Every WiFi router should use WPA or better security, as well as AES encryption. The pre-shared key should follow strong password guidelines, being comprised of random letters, numbers, mixed case, and symbols. While the minimum is 8 characters, 14 or more is recommended.
Hackers have been able to easily crack all of the security modes. WEP is no longer recommended at all as a result. Cracking tools allow hackers to record the conversations between connected devices and WiFi routers, and then allows them to either brute force or guess the passphrase/pre-shared keys configured by the WiFi routers. Similarly, TKIP has been abandoned as a cipher in favour of AES, as it proved easier to crack as well.
Unless there is a good reason to allow anybody to use a WiFi router, WiFi security should be enabled. This rates 4/5 shields only because even the strongest WiFi security today can be easily compromised due to other factors such as security mode (WEP vs. WPA vs. WPA2), encryption (TKIP vs AES), and choice of passphrase (memorable versus really strong and random) impacting how hackable this feature is.
The above screen shows the lab WiFi router configuration screen, configured to use WPA-Personal, either WPA or WPA2 modes, and AES for the cipher. The pre-shared key/passphrase is 10 characters long.
The screen above is the cracking result of “guessing” the pre-shared key used by the WiFi router. Despite using WPA and AES, the passphrase was still successfully guessed in 6 seconds!
This highlights why it is important to use a random string of mixed upper and lower case letters, numbers, and symbols in place of easily remembered phrases. The cracking software used a list of well-known passwords that have been revealed by previously publicized hacks. In this case, the “RockYou” password list of over 1 million common passwords was used as a dictionary by the cracking software. It turns out that the phrase “roadrunner” that was used by the lab WiFi router configuration was near the top of the list!
Had a proper mix of random characters been used, then a dictionary attack as shown above would have failed. Instead, a brute-force attack that generated all possible combinations of characters would have to be employed. The result? Depending on the length of the passphrase, it would have taken somewhere between 1 second and millions of years to successfully find the passphrase. A lot safer!