How to increase the security of your WiFi
Has your internet been slow lately? Or has there been odd behavior on the network? Chances are that you have some freeloaders on your network. In the worst case, someone might even be recording your traffic. But don’t worry, there are quite a few handy ways to prevent people from joining your network without your permission.
Disclaimer: someone who really wants to will get access
If someone really wants to get access to your wireless network and has above-average technical knowledge, they will be able to do so given enough time. Your freeloading neighbors, however, probably won’t have the technical skills required to hack a network, so taking some simple precautions will most likely ward off 99% of the people trying to get in.
Password protect your network
An unprotected network will definitely be the victim of freeloading neighbors when it’s just a simple click away for them to join and start using. If you put a password on your network it will require them to either hack your network or do some good guesswork.
What encryption should be selected when setting the password?
When setting a password for your network you can choose what type of encryption it should use. The most common and strongest one to date is WPA2, and most devices will be able to connect to it. In some cases, you might need to choose WPA to get some older smartphones to be able to connect.
Wired Equivalent Privacy (WEP) was created back in 1997 and was “retired” in 2004 when its successor WPA came around. The main reason for its retirement was that it is ridiculously easy to hack in a matter of minutes with some software (e.g. aircrack-ng) and an old laptop.
WPA was created in 2003 as an intermediate alternative to WEP, which by that time was no longer secure. Most network interfaces could partially support it through firmware upgrades, but not all hardware would support it. The encryption used is PSK or TKIP and it is stronger because it varies the encryption keys for every packet, something that WEP didn’t do.
The successor to WPA, WPA2, came in 2004 and used a stronger encryption called AES (which is approved by the U.S. government for security), so it should probably be good enough for your internet needs as well. All wireless hardware since 2006 has support for both WPA and WPA2, as it became a requirement for the WiFi certification. WPA2 is today used as the default setting for new routers and their passwords.
Use a strong password
Although WPA and WPA2 are considered secure, there are various ways they can be broken. One common reason for hacked networks is the use of weak passwords. The recommendation is to use a password that is not a common word, as those can easily be tested from a dictionary. Mixing uppercase and lowercase characters, numbers and special characters is also good. Another good way to increase the strength is to make the password longer. A password longer than 20 characters will take too long to guess and can be easily remembered if you make it a phrase or common words (see this xkcd comic).
- A strong password won’t be easy or quick to hack
- A complex password can be hard to remember
- A long password might be hard to type correctly (especially on mobile)
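The advice above written as a check, added here as an example and not part of the original article. It runs on the two passwords the article compares in its recommendations; `COMMON_WORDS` is a constructed mini wordlist and the guess rate is an assumption. The bit count is an upper bound, because a phrase built from common words is less random than its length suggests.

```python
import math
import string

# Constructed mini wordlist for the demo; a real check would load a large one.
COMMON_WORDS = {"password", "welcome", "internet", "wireless", "letmein", "qwerty"}
# Undo common character substitutions before the dictionary lookup.
UNLEET = str.maketrans("4@3105$7", "aaeiosst")
ASSUMED_GUESSES_PER_SECOND = 1_000_000  # assumption, not a measured rate
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw):
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 punctuation characters plus space
    return size


def check_passphrase(pw):
    """Check a WPA/WPA2 passphrase against the article's advice."""
    issues = []
    # WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(pw) <= 63 or any(not 32 <= ord(c) <= 126 for c in pw):
        issues.append("not a valid WPA/WPA2 passphrase (8-63 printable ASCII)")
    if pw.lower().translate(UNLEET) in COMMON_WORDS:
        issues.append("dictionary word once substitutions are undone")
    if len(pw) <= 20:
        issues.append("20 characters or fewer")
    # Upper bound: assumes every character is chosen at random.
    size = charset_size(pw)
    bits = len(pw) * math.log2(size) if size else 0.0
    years = 2 ** bits / ASSUMED_GUESSES_PER_SECOND / SECONDS_PER_YEAR
    return {"bits": round(bits, 1), "years_to_exhaust": years, "issues": issues}


if __name__ == "__main__":
    for candidate in ("p4$$W0rD", "thisismyawesomelongpassword"):
        print(candidate, check_passphrase(candidate))
```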
Disable WPS if you don’t use it
Wi-Fi Protected Setup or WPS is a handy little feature on routers that allows you to connect to the wireless either by giving a simple PIN number or by clicking the WPS button on the router and at the same time on the device. There is, however, a big security problem with this as the WPS PIN number can be brute-forced in under 4 hours, which is not optimal at all.
So if you don’t use the WPS feature on your router/modem, just disable it from the web interface to prevent it being hacked.
- Remove one security hole in your router
- No simple PIN to connect to router (password still works though)
- No WPS “click to connect” functionality
MAC filtering is another way to limit/give access to the network. Every network device has its own unique address consisting of numbers mixed with letters combined into 6 groups of 2. Here’s an example address: b4:b2:76:22:8f:1f
By using the MAC address you can simply either
- Block access to the network for an address
- Give access to the network for an address
The downside with MAC filtering is that it will only work to prevent the average person from getting access. An experienced person will simply sniff for MAC addresses of already allowed devices and spoof its own address when connecting.
- Will prevent the average Joe/Jane from accessing your network.
- MAC addresses can be sniffed and spoofed and
- When connecting more devices you will have to log in to the web interface of the router and give access to them. This can be especially annoying if you have friends over.
Hiding the SSID of your network
Another way to prevent people from trying to connect to your network is to hide the SSID of your network so that they won’t be able to see it in their list of available networks. This can prevent people from easily finding your network and starting to guess the passwords.
- Average Joe/Jane can’t find the network and start guessing passwords
- An experienced person can still find the SSID by sniffing the network traffic.
When a user connects to the network, the router automatically assigns an IP address to that device; this is what’s called DHCP. If you disable it, then every device needs to be manually configured to have an IP address for connecting to the router. A regular Joe/Jane probably won’t know how to do this either and therefore won’t be able to use the network. The downside is that a technical person will easily find it out and set an IP.
- Connecting to the network will require that the person knows what IP address to be set
- Anyone skilled with technical stuff will figure this out and be able to access the network
- Having to manually set up each device with a static IP
Other things to consider
These are some other things that you can do to make it a bit harder for a neighbour to figure out how to connect to your network.
This is a bit more out there and might seem a little paranoid, but if you know who is leeching on your network and where they are located you can block the signal or make it much weaker by shielding the signal in that direction.
This works because WiFi signals are basically radio frequencies, and they don’t travel too well through aluminum, for example, so the signals can easily be shielded / redirected with some aluminum. This won’t totally remove the signal but will at least make it weaker and less reliable.
So if for example, a neighbor is stealing your WiFi you can place aluminum foil between the antenna(s) and the direction of your neighbor. One added benefit of this is also that the signal in the other direction will become a bit boosted because of the reflection.
Change default network name
Leaving the wireless network name (also known as SSID) at the default will most likely give away what type of router you have. Knowing what router you have will also give away what security measures there are to consider when hacking it. For example, by reading the manual for the router, the default username/password for the web interface will be known (unless you’ve changed it).
Change web interface default username / password
In case someone has access to your network, make sure that you have changed the default username / password so that no one will be able to go and make changes to your network.
All in all, there are many ways you can make it harder for an unauthorized person to get access to a network. Some of the tricks listed above might be overkill and actually make it harder for yourself and friends to use it. But usually, the following rule applies: The easier it is to connect for an authorized person, the easier it is to hack for an unauthorized person.
Our recommendation is that you
- Set the wireless security to WPA2
- Set a long or complex password for the WiFi network
- A long password phrase is easier to remember and will take longer to brute-force. (compare p4$$W0rD to thisismyawesomelongpassword)
- Disable the WPS functionality (unless you use it often)
- Change the network name to something other than default
- Why not have a little fun at the same time?
- Change the default username/password to the router's web-interface
That way you’ll be secure for 99% of the cases when someone is trying to use your WiFi without your permission.