Wireless Security Protocols: WEP, WPA, WPA2, and WPA3

Even though it is kind of logical to secure your WiFi network, it is sometimes a bit puzzling to understand which encryption protocol to implement with all the abbreviations. We'll try to review and explain the differences among the encryption standards like WEP, WPA, WPA2, and WPA3 so you can see which will work best for your environment.

The difference between WEP, WPA and WPA2

WiFi security algorithms have been through many changes and upgrades since the 1990s to become more secure and effective. Different types of wireless security protocols were developed for home wireless networks protection. The wireless security protocols are WEP, WPA, and WPA2, serving the same purpose but being different at the same time. Not only do the protocols prevent unwanted parties from connecting to your wireless network, but also wireless security protocols encrypt your private data sent over the airwaves.

No matter how protected and encrypted, wireless networks cannot keep up in safety with wired networks. The latter, at their most basic level, transmit data between two points, A and B, connected by a network cable. To send data from A to B, wireless networks broadcast it within their range in every direction to every connected device that happens to be listening.

Let's have a closer look at WEP, WPA, and WPA2 wireless security protocols.

Wired Equivalent Privacy (WEP)

WEP was developed for wireless networks and approved as a Wi-Fi security standard in September, 1999. WEP was aimed to offer the same security level as wired networks, however there are a bunch of well-known security issues in WEP, which is also easy to break and hard to configure.

Wired Equivalent Privacy (WEP)

Despite all the work that has been done to improve the WEP system it still is a highly vulnerable solution. Systems that rely on this protocol should be either upgraded or replaced in case security upgrade is not possible. WEP was officially abandoned by the Wi-Fi Alliance in 2004.

Wi-Fi Protected Access (WPA)

For the time the 802.11i wireless security standard was in development, WPA was used as a temporary security enhancement for WEP. One year before WEP was officially abandoned, WPA was formally adopted. Most modern WPA applications use a preshared key (PSK), most often referred to as WPA Personal, and the Temporal Key Integrity Protocol or TKIP (/tiːˈkɪp/) for encryption. WPA Enterprise uses an authentication server for keys and certificates generation.

Wi-Fi Protected Access (WPA)

WPA was a significant enhancement over WEP, but as the core components were made so they could be rolled out through firmware upgrades on WEP-enabled devices, they still relied onto exploited elements.

WPA, just like WEP, after being put through proof-of-concept and applied public demonstrations turned out to be pretty vulnerable to intrusion. The attacks that posed the most threat to the protocol were however not the direct ones, but those that were made on Wi-Fi Protected Setup (WPS) - auxilliary system developed to simplify the linking of devices to modern access points.

Wi-Fi Protected Access version 2 (WPA2)

The 802.11i wireless security standard based protocol was introduced in 2004. The most important improvement of WPA2 over WPA was the usage of the Advanced Encryption Standard (AES) for encryption. AES is approved by the U.S. government for encrypting the information classified as top secret, so it must be good enough to protect home networks.

At this time the main vulnerability to a WPA2 system is when the attacker already has access to a secured WiFi network and can gain access to certain keys to perform an attack on other devices on the network. This being said, the security suggestions for the known WPA2 vulnerabilities are mostly significant to the networks of enterprise levels, and not really relevant for small home networks.

Unfortunately, the possibility of attacks via the Wi-Fi Protected Setup (WPS), is still high in the current WPA2-capable access points, which is the issue with WPA too. And even though breaking into a WPA/WPA2 secured network through this hole will take anywhere around 2 to 14 hours it is still a real security issue and WPS should be disabled and it would be good if the access point firmware could be reset to a distribution not supporting WPS to entirely exclude this attack vector.

Which security method will work for your network

Here is the basic rating from best to worst of the modern WiFi security methods available on modern (after 2006) routers:

  1. WPA2 + AES
  2. WPA + AES
  3. WPA + TKIP/AES (TKIP is there as a fallback method)
  4. WPA + TKIP
  5. WEP
  6. Open Network (no security at all)

The best way to go is deactivate Wi-Fi Protected Setup (WPS) and set the router to WPA2 +AES. And as you go down the list, the less secure your network is going to get.


If you leave your router with no security then anyone can steal the bandwidth, perform illegal actions out of your connection and name, monitor your web activity, and easily install malicious apps in your network. Both WPA and WPA2 are supposed to secure wireless internet networks from unauthorized access.

