Which wifi authentication is better. Wi-Fi security key

Password and MAC address filtering should protect you from hacking. In fact, safety largely depends on your caution. Inappropriate security methods, uncomplicated passwords, and a careless attitude toward strangers on your home network provide attackers with additional attack opportunities. In this article, you will learn how to crack a WEP password, why you should abandon filters, and how to secure your wireless network from all sides.

Protection from uninvited guests

Your network is not secure, therefore, sooner or later, an outsider will connect to your wireless network - perhaps not even on purpose, since smartphones and tablets can automatically connect to unsecured networks. If he just opens several sites, then, most likely, nothing bad will happen except for the consumption of traffic. The situation will become more complicated if a guest starts downloading illegal content through your Internet connection.

If you have not yet taken any security measures, then go to the router interface through a browser and change your network access data. The router address usually looks like: http://192.168.1.1. If this is not the case, then you can find out the IP address of your network device through the command line. In the Windows 7 operating system, click on the “Start” button and enter the “cmd” command in the search bar. Call up the network settings with the “ipconfig” command and find the “Default gateway” line. The specified IP is the address of your router, which must be entered in the address bar of the browser. The location of your router's security settings varies by manufacturer. As a rule, they are located in a section with the title “WLAN | Security”.

If your wireless network uses an unsecured connection, you should be especially careful with content that is located in shared folders, since if it is not protected, it will be available to other users. At the same time, in the Windows XP Home operating system, the situation with shared access is simply catastrophic: by default, passwords cannot be set here at all - this function is present only in the professional version. Instead, all network requests are made through an unsecured guest account. You can secure your network in Windows XP using a small manipulation: launch the command line, enter “net user guest YourNewPassword” and confirm the operation by pressing the “Enter” key. After restarting Windows, you will be able to access network resources only if you have a password; however, finer tuning in this version of the OS, unfortunately, is not possible. Managing sharing settings is much more convenient in Windows 7. Here, to limit the number of users, just go to the “Network and Sharing Center” in the Control Panel and create a password-protected home group.

The lack of proper protection in a wireless network is a source of other dangers, since hackers can use special programs (sniffers) to identify all unprotected connections. This way, it will be easy for hackers to intercept your identification data from various services.

Hackers

As before, the two most popular security methods today are MAC address filtering and hiding the SSID (network name): these security measures will not keep you safe. In order to identify the network name, an attacker only needs a WLAN adapter, which switches to monitoring mode using a modified driver, and a sniffer - for example, Kismet. The attacker monitors the network until a user (client) connects to it. It then manipulates the data packets and thereby kicks the client off the network. When the user reconnects, the attacker sees the network name. It seems complicated, but in fact the whole process only takes a few minutes. Bypassing the MAC filter is also easy: the attacker determines the MAC address and assigns it to his device. Thus, the connection of an outsider remains unnoticed by the network owner.

If your device only supports WEP encryption, take immediate action - such a password can be cracked even by non-professionals in a few minutes.

Particularly popular among cyber fraudsters is the Aircrack-ng software package, which, in addition to the sniffer, includes an application for downloading and modifying WLAN adapter drivers, and also allows you to recover the WEP key. Well-known hacking methods are PTW and FMS/KoreK attacks, in which traffic is intercepted and a WEP key is calculated based on its analysis. In this situation, you have only two options: first, you should look for the latest firmware for your device, which will support the latest encryption methods. If the manufacturer does not provide updates, it is better to refuse to use such a device, because in doing so you are jeopardizing the security of your home network.

The popular advice to reduce Wi-Fi range only gives the appearance of protection. Neighbors will still be able to connect to your network, but attackers often use Wi-Fi adapters with a longer range.

Public hotspots

Places with free Wi-Fi attract cyber fraudsters because huge amounts of information pass through them, and anyone can use hacking tools. Public hotspots can be found in cafes, hotels and other public places. But other users of the same networks can intercept your data and, for example, take control of your accounts on various web services.

Cookie Protection. Some attack methods are truly so simple that anyone can use them. The Firesheep extension for the Firefox browser automatically reads and lists the accounts of other users, including Amazon, Google, Facebook and Twitter. If a hacker clicks on one of the entries in the list, he will immediately have full access to the account and will be able to change the user's data at his discretion. Firesheep does not crack passwords, but only copies active, unencrypted cookies. To protect yourself from such interceptions, you should use the special HTTPS Everywhere add-on for Firefox. This extension forces online services to always use an encrypted connection via HTTPS if supported by the service provider's server.
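The cookies Firesheep copies are the ones a site lets the browser send without encryption. The added example below (not from the original article) audits a site's response headers for cookies that lack the Secure attribute and for a missing Strict-Transport-Security header; the header lists are constructed samples and the function names are illustrative.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), attrs


def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if the header is absent."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            val = val.strip('"')
            if name.lower() == "max-age" and val.isdigit():
                return int(val)
    return None


def audit_headers(headers):
    """List (cookie, problem) pairs for a response's headers."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie over plain http://,
            # where anyone on the same hotspot can read it.
            findings.append((name, "no-secure-attribute"))
    if not hsts_max_age(headers):
        # No HSTS (or max-age=0): the browser may still start on http://.
        findings.append(("*", "no-hsts"))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=constructed-value; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=constructed-value; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print("weak:    ", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```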

Android protection. In the recent past, widespread attention has been drawn to a flaw in the Android operating system, due to which scammers could gain access to your accounts in services such as Picasa and Google Calendar, as well as read your contacts. Google fixed this vulnerability in Android 2.3.4, but most devices previously purchased by users have older versions of the system installed. To protect them, you can use the SyncGuard application.

WPA 2

The best protection is provided by WPA2 technology, which has been used by computer equipment manufacturers since 2004. Most devices support this type of encryption. But, like other technologies, WPA2 also has its weak point: using a dictionary attack or the bruteforce method, hackers can crack passwords - however, only if they are unreliable. Dictionaries simply go through the keys stored in their databases - as a rule, all possible combinations of numbers and names. Passwords like “1234” or “Ivanov” are guessed so quickly that the hacker’s computer doesn’t even have time to warm up.

The bruteforce method does not involve using a ready-made database, but, on the contrary, selecting a password by listing all possible combinations of characters. In this way, an attacker can calculate any key - the only question is how long it will take him. NASA, in its security guidelines, recommends a password of at least eight characters, and preferably sixteen. First of all, it is important that it consists of lowercase and uppercase letters, numbers and special characters. It would take a hacker decades to crack such a password.

Your network is not yet fully protected, since all users within it have access to your router and can make changes to its settings. Some devices provide additional security features that you should also take advantage of.

First of all, disable the ability to manipulate the router via Wi-Fi. Unfortunately, this feature is only available on certain devices, such as Linksys routers. All modern router models also have the ability to set a password for the management interface, which allows you to restrict access to settings.

Like any program, the router firmware is imperfect - small flaws or critical holes in the security system are not excluded. Usually information about this instantly spreads across the Internet. Check regularly for new firmware for your router (some models even have an automatic update feature). Another advantage of flashing firmware is that it can add new functions to the device.

Periodic analysis of network traffic helps to recognize the presence of uninvited guests. In the router management interface you can find information about which devices connected to your network and when. It is more difficult to find out how much data a particular user has downloaded.
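One way to review the client list mentioned above, as an added example that is not from the original article. It assumes the router can export its DHCP leases in the dnsmasq lease-file layout (expiry, MAC, IP, hostname, client ID); the lease rows and the inventory are constructed sample data. Because a MAC address can be copied, a known MAC is only weak evidence, so the check also compares hostnames.

```python
# Constructed sample export; "*" means the client sent no hostname or client ID.
SAMPLE_LEASES = """
# exported from the router (constructed data)
1735689600 3c:22:fb:10:20:30 192.168.1.10 laptop-anna 01:3c:22:fb:10:20:30
1735689700 A4:5E:60:AA:BB:CC 192.168.1.11 android-7f3a *
1735689800 da:a1:19:01:02:03 192.168.1.57 * *
1735689900 00:1d:7e:44:55:66 192.168.1.60 * *
"""

# Devices the owner expects to see: MAC address -> usual hostname (constructed).
INVENTORY = {
    "3c:22:fb:10:20:30": "laptop-anna",
    "a4:5e:60:aa:bb:cc": "tv-livingroom",
}


def parse_leases(text):
    """Parse lease rows, skipping blank, comment and malformed lines."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        expiry, mac, ip, hostname = fields[:4]
        leases.append({
            "expiry": int(expiry),
            "mac": mac.lower(),
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
        })
    return leases


def is_locally_administered(mac):
    """True when the locally-administered bit is set (randomized or hand-set MAC)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def review(leases, inventory):
    """Return (mac, ip, reason) for every lease that needs a closer look."""
    findings = []
    for lease in leases:
        mac = lease["mac"]
        if mac not in inventory:
            reason = ("unknown-randomized-mac" if is_locally_administered(mac)
                      else "unknown-device")
        elif lease["hostname"] and lease["hostname"] != inventory[mac]:
            # Known MAC presenting a different name: the address may have been copied.
            reason = "hostname-mismatch"
        else:
            continue
        findings.append((mac, lease["ip"], reason))
    return findings


if __name__ == "__main__":
    for finding in review(parse_leases(SAMPLE_LEASES), INVENTORY):
        print(finding)
```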

Guest access - a means of protecting your home network

If you protect your router with a strong password using WPA2 encryption, you will no longer be in any danger. But only until you share your password with other users. Friends and acquaintances who, with their smartphones, tablets or laptops, want to access the Internet through your connection are a risk factor. For example, the possibility that their devices are infected with malware cannot be ruled out. However, you won't have to refuse your friends because of this, since top-end router models, such as the Belkin N or Netgear WNDR3700, provide guest access specifically for such cases. The advantage of this mode is that the router creates a separate network with its own password, and the home one is not used.

Security Key Reliability

WEP (WIRED EQUIVALENT PRIVACY). Uses a pseudo-random number generator (RC4 algorithm) to obtain the key, as well as initialization vectors. Since the latter component is not encrypted, it is possible for third parties to intervene and recreate the WEP key.

WPA (WI-FI PROTECTED ACCESS). Based on the WEP mechanism, but offers a dynamic key for extended security. Keys generated using the TKIP algorithm can be cracked using the Beck-Tews or Ohigashi-Morii attack. To do this, individual packets are decrypted, manipulated, and sent back to the network.

WPA2 (WI-FI PROTECTED ACCESS 2). Uses the reliable AES (Advanced Encryption Standard) algorithm for encryption. Along with TKIP, the CCMP protocol (Counter-Mode/CBC-MAC Protocol) has been added, which is also based on the AES algorithm. Until now, a network protected by this technology could not be hacked. The only option for hackers is a dictionary attack or the “brute force method”, where the key is found by trying candidates one after another, but with a complex password it is impossible to guess it.

This article is devoted to the issue of security when using wireless WiFi networks.

Introduction - WiFi Vulnerabilities

The main reason why user data is vulnerable when this data is transmitted over WiFi networks is that the exchange occurs over radio waves. And this makes it possible to intercept messages at any point where a WiFi signal is physically available. Simply put, if the signal of an access point can be detected at a distance of 50 meters, then interception of all network traffic of this WiFi network is possible within a radius of 50 meters from the access point. In the next room, on another floor of the building, on the street.

Imagine this picture. In the office, the local network is built via WiFi. The signal from this office's access point is picked up outside the building, for example in a parking lot. An attacker outside the building can gain access to the office network, that is, unnoticed by the owners of this network. WiFi networks can be accessed easily and discreetly. Technically much easier than wired networks.

Yes. To date, means of protecting WiFi networks have been developed and implemented. This protection is based on encrypting all traffic between the access point and the end device that is connected to it. That is, an attacker can intercept a radio signal, but for him it will be just digital “garbage”.

How does WiFi protection work?

The access point includes in its WiFi network only the device that sends the correct password (specified in the access point settings).

But how does the access point know whether the password is correct or not? What if it also receives a hash, but cannot decrypt it? It's simple - in the access point settings the password is specified in its pure form. The authorization program takes the plaintext password, creates a hash from it, and then compares this hash with the one received from the client. If the hashes match, then the client’s password is correct. The second feature of hashes is used here - they are unique. The same hash cannot be obtained from two different sets of data (passwords). If two hashes match, then they were both created from the same set of data.

By the way. Thanks to this feature, hashes are used to control data integrity. If two hashes (created over a period of time) match, then the original data (during that period of time) has not been changed.

However, despite the fact that the most modern method of securing a WiFi network (WPA2) is reliable, this network can be hacked. How?

There are two methods for accessing a network protected by WPA2:

  1. Selection of a password using a password database (so-called dictionary search).
  2. Exploitation of a vulnerability in the WPS function.

In the first case, the attacker intercepts the password hash for the access point. The hashes are then compared against a database of thousands or millions of words. A word is taken from the dictionary, a hash is generated for this word and then this hash is compared with the hash that was intercepted. If a primitive password is used on an access point, then cracking the password of this access point is a matter of time. For example, an 8-digit password (8 characters long is the minimum password length for WPA2) is one million combinations. On a modern computer, you can sort through one million values in a few days or even hours.

In the second case, a vulnerability in the first versions of the WPS function is exploited. This feature allows you to connect a device that does not have a password, such as a printer, to the access point. When using this feature, the device and access point exchange a digital code and if the device sends the correct code, the access point authorizes the client. There was a vulnerability in this function - the code had 8 digits, but only four of them were checked for uniqueness! That is, to hack WPS you need to search through all the values that give 4 digits. As a result, hacking an access point via WPS can be done in just a few hours, even on the weakest device.

Setting up WiFi network security

The security of the WiFi network is determined by the settings of the access point. Several of these settings directly affect network security.

WiFi network access mode

The access point can operate in one of two modes - open or protected. In case of open access, any device can connect to the access point. In the case of protected access, only the device that transmits the correct access password is connected.

There are three types (standards) of WiFi network protection:

  • WEP (Wired Equivalent Privacy). The very first standard of protection. Today it actually does not provide protection, since it can be hacked very easily due to the weakness of the protection mechanisms.
  • WPA (Wi-Fi Protected Access). Chronologically the second standard of protection. At the time of creation and commissioning, it provided effective protection for WiFi networks. But at the end of the 2000s, opportunities were found to hack WPA protection through vulnerabilities in the security mechanisms.
  • WPA2 (Wi-Fi Protected Access 2). The latest protection standard. Provides reliable protection when certain rules are followed. To date, there are only two known ways to break WPA2 security: dictionary password brute force and a workaround using the WPS service.

Thus, to ensure the security of your WiFi network, you must select the WPA2 security type.

However, not all client devices can support it. For example, Windows XP SP2 only supports WPA.

In addition to choosing the WPA2 standard, additional conditions are required:

  1. Use the AES encryption method.
  2. The password to access the WiFi network must be composed as follows:
     • Use letters and numbers in the password: a random set of letters and numbers, or a very rare word or phrase that is meaningful only to you.
     • Do not use simple passwords like name + date of birth, or some word + a few numbers, for example lena1991 or dom12345.
     • If you need to use only a digital password, then its length must be at least 10 characters, because an eight-character digital password is selected using a brute force method in real time (from several hours to several days, depending on the power of the computer).

If you use complex passwords in accordance with these rules, then your WiFi network cannot be hacked by guessing a password using a dictionary. For example, for a password like 218340105584896 combinations. Today it is almost impossible to select. Even if a computer were to compare 1,000,000 (million) words per second, it would take almost 7 years to iterate over all the values.
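The password rules above can be turned into a small check. The following Python is an added example, not part of the original article: the function names, the one-year threshold and the sample passphrase aB3dE6gH are assumptions made for illustration, while the guess rate of 1,000,000 per second is the figure quoted in the text and 8 to 63 characters is the WPA2-PSK passphrase length limit.

```python
import re

GUESSES_PER_SECOND = 1_000_000      # rate quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600
MIN_YEARS = 1.0                     # assumed threshold for a keyspace that is too small


def alphabet_size(passphrase):
    """Size of the smallest printable-ASCII pool that covers the passphrase."""
    size = 0
    if re.search(r"[a-z]", passphrase):
        size += 26
    if re.search(r"[A-Z]", passphrase):
        size += 26
    if re.search(r"[0-9]", passphrase):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", passphrase):
        size += 33                  # ASCII punctuation plus the space character
    return size


def keyspace(passphrase):
    """Number of candidates an exhaustive search of that pool and length covers."""
    return alphabet_size(passphrase) ** len(passphrase)


def years_to_exhaust(passphrase, rate=GUESSES_PER_SECOND):
    """Worst-case search time in years at the given guess rate."""
    return keyspace(passphrase) / rate / SECONDS_PER_YEAR


def is_run(text):
    """True for runs such as 123456789, abcdefgh or 11111111."""
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps in ({1}, {-1}, {0})


def audit_psk(passphrase):
    """Return the list of rule violations; an empty list means no rule fired."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length")           # outside the WPA2-PSK passphrase limits
    if passphrase.isdigit() and len(passphrase) < 10:
        findings.append("digits-only")      # numeric passwords need 10+ characters
    if re.fullmatch(r"[A-Za-z]+[0-9]+", passphrase):
        findings.append("word+digits")      # the lena1991 / dom12345 pattern
    if is_run(passphrase):
        findings.append("sequence")
    if years_to_exhaust(passphrase) < MIN_YEARS:
        findings.append("small-keyspace")
    return findings


if __name__ == "__main__":
    for sample in ("lena1991", "dom12345", "123456789", "aB3dE6gH"):
        print(f"{sample:12} keyspace={keyspace(sample):>22,} "
              f"years={years_to_exhaust(sample):10.4f} findings={audit_psk(sample)}")
```

An empty result only means that none of these rules fired; a passphrase that appears in a word list is still weak whatever its length.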

WPS (Wi-Fi Protected Setup)

If the access point has the WPS (Wi-Fi Protected Setup) function, you need to disable it. If this feature is required, you must ensure that its version is updated to the following capabilities:

  1. Using all 8 PIN code characters instead of 4, as was the case in the beginning.
  2. Enabling a delay after several attempts to send an incorrect PIN code from the client.

An additional option to improve WPS security is to use an alphanumeric PIN code.

Public WiFi Security

Today it is fashionable to use the Internet via WiFi networks in public places - in cafes, restaurants, shopping centers, etc. It is important to understand that using such networks may lead to theft of your personal data. If you access the Internet through such a network and then log in to a website, your data (username and password) may be intercepted by another person who is connected to the same WiFi network. After all, on any device that has passed authorization and is connected to the access point, you can intercept network traffic from all other devices on this network. And the peculiarity of public WiFi networks is that anyone can connect to it, including an attacker, and not only to an open network, but also to a protected one.

What can you do to protect your data when connecting to the Internet via a public WiFi network? There is only one option - to use the HTTPS protocol. This protocol establishes an encrypted connection between the client (browser) and the site. But not all sites support the HTTPS protocol. Addresses on a site that supports the HTTPS protocol begin with the https:// prefix. If the addresses on a site have the http:// prefix, this means that the site does not support HTTPS or does not use it.

Some sites do not use HTTPS by default, but have this protocol and can be used if you explicitly (manually) specify the https:// prefix.

As for other cases of using the Internet - chats, Skype, etc., you can use free or paid VPN servers to protect this data. That is, first connect to the VPN server, and only then use the chat or open website.

In the second and third parts of this article, I wrote that when using the WPA2 security standard, one of the ways to hack a WiFi network is to guess the password using a dictionary. But there is another opportunity for an attacker to obtain the password to your WiFi network. If you store your password on a sticky note glued to the monitor, this makes it possible for a stranger to see this password.

And your password can be stolen from a computer connected to your WiFi network. This can be done by an outsider if your computers are not protected from access by outsiders. This can be done using malware. In addition, the password can be stolen from a device that is taken outside the office (house, apartment) - from a smartphone, tablet.

Thus, if you need reliable protection for your WiFi network, you need to take steps to securely store your password. Protect it from access by unauthorized persons.

With the spread of wireless networks, the WPA and WPA2 encryption protocols have become known to almost all owners of devices connecting to Wi-Fi. They are indicated in the connection properties, and attract minimal attention from most users who are not system administrators. It is quite enough to know that WPA2 is an evolution of WPA, and therefore WPA2 is newer and more suitable for modern networks.

Definition

WPA is an encryption protocol designed to protect wireless networks of the IEEE 802.11 standard, developed by the Wi-Fi Alliance in 2003 as a replacement for the outdated and insecure WEP protocol.

WPA2 is an encryption protocol that is an improved development of WPA, introduced in 2004 by the Wi-Fi Alliance.

Finding the difference between WPA and WPA2 is not relevant for most users, since all wireless network protection comes down to choosing a more or less complex access password. Today the situation is such that all devices operating in Wi-Fi networks are required to support WPA2, so the choice of WPA can only be determined by non-standard situations. For example, operating systems older than Windows XP SP3 do not support WPA2 without applying patches, so machines and devices managed by such systems require the attention of a network administrator. Even some modern smartphones may not support the new encryption protocol; this mainly applies to off-brand Asian gadgets. On the other hand, some versions of Windows older than XP do not support working with WPA2 at the GPO level, so in this case they require more fine-tuned network connections.

The technical difference between WPA and WPA2 is the encryption technology, in particular, the protocols used. WPA uses the TKIP protocol, WPA2 uses the AES protocol. In practice, this means that the more modern WPA2 provides a higher degree of network security. For example, the TKIP protocol allows you to create an authentication key up to 128 bits in size, AES - up to 256 bits.

Conclusions

  1. WPA2 is an improvement over WPA.
  2. WPA2 uses the AES protocol, WPA uses the TKIP protocol.
  3. WPA2 is supported by all modern wireless devices.
  4. WPA2 may not be supported by older operating systems.
  5. WPA2 has a higher security level than WPA.

Today cannot be called something out of the ordinary. However, many users (especially owners of mobile devices) are faced with the problem of which security system to use: WEP, WPA or WPA2-PSK. We’ll see what kind of technologies these are now. However, the greatest attention will be paid to WPA2-PSK, since it is this protection that is most in demand today.

WPA2-PSK: what is it?

Let's say right away: this is a system for protecting any local connection to a wireless network based on Wi-Fi. This has nothing to do with wired systems based on network cards that use a direct connection using Ethernet.

In terms of the technology used, WPA2-PSK is the most “advanced” today. Even somewhat outdated methods that require a username and password, and also involve encryption of confidential data during transmission and reception, look, to put it mildly, like baby talk. And that's why.

Types of protection

So, let's start with the fact that until recently the WEP structure was considered the most secure connection security technology. It used key integrity verification when connecting any device wirelessly and was an IEEE 802.11i standard.

WPA2-PSK WiFi network protection works, in principle, almost the same, but it checks the access key at the 802.1X level. In other words, the system checks all possible options.

However, there is a newer technology called WPA2 Enterprise. Unlike WPA, it requires not only a personal access key, but also the presence of a Radius server providing access. Moreover, such an authentication algorithm can operate simultaneously in several modes (for example, Enterprise and PSK, using AES CCMP level encryption).

Basic protection and security protocols

Just like those of the past, modern security methods use the same protocol. This is TKIP (WEP security system based on software update and RC4 algorithm). All this requires entering a temporary key to access the network.

As practical use has shown, such an algorithm alone did not provide particularly secure connections to a wireless network. That's why new technologies were developed: first WPA and then WPA2, complemented by PSK (personal key access) and TKIP (temporary key). In addition, it also included transmit-receive data, today known as the AES standard.

Outdated technologies

The WPA2-PSK security type is relatively new. Before this, as mentioned above, the WEP system was used in combination with TKIP. TKIP protection is nothing more than a means of increasing the bit depth of the access key. At the moment, it is believed that the basic mode allows you to increase the key from 40 to 128 bits. With all this, you can also change a single WEP key to several different ones, generated and sent automatically by the server itself, which authenticates the user upon login.

In addition, the system itself involves the use of a strict hierarchy of key distribution, as well as a technique that allows you to get rid of the so-called predictability problem. In other words, when, say, for a wireless network using WPA2-PSK security, the password is set in the form of a sequence like “123456789”, it is not difficult to guess that the same key and password generator programs, usually called KeyGen or something like that, can automatically generate the next four characters when you enter the first four. Here, as they say, you don’t need to be a unique person to guess the type of sequence used. But this, as is probably already understood, is the simplest example.

As for the user's date of birth in the password, this is not discussed at all. You can easily be identified using the same registration data on social networks. Digital passwords of this type themselves are absolutely unreliable. It’s better to use numbers, letters, as well as symbols (you can even use non-printable ones, provided you specify a combination of “hot” keys) and space. However, even with this approach, WPA2-PSK can be cracked. Here it is necessary to explain the operating methodology of the system itself.

Typical access algorithm

Now a few more words about the WPA2-PSK system. What is this in terms of practical application? This is a combination of several algorithms, so to speak, in operating mode. Let's explain the situation with an example.

Ideally, the sequence of execution of the procedure for protecting the connection and encrypting transmitted or received information comes down to the following:

WPA2-PSK (WPA-PSK) + TKIP + AES.

In this case, the main role is played by the public key (PSK) with a length of 8 to 63 characters. In what exact sequence the algorithms will be used (whether encryption occurs first, or after transmission, or in the process using random intermediate keys, etc.) is not important.

But even with protection and an encryption system at the AES 256 level (meaning the bit depth of the encryption key), hacking WPA2-PSK for hackers knowledgeable in this matter will be a difficult task, but possible.

Vulnerability

Back in 2008, at the PacSec conference, a technique was presented that allows you to hack a wireless connection and read the transmitted data from the router to the client terminal. All this took about 12-15 minutes. However, it was not possible to hack the reverse transmission (client-router).

The fact is that when the QoS router mode is turned on, you can not only read the transmitted information, but also replace it with fake information. In 2009, Japanese experts presented a technology that could reduce hacking time to one minute. And in 2010, information appeared on the Internet that the easiest way to hack the Hole 196 module present in WPA2 is to use your own private key.


There is no talk of any interference with the generated keys. First, a so-called dictionary attack is used in combination with brute force, and then the wireless connection space is scanned in order to intercept transmitted packets and subsequently record them. It is enough for the user to make a connection, and he is immediately deauthorized and the transmission of initial packets is intercepted (handshake). After this, you don't even need to be near the main access point. You can easily work offline. However, to perform all these actions you will need special software.

How to hack WPA2-PSK?

For obvious reasons, the complete algorithm for hacking a connection will not be given here, since this can be used as some kind of instruction for action. Let us dwell only on the main points, and then only in general terms.


As a rule, when directly accessing the router, it can be switched to the so-called Airmon-NG mode to monitor traffic (airmon-ng start wlan0 - renaming the wireless adapter). After this, traffic is captured and recorded using the airdump-ng mon0 command (tracking channel data, beacon speed, encryption speed and method, amount of data transferred, etc.).


Next, the command to fix the selected channel is used, after which the Aireplay-NG Deauth command is entered with accompanying values (they are not given for reasons of legality of using such methods).

After this (when the user has already been authorized when connecting), the user can simply be disconnected from the network. In this case, when you log in again from the hacking side, the system will repeat the login authorization, after which it will be possible to intercept all access passwords. Next, a window with a “handshake” will appear. Then you can launch a special file called WPACrack, which will allow you to crack any password. Naturally, no one will tell anyone exactly how it is launched. Let us only note that if you have certain knowledge, the entire process takes from several minutes to several days. For example, an Intel-level processor operating at a standard clock frequency of 2.8 GHz is capable of processing no more than 500 passwords per second, or 1.8 million per hour. In general, as is already clear, you should not delude yourself.

Instead of an afterword

That's it for WPA2-PSK. What it is, perhaps, will not be clear from the first reading. Nevertheless, I think any user will understand the basics of data protection and the encryption systems used. Moreover, today almost all owners of mobile gadgets face this. Have you ever noticed that when creating a new connection on the same smartphone, the system suggests using a certain type of security (WPA2-PSK)? Many simply do not pay attention to this, but in vain. In advanced settings, you can use a fairly large number of additional parameters to improve the security system.

Today, many people have a Wi-Fi router at home. After all, it is much easier to connect a laptop, a tablet, and a smartphone to the Internet wirelessly, and every family has more of these than people. The router is essentially the gateway to the information universe. Read: the front door. And it depends on this door whether an uninvited guest will come to you without your permission. Therefore, it is very important to pay attention to the correct configuration of the router so that your wireless network is not vulnerable.

I don’t think I need to remind you that hiding the access point’s SSID does not protect you. Restricting access by MAC address is not effective. Therefore, rely only on modern encryption methods and a complex password.

Why encrypt? Who needs me? I have nothing to hide

It is not so scary if someone steals the PIN code of your credit card and withdraws all the money from it, and even less so if someone surfs the Internet at your expense because they know the Wi-Fi password. And it is not so scary if they publish your photos from corporate parties where you look unsightly. It is much more painful when attackers get into your computer and delete the photos of how you picked up your son from the maternity hospital, how he took his first steps and went to first grade. Backups are a separate topic, and of course they need to be done... Over time, a reputation can be restored and money can be earned again, but the photographs that are dear to you are gone. I think everyone has something that they don't want to lose.
Your router is a border device between private and public, so make sure it is fully protected. Moreover, it is not so difficult.

Encryption technologies and algorithms

I'm leaving out the theory. It doesn’t matter how it works, the main thing is to know how to use it.
Wireless security technologies developed in the following chronological order: WEP, WPA, WPA2. Encryption methods RC4, TKIP, AES have also evolved.
The best in terms of security today is the WPA2-AES combination. This is exactly how you should try to configure Wi-Fi.

WPA2 has been mandatory since March 16, 2006. But sometimes you can still find equipment that does not support it. In particular, if your computer runs Windows XP without Service Pack 3, WPA2 will not work. Therefore, for compatibility reasons, routers offer configuration options such as WPA2-PSK -> AES+TKIP and a menagerie of other variants.
But if your fleet of devices is modern, then it is better to use WPA2 (WPA2-PSK) -> AES, as the most secure option today.

What is the difference between WPA(WPA2) and WPA-PSK(WPA2-PSK)

The WPA standard provides the Extensible Authentication Protocol (EAP) as the basis for the user authentication mechanism. An indispensable condition for authentication is the user's presentation of a certificate (otherwise called a credential) confirming his right to access the network. To obtain this right, the user is verified against a special database of registered users. Without authentication, the user will be prohibited from using the network. The registered user base and verification system in large networks are usually located on a special server (most often RADIUS).
Simplified Pre-Shared Key mode (WPA-PSK, WPA2-PSK) allows you to use one password, which is stored directly in the router. On the one hand, everything is simplified, there is no need to create and maintain a user base, on the other hand, everyone logs in with the same password.
At home, it is more advisable to use WPA2-PSK, that is, the simplified mode of the WPA standard. Wi-Fi security does not suffer from this simplification.

Wi-Fi access (encryption) password

Everything is simple here. The password for your wireless access point (router) must be more than 8 characters and contain letters in different case, numbers, and punctuation marks. And it should not be associated with you in any way. This means that dates of birth, your names, car numbers, phone numbers, etc. cannot be used as a password.
Since it is practically impossible to break WPA2-AES head-on (there were only a couple of cases simulated in laboratory conditions), the main methods of cracking WPA2 are a dictionary attack and brute force (sequential search of all password options). Therefore, the more complex the password, the less chance attackers have.

... in the USSR, automatic storage lockers became widespread at railway stations. The lock code was one letter and three digits. However, few people know that the first version of the lockers used 4 digits as the code. What difference does it make, it would seem? After all, the number of code combinations is the same: 10,000 (ten thousand). But as practice showed (especially that of the Moscow Criminal Investigation Department), when people were asked to use a 4-digit combination as the code for a locker, a great many used their year of birth (so as not to forget it), which attackers exploited quite successfully. After all, the first two digits of the year of birth of the absolute majority of the country's population were known: 19. All that remained was to estimate by eye the approximate age of the person checking in luggage, which any of us can do with an accuracy of +/- 3 years, and as a result we (more precisely, the attackers) get fewer than 10 combinations to try for the locker's access code...

Most popular password

Human laziness and irresponsibility take their toll. Here is a list of the most popular passwords:

  1. 123456
  2. qwerty
  3. 111111
  4. 123123
  5. 1a2b3c
  6. Date of Birth
  7. Cell phone number

Security rules when creating a password

  1. To each his own. That is, the router password should not match any other password you have, such as your e-mail password. Make it a rule that every account has its own password and that they are all different.
  2. Use strong passwords that cannot be guessed. For example: 2Rk7-kw8Q11vlOp0

The Wi-Fi password has one huge advantage. You don't need to remember it. You can write it on a piece of paper and stick it to the bottom of the router.
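The rules of this section can be checked mechanically before a password is typed into the router. The following is an added example, not code from the original article: the function names, the finding labels and the sample inputs are this example's own, and the search rate is the 500 passwords per second figure quoted earlier on this page.

```python
import datetime
import re
import string

# Rate quoted in this article for one 2.8 GHz CPU; real rates vary by hardware.
GUESSES_PER_SECOND = 500
SECONDS_PER_YEAR = 365 * 24 * 3600
# Literal entries of the article's "most popular passwords" list.
POPULAR = {"123456", "qwerty", "111111", "123123", "1a2b3c"}
# Character classes the article asks for, with the ASCII alphabet of each.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
}


def is_date(digits):
    """True if a 6- or 8-digit string is a valid calendar date in a common order."""
    if len(digits) == 8:
        candidates = [
            (digits[4:8], digits[2:4], digits[0:2]),  # DDMMYYYY
            (digits[4:8], digits[0:2], digits[2:4]),  # MMDDYYYY
            (digits[0:4], digits[4:6], digits[6:8]),  # YYYYMMDD
        ]
    elif len(digits) == 6:
        candidates = [  # two-digit years are assumed to mean 19xx
            ("19" + digits[4:6], digits[2:4], digits[0:2]),  # DDMMYY
            ("19" + digits[0:2], digits[2:4], digits[4:6]),  # YYMMDD
        ]
    else:
        return False
    for year, month, day in candidates:
        try:
            if 1900 <= int(year) <= 2099:
                datetime.date(int(year), int(month), int(day))
                return True
        except ValueError:
            continue
    return False


def audit(passphrase, personal_terms=()):
    """Check a Wi-Fi passphrase against the article's rules.

    personal_terms: names, car numbers and similar strings tied to the owner.
    Returns the findings plus the worst-case exhaustive-search time, which is
    an upper bound only: a dictionary attack finds a listed password at once.
    """
    findings = []
    if len(passphrase) <= 8:
        findings.append("too-short")          # article: more than 8 characters
    if len(passphrase) > 63:
        findings.append("too-long")           # WPA2 passphrase limit
    used = [n for n, chars in CLASSES.items() if any(c in chars for c in passphrase)]
    missing = [n for n in CLASSES if n not in used]
    if missing:
        findings.append("missing-classes: " + ", ".join(missing))
    if passphrase.lower() in POPULAR:
        findings.append("popular")
    digits = re.sub(r"[\s.\-/()+]", "", passphrase)
    if digits.isdigit():
        if is_date(digits):
            findings.append("date")
        if 7 <= len(digits) <= 15:
            findings.append("phone")
    if re.search(r"(19|20)\d\d", passphrase):
        findings.append("year")               # the storage-locker mistake
    lowered = passphrase.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            findings.append("personal: " + term)

    # Alphabet an exhaustive search must cover: every class in use, plus any
    # characters that belong to none of the four classes (spaces, non-ASCII).
    others = {c for c in passphrase if not any(c in ch for ch in CLASSES.values())}
    alphabet = sum(len(CLASSES[n]) for n in used) + len(others)
    keyspace = alphabet ** len(passphrase)
    seconds = keyspace / GUESSES_PER_SECOND
    return {
        "findings": findings,
        "alphabet": alphabet,
        "worst_case_seconds": seconds,
        "worst_case_years": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed samples: the article's strong example, a birth date, a listed password.
    for sample in ("2Rk7-kw8Q11vlOp0", "19051987", "qwerty"):
        result = audit(sample)
        print(sample, result["findings"], "%.3g years" % result["worst_case_years"])
```

The worst-case time assumes every combination has to be tried, so it says nothing useful about a password that already has findings.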

Guest Wi-Fi zone

If your router allows you to set up a guest zone, be sure to do it, and naturally protect it with WPA2 and a strong password. Then, when friends come to your home and ask for Internet access, you don't have to tell them your main password. Moreover, the guest zone in routers is isolated from the main network, so any problems with your guests' devices will not affect your home network.

What could be more important in our time than protecting your home Wi-Fi network :) This is a very popular topic, on which more than one article has been written on this site alone. I decided to collect all the necessary information on this topic on one page. Now we will look in detail at the issue of protecting a Wi-Fi network. I’ll tell you and show you how to protect Wi-Fi with a password, how to do it correctly on routers from different manufacturers, which encryption method to choose, how to choose a password, and what you need to know if you are planning to change your wireless network password.

In this article we will talk exactly about protecting your home wireless network. And about password protection only. If we consider the security of some large networks in offices, then it is better to approach security there a little differently (at least a different authentication mode). If you think that one password is not enough to protect your Wi-Fi network, then I would advise you not to bother. Set a good, complex password using these instructions and don't worry. It is unlikely that anyone will spend time and effort to hack your network. Yes, you can, for example, hide the network name (SSID) and set filtering by MAC addresses, but these are unnecessary hassles that in reality will only cause inconvenience when connecting and using a wireless network.

If you are deciding whether to protect your Wi-Fi or leave the network open, there can be only one answer: protect it. Yes, Internet access is unlimited, and almost everyone has their own router at home, but eventually someone will connect to your network. Why would you want that? Extra clients are an extra load on the router, and an inexpensive one simply won't withstand this load. Also, if someone connects to your network, they will be able to access your files (if a local network is configured) and your router settings.

Be sure to protect your Wi-Fi network with a good password with the correct (modern) encryption method. I recommend installing protection immediately when setting up the router. Also, it would be a good idea to change your password from time to time.

If you are worried that someone will hack your network, or has already done so, then simply change your password and live in peace. By the way, since you will still be logging into the control panel of your router, I would also recommend which one is used to enter the router settings.

Proper protection of your home Wi-Fi network: which encryption method to choose?

During the password setting process, you will need to select a Wi-Fi network encryption method (authentication method). I recommend installing only WPA2 - Personal, with encryption algorithm AES. For a home network, this is the best solution, at the moment the newest and most reliable. This is exactly the kind of protection that router manufacturers recommend installing.

This holds only on one condition: that you have no old devices that you want to connect to Wi-Fi. If, after setup, some of your old devices refuse to connect to the wireless network, you can set the WPA protocol (with the TKIP encryption algorithm). I do not recommend the WEP protocol, as it is outdated, insecure and easily hacked. Besides, there may be problems connecting new devices.

The combination of WPA2 - Personal with AES encryption is the best option for a home network. The key itself (password) must be at least 8 characters. The password must consist of English letters, numbers and symbols. The password is case sensitive. That is, “111AA111” and “111aa111” are different passwords.

I don’t know what router you have, so I’ll prepare short instructions for the most popular manufacturers.

If after changing or setting a password you have problems connecting devices to the wireless network, then see the recommendations at the end of this article.

I advise you to immediately write down the password that you will set. If you forget it, you will have to install a new one, or.

Protecting Wi-Fi with a password on Tp-Link routers

Connect to the router (via cable or Wi-Fi), launch any browser and open the address 192.168.1.1 or 192.168.0.1 (the address of your router, as well as the standard username and password, are indicated on the sticker on the bottom of the device). Enter your username and password. By default, these are admin and admin. I described entering the settings in more detail in a separate article.

In the settings, go to the tab Wireless (Wireless mode) - Wireless Security (Wireless Security). Select the protection method WPA/WPA2 - Personal (Recommended). In the drop-down menu Version (version), select WPA2-PSK. In the menu Encryption (encryption), set AES. In the field Wireless Password (PSK Password), enter a password to protect your network.

Setting a password on Asus routers

In the settings we need to open the tab Wireless network, and make the following settings:

  • In the "Authentication Method" drop-down menu, select WPA2 - Personal.
  • "WPA encryption" - install AES.
  • In the "WPA Pre-Shared Key" field, write down the password for our network.

To save the settings, click the button Apply.


Connect your devices to the network with a new password.

Protecting your D-Link router's wireless network

Go to the settings of your D-Link router at 192.168.0.1. You can see detailed instructions. In settings, open the tab WiFi - Security Settings. Set the security type and password as in the screenshot below.


Setting a password on other routers

We also have it for ZyXEL and Tenda routers. See the links:

If you haven't found instructions for your router, you can set up Wi-Fi network protection in your router's control panel, in the settings section called security settings, wireless network, Wi-Fi, Wireless, etc. I think finding it won't be difficult. And I think you already know what settings to set: WPA2 - Personal and AES encryption. And, of course, the key.

If you can't figure it out, ask in the comments.

What to do if devices do not connect after installation or password change?

Very often, after installation, and especially after changing the password, devices that were previously connected to your network do not want to connect to it. On computers, these are usually errors “The network settings saved on this computer do not meet the requirements of this network” and “Windows could not connect to...”. On tablets and smartphones (Android, iOS), errors such as “Could not connect to the network”, “Connected, protected”, etc. may also appear.

These problems can be solved by simply deleting the wireless network and reconnecting with a new password. I wrote how to delete a network in Windows 7. If you have Windows 10, then you need to “forget the network”. On mobile devices, press and hold your network and select "Delete".

If connection problems occur on older devices, then set the WPA security protocol and TKIP encryption in the router settings.

The lack of proper protection in a wireless network is a source of other dangers, since hackers can use special programs (sniffers) to identify all unprotected connections. This way, it will be easy for hackers to intercept your identification data from various services.

Hackers

As before, the two most popular security methods today are MAC address filtering and hiding the SSID (network name): these security measures will not keep you safe. In order to identify the network name, an attacker only needs a WLAN adapter, which switches to monitoring mode using a modified driver, and a sniffer - for example, Kismet. The attacker monitors the network until a user (client) connects to it. It then manipulates the data packets and thereby kicks the client off the network. When the user reconnects, the attacker sees the network name. It seems complicated, but in fact the whole process only takes a few minutes. Bypassing the MAC filter is also easy: the attacker determines the MAC address and assigns it to his device. Thus, the connection of an outsider remains unnoticed by the network owner.

If your device only supports WEP encryption, take immediate action - such a password can be cracked even by non-professionals in a few minutes.

Particularly popular among cyber fraudsters is the Aircrack-ng software package, which, in addition to the sniffer, includes an application for downloading and modifying WLAN adapter drivers, and also allows you to recover the WEP key. Well-known hacking methods are PTW and FMS/KoreK attacks, in which traffic is intercepted and a WEP key is calculated based on its analysis. In this situation, you have only two options: first, you should look for the latest firmware for your device, which will support the latest encryption methods. If the manufacturer does not provide updates, it is better to refuse to use such a device, because in doing so you are jeopardizing the security of your home network.

The popular advice to reduce Wi-Fi range only gives the appearance of protection. Neighbors will still be able to connect to your network, and attackers often use Wi-Fi adapters with a longer range.

Public hotspots

Places with free Wi-Fi attract cyber fraudsters because huge amounts of information pass through them, and anyone can use hacking tools. Public hotspots can be found in cafes, hotels and other public places. But other users of the same networks can intercept your data and, for example, take control of your accounts on various web services.

Cookie Protection. Some attack methods are truly so simple that anyone can use them. The Firesheep extension for the Firefox browser automatically reads and lists the accounts of other users, including Amazon, Google, Facebook and Twitter. If a hacker clicks on one of the entries in the list, he will immediately have full access to the account and will be able to change the user's data at his discretion. Firesheep does not crack passwords, but only copies active, unencrypted cookies. To protect yourself from such interceptions, you should use the special HTTPS Everywhere add-on for Firefox. This extension forces online services to always use an encrypted connection via HTTPS if supported by the service provider's server.

Android protection. In the recent past, widespread attention has been drawn to a flaw in the Android operating system, due to which scammers could gain access to your accounts in services such as Picasa and Google Calendar, as well as read your contacts. Google fixed this vulnerability in Android 2.3.4, but most devices previously purchased by users have older versions of the system installed. To protect them, you can use the SyncGuard application.

WPA 2

The best protection is provided by WPA2 technology, which has been used by computer equipment manufacturers since 2004. Most devices support this type of encryption. But, like other technologies, WPA2 also has its weak point: using a dictionary attack or the bruteforce method, hackers can crack passwords - however, only if they are unreliable. Dictionaries simply go through the keys stored in their databases - as a rule, all possible combinations of numbers and names. Passwords like “1234” or “Ivanov” are guessed so quickly that the hacker’s computer doesn’t even have time to warm up.

The bruteforce method does not involve using a ready-made database, but, on the contrary, selecting a password by listing all possible combinations of characters. In this way, an attacker can calculate any key - the only question is how long it will take him. NASA, in its security guidelines, recommends a password of at least eight characters, and preferably sixteen. First of all, it is important that it consists of lowercase and uppercase letters, numbers and special characters. It would take a hacker decades to crack such a password.

Your network is not yet fully protected, since all users within it have access to your router and can make changes to its settings. Some devices provide additional security features that you should also take advantage of.

First of all, disable the ability to manipulate the router via Wi-Fi. Unfortunately, this feature is only available on certain devices, such as Linksys routers. All modern router models also have the ability to set a password for the management interface, which allows you to restrict access to settings.

Like any program, the router firmware is imperfect - small flaws or critical holes in the security system are not excluded. Usually information about this instantly spreads across the Internet. Check regularly for new firmware for your router (some models even have an automatic update feature). Another advantage of flashing firmware is that it can add new functions to the device.

Periodic analysis of network traffic helps to recognize the presence of uninvited guests. In the router management interface you can find information about which devices connected to your network and when. It is more difficult to find out how much data a particular user has downloaded.

Guest access - a means of protecting your home network

If you protect your router with a strong password using WPA2 encryption, you will no longer be in any danger. But only until you share your password with other users. Friends and acquaintances who, with their smartphones, tablets or laptops, want to access the Internet through your connection are a risk factor. For example, the possibility that their devices are infected with malware cannot be ruled out. However, you won't have to refuse your friends because of this, since top-end router models, such as the Belkin N or Netgear WNDR3700, provide guest access specifically for such cases. The advantage of this mode is that the router creates a separate network with its own password, and the home one is not used.

Security Key Reliability

WEP (Wired Equivalent Privacy). Uses a pseudo-random number generator (the RC4 algorithm) to obtain the key, as well as initialization vectors. Since the latter component is not encrypted, third parties can intervene and recreate the WEP key.

WPA (Wi-Fi Protected Access). Based on the WEP mechanism, but offers a dynamic key for extended security. Keys generated using the TKIP algorithm can be cracked using the Beck-Tews or Ohigashi-Morii attack. To do this, individual packets are decrypted, manipulated, and sent back to the network.

WPA2 (Wi-Fi Protected Access 2). Uses the reliable AES (Advanced Encryption Standard) algorithm for encryption. Along with TKIP, the CCMP protocol (Counter-Mode/CBC-MAC Protocol) has been added, which is also based on the AES algorithm. Until now, a network protected by this technology could not be hacked. The only option for hackers is a dictionary attack or the “brute force method”, where the key is found by guessing, but with a complex password it is impossible to guess it.

Let's briefly explain what WEP, WPA and WPA2 are and what the difference is between them.

WEP

Explanation: Wired Equivalent Privacy. Translated as Security equivalent to a wired connection. Apparently, the inventors overestimated the reliability of this type of protection when they gave it its name.

WEP is a legacy wireless security mode. Provides a low level of protection. In Windows security mode, WEP is often called Open, i.e. open type.

WPA

Explanation: Wi-Fi Protected Access (protected Wi-Fi access)

Divided into 2 subspecies:

  • WPA-Personal (-Personal Key or -PSK)
  • WPA-Enterprise.

WPA-PSK

This option is suitable for home use. To authorize on the network, you only need a security key.

WPA-Enterprise

This is a more advanced option for corporate networks that provides a higher level of security. A RADIUS server is required for authorization.

WPA2

WPA2 is a more modern and improved version of WPA security. Likewise, it can work in both modes: PSK and Enterprise. It differs in that it supports the AES CCMP encryption type.

What's better? WEP, WPA or WPA2?

On modern equipment, in most cases the best option is WPA2-PSK with the AES encryption type.

What should I do if I don't know what type of security the wifi network uses?

If you don't know what encryption is used on your access point (router), disconnect from the network and then connect again. You only have to enter the security key. In this case, the security mode will be selected automatically.

WPA2 (Wi-Fi Protected Access ver. 2.0) is the second version of a set of algorithms and protocols that provide data protection in Wi-Fi wireless networks. As expected, WPA2 should significantly improve the security of Wi-Fi wireless networks compared to previous technologies. The new standard provides, in particular, for the mandatory use of the more powerful AES (Advanced Encryption Standard) encryption algorithm and 802.1X authentication.

Today, to ensure a reliable security mechanism in a corporate wireless network, it is necessary (and mandatory) to use devices and software that support WPA2. Previous generations of protocols - WEP and WPA - contain elements with insufficiently strong security and encryption algorithms. Moreover, programs and techniques have already been developed to hack WEP-based networks that can be easily downloaded from the Internet and successfully used even by untrained novice hackers.

WPA2 protocols operate in two authentication modes: personal (Personal) and corporate (Enterprise). In WPA2-Personal mode, a 256-bit PSK (PreShared Key) is generated from the plaintext passphrase entered. The PSK key together with the SSID (Service Set Identifier) are used to generate PTK (Pairwise Transient Key) temporary session keys for the interaction of wireless devices. Like the static WEP protocol, the WPA2-Personal protocol has certain problems associated with the need to distribute and maintain keys on wireless devices on the network, which makes it more suitable for use in small networks of a dozen devices, while WPA2-Enterprise is optimal for corporate networks.
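The passphrase-to-PSK step described above, as an added example that is not code from the original article: IEEE 802.11i derives the 256-bit PSK with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations. The function names are this example's own; the test vector is the published IEEE 802.11i one for passphrase "password" and SSID "IEEE", and "HomeNet" is a constructed SSID.

```python
import hashlib
import hmac
import string

ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_BYTES = 32      # 256-bit PSK

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def pbkdf2_sha1(password, salt, iterations, dklen):
    """PBKDF2 written out by hand to show where the work goes.

    SHA-1 yields 20 bytes per block, so a 32-byte PSK needs two blocks and
    therefore 2 * 4096 chained HMAC calls for every passphrase processed.
    """
    out = b""
    block = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]


def derive_psk(passphrase, ssid):
    """Return the 32-byte PSK for a passphrase on the network named ssid."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("a WPA2 passphrase uses printable ASCII only")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               ITERATIONS, PSK_BYTES)


def psk_from_config_value(value, ssid):
    """Accept either form of key: 64 hex digits (the PSK itself) or a passphrase."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value)
    return derive_psk(value, ssid)


if __name__ == "__main__":
    psk = derive_psk("password", "IEEE")
    print("matches IEEE vector:", psk.hex() == IEEE_VECTOR)
    print("manual PBKDF2 agrees:",
          pbkdf2_sha1(b"password", b"IEEE", ITERATIONS, PSK_BYTES) == psk)
    # The SSID is the salt: the same passphrase gives an unrelated key elsewhere.
    print("HomeNet PSK:", derive_psk("password", "HomeNet").hex())
```

Because the SSID is the salt, the same passphrase produces unrelated keys on differently named networks, and renaming a network changes its PSK even when the passphrase stays the same.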

WPA2-Enterprise mode addresses the challenges of static key distribution and management, and its integration with most enterprise authentication services provides account-based access control. This mode requires credentials such as a user name and password, a security certificate, or a one-time password, and authentication is performed between the workstation and a central authentication server. The access point or wireless controller monitors connections and forwards authentication requests to the appropriate authentication server (typically a RADIUS server such as Cisco ACS). WPA2-Enterprise mode is based on the 802.1X standard, which supports user and device authentication, suitable for both wired switches and wireless access points.



Unlike WPA, the stronger AES encryption algorithm is used. Similar to WPA, WPA2 is also divided into two types: WPA2-PSK and WPA2-802.1x.

Provides new, more reliable mechanisms for ensuring data integrity and confidentiality:

  • CCMP (Counter-Mode-CBC-MAC Protocol), based on the Counter Cipher-Block Chaining Mode (CCM) of the Advanced Encryption Standard (AES) encryption algorithm. CCM combines two mechanisms: Counter (CTR) for confidentiality and Cipher Block Chaining Message Authentication Code (CBC-MAC) for authentication.
  • WRAP (Wireless Robust Authentication Protocol), based on the Offset Codebook (OCB) mode of the AES encryption algorithm.

  • TKIP protocol for backward compatibility with legacy equipment.
  • Mutual authentication and key delivery based on IEEE 802.1x/EAP protocols.
  • Secure Independent Basic Service Set (IBSS) to enhance security in Ad-Hoc networks.
  • Roaming support.

The CCMP mechanism and the IEEE 802.11i standard contribute to the security of wireless networks. The latter introduces the concept of a secure network (Robust Security Network, RSN) and a secure network connection (Robust Security Network Association, RSNA), after which it divides all algorithms into:

  • RSNA algorithms (for creating and using RSNA);
  • Pre-RSNA algorithms.

Pre-RSNA algorithms include:

existing IEEE 802.11 authentication (referring to the authentication defined in the 1999 edition of the standard).

That is, these types of algorithms include Open System authentication with or without WEP encryption (more precisely, no authentication) and Shared Key.

RSNA algorithms include:

  • TKIP;
  • CCMP;
  • RSNA establishment and termination procedure (including the use of IEEE 802.1x authentication);
  • key exchange procedure.

At the same time, the CCMP algorithm is mandatory, and TKIP is optional and is intended to ensure compatibility with older devices.

The standard provides two functional models: with authentication via IEEE 802.1x, i.e. using the EAP protocol, and using a predefined key registered on the authenticator and client (this mode is called Preshared Key, PSK). In this case, the PSK key acts as a PMK key, and the further procedure for their authentication and generation is no different.

Since encryption algorithms using the TKIP procedure are already called WPA, and the CCMP procedure is WPA2, we can say that encryption methods that satisfy RSNA are: WPA-EAP (WPA-Enterprise), WPA-PSK (WPA-Preshared Key, WPA-Personal), WPA2-EAP (WPA2-Enterprise), WPA2-PSK (WPA2-Preshared Key, WPA2-Personal).

The connection establishment and key exchange procedure for the TKIP and CCMP algorithms is the same. CCMP itself (Counter mode (CTR) with CBC-MAC (Cipher-Block Chaining (CBC) with Message Authentication Code (MAC)) Protocol), like TKIP, is designed to provide confidentiality, authentication, integrity and protection against replay attacks. This algorithm is based on the CCM method of the AES encryption algorithm, which is defined in the FIPS PUB 197 specification. All AES processes used in CCMP use AES with a 128-bit key and a 128-bit block size.

The latest innovation of the standard is support for fast roaming technology between access points using PMK key caching and pre-authentication.

The PMK caching procedure is that if a client has once passed full authentication when connecting to some access point, then it stores the PMK key received from it, and the next time it connects to this point, the client will send an earlier received PMK key. This will end the authentication, i.e. the 4-Way Handshake will not be performed.

The pre-authentication procedure is that, after the client has connected and authenticated to an access point, it can simultaneously (in advance) authenticate to other access points (which it “hears”) with the same SSID, i.e. receive their PMK keys in advance. Then, if the access point to which it is connected fails, or its signal turns out to be weaker than that of another point with the same network name, the client will reconnect using the quick scheme with a cached PMK key.

The WEP2 specification, which appeared in 2001, which increased the key length to 104 bits, did not solve the problem, since the length of the initialization vector and the method for checking data integrity remained the same. Most types of attacks were implemented as simply as before.

Conclusion

In conclusion, I would like to summarize all the information and give recommendations for protecting wireless networks.

There are three mechanisms for securing a wireless network: configure the client and AP to use the same (non-default) SSID, allow the AP to communicate only with clients whose MAC addresses are known to the AP, and configure clients to authenticate to the AP and encrypt traffic. Most APs are configured to operate with a default SSID, no list of allowed client MAC addresses, and a known shared key for authentication and encryption (or no authentication or encryption at all). Typically, these settings are documented in the online help on the manufacturer's Web site. These options make it easy for an inexperienced user to set up and start using a wireless network, but at the same time, they make it easier for hackers to break into the network. The situation is aggravated by the fact that most access nodes are configured to broadcast the SSID. Therefore, an attacker can find vulnerable networks using standard SSIDs.

The first step to a secure wireless network is to change the default AP SSID. Additionally, this setting must be changed on the client to enable communication with the AP. It is convenient to assign an SSID that makes sense to the administrator and users of the enterprise, but does not clearly identify this wireless network among other SSIDs that are intercepted by unauthorized persons.

The next step is to block the access node from broadcasting the SSID if possible. As a result, it becomes more difficult (although still possible) for an attacker to detect the presence of a wireless network and SSID. In some APs, you cannot cancel the SSID broadcast. In such cases, you should increase the broadcast interval as much as possible. In addition, some clients can communicate only if the SSID is broadcast by the access node. Therefore, you may need to experiment with this setting to determine which mode is appropriate for your specific situation.

You can then allow access nodes to be accessed only from wireless clients with known MAC addresses. This may not be appropriate for a large organization, but for a small business with a small number of wireless clients, it is a reliable additional line of defense. Attackers will need to figure out the MAC addresses that are allowed to connect to the enterprise AP and replace the MAC address of their own wireless adapter with an authorized one (on some adapter models, the MAC address can be changed).

Selecting authentication and encryption options can be the most difficult part of securing a wireless network. Before you assign settings, you should inventory the access nodes and wireless adapters to determine the security protocols they support, especially if your wireless network is already configured with a variety of equipment from different vendors. Some devices, especially older APs and wireless adapters, may not be compatible with WPA, WPA2, or extended length WEP keys.

Another situation to be aware of is that some older devices require users to enter a hexadecimal number representing the key, while other older APs and wireless adapters require users to enter a passphrase that converts to a key. As a result, it is difficult to ensure that one key is used by all equipment. Owners of such equipment can use resources such as WEP Key Generator to generate random WEP keys and convert passphrases to hexadecimal numbers.

In general, WEP should only be used when absolutely necessary. If using WEP is mandatory, you should choose keys of the maximum length and configure the network to Open mode instead of Shared. In Open mode, no client authentication is performed, and anyone can establish a connection with access nodes. These preliminary connections partially load the wireless communication channel, but attackers who have established a connection to the AP will not be able to continue exchanging data because they do not know the WEP encryption key. You can even block preliminary connections by configuring the AP to accept connections only from known MAC addresses. Unlike Open, in Shared mode the access node uses the WEP key to authenticate wireless clients in a challenge-response procedure, and an attacker can decrypt the sequence and determine the WEP encryption key.

If you can use WPA, you must choose between WPA, WPA2 and WPA-PSK. The main factor when choosing WPA or WPA2 on the one hand, and WPA-PSK on the other, is the ability to deploy the infrastructure necessary for WPA and WPA2 to authenticate users. WPA and WPA2 require the deployment of RADIUS servers and possibly Public Key Infrastructure (PKI). WPA-PSK, like WEP, works with a shared key known to the wireless client and the AP. You can safely use the WPA-PSK shared key for authentication and encryption, since it does not have the disadvantage of WEP.
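An added example (not from the original article) for the key-entry mismatch and the WPA-PSK shared key discussed above. The 802.11 standard defines no passphrase conversion for WEP, so the code generates and validates hexadecimal WEP keys, while a WPA-PSK passphrase maps to a 256-bit key through PBKDF2-HMAC-SHA1 salted with the SSID, so the same passphrase yields a different key under a non-default SSID. Function names and sample values are assumptions.

```python
import hashlib
import secrets
import string

WEP_HEX_LENGTHS = {10: 40, 26: 104}  # hex digits entered -> key length in bits

def new_wep_key(bits=104):
    """Return a random WEP key as hex, the form to enter on every device."""
    if bits not in WEP_HEX_LENGTHS.values():
        raise ValueError("WEP keys are 40 or 104 bits")
    return secrets.token_hex(bits // 8).upper()

def wep_key_bits(hex_key):
    """Validate a hex-entered WEP key and return its length in bits."""
    cleaned = hex_key.replace(":", "").replace("-", "").strip()
    if not cleaned or any(c not in string.hexdigits for c in cleaned):
        raise ValueError("WEP key must be hexadecimal")
    if len(cleaned) not in WEP_HEX_LENGTHS:
        raise ValueError("expected 10 or 26 hex digits")
    return WEP_HEX_LENGTHS[len(cleaned)]

def wpa_psk(passphrase, ssid):
    """Map a WPA-PSK passphrase to the 256-bit key (as hex) for one SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return key.hex()

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    key = new_wep_key()
    print("WEP hex key:", key, "->", wep_key_bits(key), "bits")
    for ssid in ("default", "office-7f"):
        print(ssid, wpa_psk("constructed sample passphrase", ssid))
```

A device that accepts only the 64-digit hexadecimal form of a WPA-PSK key can be given the output of `wpa_psk` for the network's SSID, so it ends up with the same key as devices that take the passphrase.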
