Your Home WiFi is a gateway to your most private information, take a moment to secure it.

You’ve opened the box for your brand new shiny home wireless router, plug it in and sign in to your new home WiFi. Navigating to the setup page, your presented with lots of perhaps unfamiliar options. For new users, all of the terms used, it can get confusing and lead to a network that is a prime target for local hackers to test their chops.You may say to yourself, “Why would anyone want to hack my WiFi?”. The answer may surprise you: because they can. If you provide yourself as the easiest target in the area, than anyone who can read a set of instructions on google (or even here on Shadowless) can begin to attack your network.

So lets get to the common configuration options as it comes to WiFi and then what you need to do for maintenance of your network. This wont be a guide on the very basics of wireless, as it really doesn’t matter if you understand the physics behind the system to make sure its configured right.

WiFi Settings in Netgear RouterWhoa, why are there two networks to set up?

Most modern WiFi Routers contain settings for two separate wireless networks. These are generally labelled as 2.4GHz, and 5GHz. This refers to the portions of the radio frequency spectrum that are unlicensed and that are used by WiFi and other consumer products. Some things to note:

  • 2.4GHz is based on older technology, and because of the amount of available spectrum around the world; is considered to be the more ‘legacy’ band.
  • 2.4GHz has been open longer, and therefore it shares spectrum with other common technologies such as Bluetooth and Cordless phones. Lots of consumer electronics operate in the 2.4GHz band, and can cause interference with your WiFi.
  • Microwaves also emit radiation in the 2.4GHz spectrum. Operating a Microwave in the same vicinity as your WiFi can cause your devices to not connect properly.
  • The newer 802.11ac WiFi specification only operates in the 5GHz band.

Luckily for us, both networks can accept much of the same information. We’ll need to configure a few things for each network.

SSIDs, whats in a name.

(e)SSID/Name – This is the name that gets broadcast in the Air. When you look for wireless networks on your device, these are the names you’d see in the list.

  • Pick a name that does not share any information about you, or your location. Don’t pick “Ayka’s WiFi” or “Apartment B” or anything that could give an attacker more information about the network.
  • Some routers allow you to “hide” the SSID, do not do this. Hiding an SSID offers no protection to even a novice, and can cause issues with some devices.
  • Don’t pick a common used name, and don’t leave this as default. Some common attacks on WiFi Networks use precomputed tables that rely on matching the SSID. By not using a common SSID, you lower the chance of an attacker having a table that matches your SSID. A random string of Characters and Numbers is your best bet.

Security Types (AKA: You pick WPA2)

There are several options that get displayed for Security Type, and there is only one right answer. I’ve always questioned why legacy security methods are still so easy to pick on a consumer device, but the answer lies in backwards compatibility. Devices
such as the original Nintendo 3DS do not support modern encryption schemes.

  • WPA 2 Personal: This is the option 99% of people should be picking. WPA2 Personal, if your router gives you an option between TKIP and AES, you’ll need to pick AES.
  • WPA 2 Enterprise: This option allows you to use certificate-based or credential-based authentication, since it requires specialized software in the form of a user database, and a radius authentication server; its generally considered overkill for most home users. This is for the additional 1% of power users who have a home lab.
  • WPA (TKIP): Older encryption option that has been broken.
  • WPA & WPA2: Some routers offer a “compatibility” mode that includes both WPA and WPA2.. don’t do this. You inherit all of the problems of WPA; and likely none of the compatibility that it would provide. An overwhelming majority of devices support WPA2.
  • WEP (64 or 128): Garbage. If you select this you deserve it when your identity gets stolen off your home network. On another note, check out our WEP Hacking tutorial to see just how easy it is to crack these networks yourself.
  • Open: No.

Picking a Key.

WiFi Password Entry on OSXThis is the key you type into your device when you join your WPA2 Personal Network; you did select WPA2 Personal for the Security Type right? Arguably, this is the most important part of all of the choices you’ll make. Currently, the only commonly known attacks vs. a WPA2 Encrypted network essentially boil down to “guess” the key. We can use that to our advantage. One thing to take note, there is always a trade off between security, and convenience.

The key we pick here won’t be easy to type, and even harder to remember.

  • The key needs to contain both Letters, Number and Symbols.
    • Valid symbols include:  a-z, A-Z, 0-9, $@^`,|%;.~()/\{}:?[]=-+_#!
  • Keys are allowed to contain between 8 and 63 Characters.
  • Your Key needs to contain at least twenty characters, ideally over 32.
  • Your key should have no “words”, no dates, and be completely random.
    • You can use to generate a password.
  • Examples could include:
    • B15c77bD!!bVse__vs!7H!#H^e2xEx6w
    • W=b?u!Y2lX50$WvZY#jIMf6aR0R_hFR6
    • C#uxJoAg0Y_fGv@l&RVKm3oZLINyUWow
If you’re uncomfortable with a completely random Key, picking a series of random words, and mixing in numbers and punctuation should be sufficient for most home users as long as it ends up longer than 32 Characters. It would also be easier to remember if you don’t want to, or can’t, write it down.Akay

You’ll likely need to write these passwords down. Do so on paper. Store that piece of paper no where near your Wireless Router, and away from prying eyes.

As long as you’ve selected a Random SSID, selected WPA2, and a passcode of at least 20 Characters you’ll be reasonably secure. Someone with enough computing resources could theoretically crack your passcode, but doing so would take an unreasonable amount of resources; the likes of which are generally only achieved by Government entities.


Maintaining your WiFi

Simply securing your WiFi does not make you safe forever. Wireless keys are stored in insecure ways on client devices, so if your key is compromised through other methods (such as someone gained physical access to a PC that had it entered) its possible for someone to simply just type it into their client.

As such, you should do the following maintenance on a minimum of monthly basis.

  • Change your WiFi Password. Simply generate a new character string and replace your previous key. This is going to suck, as you’ll need to then type it into your devices again. Direct trade off of Convenience vs. Security.
  • Update your router firmware. Most routers have a function that will alert you to the presence of an update; you should take advantage of this.

If your curious as to why any of this is actually required, check out some of our articles on Wireless-based Attacks that can compromise weak WPA2 Passcodes, and take out WEP Encrypted networks in a few command lines arguments.

If you have any questions, drop them in the comments below: or check us out on IRC.