WPA vs. WPA2

WiFi routers support a variety of security protocols to secure wireless networks: WEP, WPA and WPA2. However WPA2 is recommended over its predecessor WPA (Wi-Fi Protected Access).

Probably the only downside of WPA2 is how much processing power it needs to protect your network. This means more powerful hardware is needed in order not to experience lower network performance. This issue concerns older access points that were implemented before WPA2 and only support WPA2 via a firmware upgrade. Most of the current access points have been supplied with more capable hardware.

Definitely use WPA2 if you can and only use WPA if there is no way your access point will support WPA2. Using WPA is also a possibility when your access point regularly experiences high loads and the network speed suffers from the WPA2 usage. When security is the top priority then rolling back is not an option, instead one should seriously consider getting better access points. WEP has to be used if there is no possibility to use any of the WPA standards .

Encryption Speed

Depending on what security protocols you use the data speed can be affected. WPA2 is the fastest of the encryption protocols, while WEP is the slowest.

Protect Your WiFi Network

While WPA2 is much more secure than WPA and therefore much more secure than WEP, the security of your router heavily depends on the password you set. WPA and WPA2 let you use passwords of up to 63 characters.

Use as many various characters in your WiFi network password as possible. Hackers are interested in easier targets, if they can't break your password in several minutes, they will most likely move on to look for more vulnerable networks. Summary:

  1. WPA2 is the enhanced version of WPA;
  2. WPA only supports TKIP encryption while WPA2 supports AES;
  3. Theoretically, WPA2 is not hackable while WPA is;
  4. WPA2 needs more processing power than WPA;
  5. Use NetSpot to check your encryption!

UPD: WPA3 is the next generation of WiFi security

Protecting Wi-Fi from hackers is one of the most important tasks in cybersecurity. Which is why the arrival of next-generation wireless security protocol WPA3 deserves your attention: Not only is it going to keep Wi-Fi connections safer, but also it will help save you from your own security shortcomings.

Here is what it offers:

  • Password Protection

Start with how WPA3 will protect you at home. Specifically, it’ll mitigate the damage that might stem from your lazy passwords.

A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through the entire dictionary—and beyond—in relatively short order.

WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it’s what was behind the notorious KRACK vulnerability that impacted basically ever connected device. WPA3 will ditch that in favor of the more secure — and widely vetted — Simultaneous Authentication of Equals handshake.

The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.

  • Safer Connections

When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today — Wi-Fi Protected Setup — has had known vulnerabilities since 2011. WPA3 provides a fix.

Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you’ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you're set — they're securely connected. With the QR code method, you’re using public key-based encryption to onboard devices that currently largely lack a simple, secure method to do so.

That trend plays out also with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks before. You've probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That's because with WPA2, anyone on the same public network as you can observe your activity, and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much. When you log onto a coffee shop’s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials. It does so using an established standard called Opportunistic Wireless Encryption.

As with the password protections, WPA3's expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel too secure.

WPA3: When Can I Get It On My Wi-Fi?

Even with the added technical details, talking about WPA3 feels almost still premature. While major manufacturers like Qualcomm already have committed to its implementation as early as this summer, to take full advantage of WPA3’s many upgrades, the entire ecosystem needs to embrace it. That’ll happen in time, just as it did with WPA2.

The Wi-Fi Alliance doesn’t expect broad implementation until late 2019 at the earliest.

Once all your devices support WPA3, you could disable WPA2 connectivity on your router to improve security, the same way you might disable WPA and WEP connectivity and only allow WPA2 connections on your router today.

While it will take a while for WPA3 to fully roll out, the important thing is that the transition process is beginning in 2018. This means safer, more secure Wi-Fi networks in the future.

NetSpot for Android

Coming soon! Be the first to know about NetSpot WiFi analyzer for Android.

Have more questions? Submit a request.

Windows version is here!

NetSpot WiFi planning tool helps in analysis, configuration and deployment of a WiFi network easily.
Get the free WiFi manager app

Next in WiFi Planning

Other Articles

Start now with NetSpot
Runs on a MacBook (macOS 10.10+) or any laptop (Windows 7/8/10)
with a standard 802.11a/b/g/n/ac wireless network adapter.