WPA2 Encryption Basics

Wired Equivalency Protocol (WEP) uses a naive encryption standard that has become virtually useless. WEP was supplanted by WiFi Protected Access (WPA). WPA was found to be too weak too, and it has been supplanted in turn by WiFi Protected Access 2 (WPA2), which seems to be strong enough for now. ;-)

Windows 8, 7, Vista and Windows XP SP3 support WPA2. Windows XP SP2 supports WPA2 too, but requires the Wireless Client Update [update KB893357 at Microsoft’s Download Center (support.microsoft.com)].


Change the Default SSID on Wireless Access Points and Routers at About.com is a good generic how-to for changing the default SSID of your router.

Encryption and keys

Encryption scrambles messages so that an opponent or attacker cannot intercept them. Most encryption is based on encryption keys, which are merely secret codes used to scramble and unscramble the message. Strong encryption requires strong keys.

WPA2-PSK (Preshared Key) is the strongest and most practical form of WPA for most home users. WPA2 is more secure than WPA because it uses the much stronger AES (Advanced Encryption Standard) protocol for encrypting packets. [more] [Smart Computing]

The encryption key may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits. The maximum length results in 256 bit strength, which is what 64 digits (8 bits each) multiplied by 4 bits/digit yields. I recommend that you use at least 32 random characters.

Don't let those specifications panic you. Grab your own personal, custom-made maximum-length router passwords at Steve Gibson's site. The trick to using these long passwords is to cut and paste them when connecting a device to your network.

Or you can make your own, which might look like this
and if you must type them in it helps to break them up like this
[u4bg vt7f 5e37 kzMt r11z iahw zgBa xfsq k72q gHgm qc4b d1ze a5hy ahcq 3rnd wgxp]. Of course you don't type the spaces. Notice that I've converted a password with all lowercase letters to a stronger one by changing just a few letters to uppercase to make it easier to type.

To protect against current brute force attacks, a truly random pre-shared key of at least 20 characters should be used, and 33 characters or more is recommended. But, pre-shared keys are usually configured only once, and users don't need to enter them every time. You might as well use the strongest possible encryption key. :-)

Your SSID (wireless network name)

Due to the naive design of WPA2, the name of your network is the starting point for hackers. It is broadcast in the clear, and it's easy to look up your encryption key on widely available rainbow tables if your SSID is simple. The more random your network name, the better. Treat your WiFi network name as you would a password. Make it complex and avoid using any whole words. Maximum length for an SSID is 32 characters.

I use something like "ASZumFY2J6JeIbpv8xNWVRqmY8SDF8AX" (without quote marks) for my SSID. You can use one of the key generators below to generate your own random SSID. Just trim it back to 32 characters, and you'll have a very strong one.

Preshared key generators

Use these to create 63 OR 64 character WPA2 keys and 20 to 32 character SSIDs.


63 random printable ASCII characters:
ZCTf}xc1ag.n~](j;&:6DrfE7!!ntd[[email protected]_?bkKewh#C_~g2wCPD:6>sX

64 random hexadecimal characters (0-9 and A-F):

Questions and answers

What is TKIP?
TKIP (Temporal Key Integrity Protocol) is a backwards compatible protocol for legacy equipment or handheld devices that cannot support the stronger AES, the most advanced encryption protocol. Some routers (Linksys) can operate in a dual TKIP/AES mode. However... It is probably best to select AES alone, not the combined mode as there may be vulnerabilities due to backward compatibility provisions in TKIP.