Every generation of computer technology spawns both new promise and new problems. When the first universities allowed users to connect to powerful mainframes, unruly students found ways of accessing other students’ information to play pranks on each other, requiring the creation of password protection and access rights.
Today, computers and wireless networks occupy every aspect of life, from schools, hospitals, businesses, libraries — even coffee shops and buses offer WiFi access. But with all this access, there is the need for WiFi security. A person connecting via their laptop could be transmitting the passwords to their bank account over the air for a hacker to pick up.
The biggest problem with allowing access to a local WiFi network isn’t just WiFi encryption, but how to register devices onto the WiFi network. If there’s a shared password, then anyone who shares that with another person or writes it down runs the risk of unauthorized users getting access to the network.
For those old enough, remember that scene from the movie “WarGames” where Matthew Broderick’s character would purposely get detention so he could find the network’s password written down in a secretary’s desk? Hackers use the same technique when someone writes the WiFi password on a Post-It on their desk: get into the network and start capturing packets.
WPA3 security is designed to help prevent that. Rather than relying on shared passwords, WPA3 signs up new devices through processes that don’t require the use of a shared password.
This new system, called Wi-Fi Device Provisioning Protocol (DPP), works by conveying how to join the network without sending a password over the air. With DPP, a QR code or NFC tag lets a device onto the network. By snapping a picture or receiving a radio signal from the router, a device can be authenticated to the network without sacrificing security.
WPA3 encryption is geared to be better than previous iterations of WiFi technology. First, much as the Google Chrome and Firefox browsers moved to warn or outright block users from connecting to insecure web servers, WPA3 discards older encryption mechanisms in favor of ones that have not been broken.
Granted, nothing lasts forever in the world of security, but WPA3 encryption is covered by 256-bit Galois/Counter Mode Protocol (GCMP-256), which makes breaking through the encryption harder.
How big is a number like 256-bit? Previous encryption algorithms worked with 128-bit encryption. In math terms, that’s 3.048 x 10^38 - that’s 3 followed by 38 zeros - which is how many calculations a computer would have to make to even guess at what the encryption key is. 256-bit encryption? That’s 1.15 x 10^77 — 1 with 77 zeroes following it.
There are fewer atoms in the known universe than that number. There are fewer episodes of Judge Judy than that number. Fewer times that someone has asked, “Explain the plot of the movie Inception.”
It’s a big number.
When transferring encryption keys between the router and devices, WPA3 WiFi security uses 384-bit Hashed Message Authentication Mode. Both the device and the router confirm that they can connect, but in a way where, even if someone picks up the communication between them, they can’t figure out what the original encryption key is.
It’s like the Navajo code talkers back in World War II who used codes while speaking a language no one else in the world understood. Even if a third party could pick up the radio signals, it wouldn’t make any sense to them. Even if they also happened to speak Navajo, they’d have to know the additional code structure underneath that to understand what the message actually meant.
This is how WPA3 keeps communications safe — with better encryption, better ways of setting up that encryption, and methods that keep people connecting to the network from knowing the passwords that have them on the network.
Already on WPA2 and want to know what the difference is between WPA2 and WPA3? First of all, we can get WPA2 compliant routers right now. Which means if we’re looking for a WPA3 router, we’re not going to find one because they don’t exist yet. That’s a plus in the WPA2 versus WPA3 debate: WPA2 at least exists in the real world. WPA3 is an announced standard but is not yet a delivered standard.
As mentioned above, WPA3 handles WiFi security differently. Most people connect to a WPA2 network either by sharing passwords (bad) or via WPS. WPS is convenient. Tap a button on the router at the same time as the device to connect the device to the router, and we’re on.
The problem is that WPS sends a 23-bit PIN as part of the signup process. 23 bits is nothing compared to the 384-bit hashes that WPA3 uses to connect devices to routers. A clever hacker can sit there and, within 9 million tries — a mere minute in computer terms — gain access to the router. Just sit, wait for the WPS signal to go out, and the hacker could be in.
Then there’s the level of encryption for open networks. Going into a coffee shop or connecting a phone at the mall puts that device onto an open network. It makes sense. The inconvenience of connecting to a WiFi network with even a shared password is usually too much for a store’s customers to stand for.
The problem is that on an open WiFi network, a clever hacker can listen in between the devices and try to decrypt their communications with bank websites or cashier machines. Then we’re back to unauthorized people listening in on bank passwords and credit card numbers.
WPA3 security looks to triumph over WPA2 systems when it comes to open networks with an enhanced protection system. WPA3 routers will use Wi‑Fi CERTIFIED Enhanced Open — this means that even when the devices connect to the WiFi router on an open network, there is strong encryption between the device and the router.
So even if a hacker is listening in, first they have to break through the WiFi encryption, then break a totally different set between the web browser and the bank, or between the specific teller machine and the financial systems it’s talking to. Nothing is absolutely secure, but making unauthorized users work twice as hard to get information they shouldn’t have makes people safer all around.
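As an added example that is not part of the original article, the following Python audit flags the three weaknesses just described in a hostapd-style access point configuration: WPS left on, an open network without Enhanced Open (OWE), and a shared-passphrase WPA2 network that has not moved to WPA3-SAE with protected management frames. The key names follow hostapd.conf; the sample configurations and their values are constructed for this example and assume a hostapd build that supports SAE and OWE.

```python
"""Audit hostapd-style AP configs for the weaknesses the article describes.
Sample configs are constructed for this example, not taken from any router."""

WEAK_CONF = """\
ssid=CoffeeShop-Staff
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=post-it-note-password
rsn_pairwise=CCMP
wps_state=2
"""

OPEN_CONF = """\
ssid=CoffeeShop-Guest
"""

STRONG_CONF = """\
ssid=CoffeeShop-Staff
wpa=2
wpa_key_mgmt=SAE
sae_password=long-random-passphrase
rsn_pairwise=GCMP-256
ieee80211w=2
wps_state=0
"""

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    kmgmt = set(conf.get("wpa_key_mgmt", "").split())
    findings = []
    if conf.get("wps_state", "0") != "0":  # 0 = WPS disabled in hostapd
        findings.append("WPS enabled: PIN registrar can be guessed; set wps_state=0")
    if conf.get("wpa", "0") == "0" and "OWE" not in kmgmt:  # hostapd default wpa=0
        findings.append("open network without OWE: client traffic is unencrypted")
    if "WPA-PSK" in kmgmt and "SAE" not in kmgmt:
        findings.append("WPA2-PSK only: shared passphrase; add SAE (WPA3-Personal)")
    if kmgmt & {"SAE", "OWE"} and conf.get("ieee80211w", "0") != "2":  # 2 = PMF required
        findings.append("SAE/OWE without ieee80211w=2: management frames unprotected")
    return findings
```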
Don’t be in a rush. WPA3 was just announced, and if the past is the predictor of the future, it means every company that makes WiFi routers will start touting “WPA3 compliant!” routers, even if it’s their version of WPA3 wireless that other devices don’t support.
We saw it when the move was made from a/b WiFi networks to g and n. We’ll likely see it again with WPA3 systems, where someone will call it WPA3Plus and someone else WPA3Max. The best thing to do is wait a few years unless there is a pressing need for additional security right now.
First, make sure that the existing WiFi network is operating at full capacity. There’s no purpose upgrading to WPA3 wireless when the network is oversaturated or people can’t reach it with their device. A good WiFi network scanner like NetSpot can help map out the existing WiFi coverage so we know where to put systems.
Second, even when something says it is WPA3 compliant, there is going to be a delay before that WPA3 router has WPA3 compliant devices to connect with. Even Apple, rolling out a new iPhone every year, isn’t likely to be ready for this new WiFi security standard.
WPA3 is going to be great — the operative word there is going to be. It will offer more security to a world where network breaches are becoming more and more common. So be prepared, keep informed, and be ready for the next wave of WiFi routers, devices, and security.