A critical need of a network is security. As wireless networks can be accessed from a distance, it is quite important that they are secure. This is typically done via a password.
While the password is simple in concept, it can be troublesome in actual use. The recommendation is to have the password be 12 or more characters, with a combination of letters, both upper and lower case, and numbers as well as special characters. Users tend to gravitate towards much easier to remember dictionary phrases, such as the all too common “password,” “qwerty,” or “123456.” While we can chuckle at the naiveté of such simple phrases, this does become quite a bit more complex for a home user who has to keep multiple passwords organized for email accounts, computer logins, work accounts, and countless web services that require a login.
WPS and why you should avoid it like the plague
A possible solution, known as WPS (Wi-Fi Protected Setup), dates back to 2006. WPS was designed to offer a simplified method of adding a new device onto a router’s network. These days we think about this technology in terms of a little button on the device to be added, as well as on the router. By pressing the buttons, a passphrase gets generated, sent back and forth, and the new device is added to the network securely. The intention was that this would be more secure, as the passphrase would be made of random characters (not a dictionary word), and a strong password containing the elements discussed above would be used rather than an insecure one.
While the push button method became the most popular implementation, it is not the only one. Another method involved a PIN that was on a sticker on the router. By entering it into the device to be added, a passphrase got created. Yet another method is with a USB flash drive. This is typically created in a host computer already on the network, and then brought to the next computer to be added. A final method involved NFC (near field communication) between devices when they were brought in proximity, although this did not see wide deployment. The PIN and push button currently are the only two methods that are used for WPS.
While WPS was born out of convenience, it became known for a security flaw. The more popular push button implementation seems as though it would be secure, as it is based on physical access to both the router and the client device. However, it really is based on the PIN method, which uses an eight-digit numeric code. While an eight-digit code should offer at least a moderate level of protection, it actually is worse than that, as it really is two sets of a four-digit code.
With the router and network able to be accessed via a four-digit numeric code, which has only 10,000 combinations, WPS is quite vulnerable to a brute force attack. On top of that, consumer routers do not “time out” after multiple PIN attempts. Such a feature would lock the hacker out for a finite or increasing amount of time after each incorrect guess; without it, the router is even more vulnerable, as it is available for an unlimited number of guesses. There is even software available, built specifically to hack WPS, that takes advantage of this.
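The arithmetic behind the two paragraphs above, as an added example that is not part of the original article: it compares the worst-case number of guesses for an eight-digit PIN checked as a whole against one checked as two four-digit halves, as the article describes, and shows how much a lockout of the kind the article mentions stretches the time needed to try every PIN. The two seconds per attempt and the lockout settings are assumed values chosen for illustration.

```python
# Added example: a model of the article's description, not any router's firmware.

def worst_case_guesses(part_lengths):
    """Worst-case guesses when each part of a numeric PIN is confirmed on its own.

    [8] is an eight-digit PIN checked as a whole; [4, 4] is two four-digit halves.
    """
    return sum(10 ** n for n in part_lengths)


def seconds_to_exhaust(guesses, secs_per_guess, lock_after=None,
                       lock_secs=0, backoff=1, max_lock_secs=None):
    """Time for `guesses` failed attempts under a lockout policy.

    lock_after:    failed attempts allowed before each lockout (None = never lock)
    lock_secs:     length of the first lockout
    backoff:       multiplier applied to each later lockout (1 = fixed length)
    max_lock_secs: optional cap on a single lockout
    """
    total = guesses * secs_per_guess
    if not lock_after:
        return total
    current = lock_secs
    # No lockout is counted after the final guess.
    for _ in range((guesses - 1) // lock_after):
        total += current
        current *= backoff
        if max_lock_secs is not None:
            current = min(current, max_lock_secs)
    return total


if __name__ == "__main__":
    SECS_PER_GUESS = 2  # assumed value, for illustration only
    whole, split = worst_case_guesses([8]), worst_case_guesses([4, 4])
    print(f"checked as a whole: {whole:,} guesses; as two halves: {split:,}")
    policies = {  # constructed lockout settings
        "no lockout": {},
        "60 s after every 3 failures": dict(lock_after=3, lock_secs=60),
        "doubling, capped at 1 h": dict(lock_after=3, lock_secs=60,
                                        backoff=2, max_lock_secs=3600),
    }
    for name, policy in policies.items():
        days = seconds_to_exhaust(split, SECS_PER_GUESS, **policy) / 86400
        print(f"{name:30s} {days:8.1f} days to try every PIN")
```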
Now that we know that WPS is highly insecure and easy to crack, precautions must be taken. The ideal would be to have a router that does not have any WPS. However, WPS has been included on most modern routers as a standard feature. The general advice is to disable WPS in the router settings. While this does often work, there are reports that, specifically on Linksys routers, WPS is still vulnerable to PIN hacking as described above even with WPS set to off. Some routers, such as the Netgear shown in the screenshot above, allow WPS to be enabled only via push button, but not via PIN.
While WPS was born out of convenience to connect devices, it represents a significant security vulnerability. Go into the router settings, and close the hole as much as possible, as manufacturers continue to include this in their routers. Here’s hoping that the router manufacturers kick WPS to the curb and move on to a better standard for this need.
This article was contributed by the DSLReports.com community.