've been active as a developer for a few decades and kind of know what I'm doing.

So, IMHO WPA3 is a waste of time. I don't care about it. It might be more secure by some unknowable degree. But since it is unknowable (for me), I can't be bothered to care. I'd on principle treat it as just as insecure as WPA 1 & 2. Or no network security at all. Which is good enough for me to run my SSL connections over them. And even if it is super duper secure, I don't necessarily trust the Chinese manufacturers supplying the router chips and firmware to do the right thing. In my experience, the vast majority of routers run years out of date firmware supplied via a very shady chain of suppliers for chips and software that I definitely don't trust.

So, WPA 3 is a security blanket. A false sense of security. If you have reasons to be paranoid, go for it. It probably helps. Just like tin foil hats, Faraday cages, and all the rest. I don't use those either. But for the rest of us who aren't network security experts with operator supplied routers at home and working in office environments as well as on the go with random third parties maybe taking care about network security a little bit in the networks we connect to, I treat all networks equally: 100% untrusted. I don't care about what acronym soup applies to the network or how shit-hot the graybeard that manages it is. I just blindly assume network security is mediocre at best and connect anyway. For me network security is about being able to use my laptop safely in a completely untrusted network. Because that's where I use it all of the time.


How does that solve anything? Your WiFi should already be password protected anyway. It's other people's routers with open networks you need to worry about.

> Further, if the Wi-Fi network is not encrypted (an open insecure network with no password), then any user on the network can also read your traffic!

Is that situation any or much better when a password is set, but known, shared, or trivially cracked?


Even my least tech savvy friends understand that their wifi password is like a traditional front door key: anyone with a copy can unlock the door. I'd call that very unsurprising to most people.

The idea that more sophisticated authentication is possible to prevent password sharing would be a surprise to most laypeople I know.

Also home internet is increasingly coming with smart routers that will alert you to new devices on the network. Tech savvy people are the only ones who BYOD.


Having your wifi password hacked vs being tracked may be different concerns for different people.

(Besides, it can be useful to treat your LAN as hostile, anyway, with rampant IOT and friends etc.)


Is your threat model really so severe that it includes someone driving to your house and connecting to your wifi network? Of all passwords, a wifi password is one you should _never_ reuse.

You could also inspect the source, it’s open source, or network requests.
