Just say no to WEP

Whether you're running a home wireless network or a corporate wireless network, you need to know the truth about Wired Equivalent Privacy (WEP). When WLAN hardware first came out, WEP was the standard encryption scheme offered to secure that wireless network.

By design, WEP protects a wireless network from eavesdropping. However, it has significant and well-documented vulnerabilities.

Weak Encryption Protocol?

WEP's major flaw is its use of static encryption keys. The cipher itself isn't the problem.

WEP uses RC4 (also known as ARC4 or ARCFOUR) to protect the confidentiality of the transmitted data. However, every device on the network uses one key to encrypt every transmitted packet. That means an eavesdropper using a wireless hacking tool can intercept enough WEP-encrypted packets to eventually recover the key.

Of course, you can mitigate this vulnerability by periodically changing the WEP key; most routers allow you to store up to four keys. But if you change the key on the router, that means you also have to change the key on every device on the network. Depending on the size of your network, this can quickly become a time-consuming, never-ending task.

WEP is insecure, and keeping it even marginally effective is time-consuming; at best it adds a small level of confidentiality to your WLAN. So what can you do? Switch to Wi-Fi Protected Access (WPA) or WPA2.


While there are several flavors of WPA available today, the easiest to use and most widely supported version is WPA Personal — often called WPA Pre-Shared Key (PSK). Using this encryption is relatively easy.

To encrypt a network with WPA Personal/PSK, configure your router with a plain-text pass phrase between eight and 63 characters long. Using an encryption protocol called Temporal Key Integrity Protocol (TKIP), WPA uses that pass phrase — along with the network service set identifier (SSID) — to generate unique encryption keys for each wireless client.

Those encryption keys are not static: they change with each transmitted frame, and when WPA cycles to a new key it broadcasts the change to the clients.
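As an added illustration (not code from the original article), the following derives the WPA/WPA2-Personal Pairwise Master Key the way IEEE 802.11i specifies it, PBKDF2-HMAC-SHA1 over the pass phrase salted with the SSID, and checks a router configuration against the advice given in this article about default SSIDs and dictionary words. The default-SSID set and the tiny dictionary are constructed stand-ins, and the "password"/"IEEE" pair is the standard's own published test vector.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-Personal
PMK_LEN = 32               # 256-bit Pairwise Master Key

# Constructed for this example: a few vendor default SSIDs and a tiny
# dictionary standing in for the lists a real hardening check would use.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
TINY_DICTIONARY = {"password", "sunshine", "football", "qwertyuiop"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal (same for TKIP and AES):
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Per-client session keys are then derived from this PMK in the 4-way
    handshake, which is why two clients never share a frame key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"),
        PBKDF2_ITERATIONS, PMK_LEN)


def audit_psk_config(ssid: str, passphrase: str) -> list[str]:
    """Return findings for a router's WPA-Personal settings: pass phrase
    length in the allowed 8-63 range, non-default SSID, no dictionary
    words in either the SSID or the pass phrase."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase length outside 8-63 characters")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    if passphrase.lower() in TINY_DICTIONARY:
        findings.append("passphrase is a dictionary word")
    if ssid.lower() in TINY_DICTIONARY:
        findings.append("SSID is a dictionary word")
    return findings


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same pass phrase, different SSID -> different PMK. The SSID is not
    # secret, but it salts the derivation, so a default SSID lets a
    # precomputed table apply to every network using that default.
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "ieee"))
    print(audit_psk_config("linksys", "password"))
```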


Very few wireless devices sold today don't support WPA. However, WEP is always the first option for encryption (alphabetically), and most consumers don't know the difference between the two.

When it comes to client computers, Windows XP Service Pack 2, Windows Vista, and Mac OS X support WPA. When setting up the client, just make sure the data encryption — TKIP or Advanced Encryption Standard (AES) — matches the router's setting. Most routers support AES, which offers a stronger encryption cipher than the one used by TKIP.

Final thoughts

Properly configured, WPA provides your WLAN great protection from roaming wireless hackers. And here's one last suggestion: Change the default SSID. Most routers default the SSID to the name of the company that makes the router (e.g., Linksys).

In addition, avoid dictionary words in both the SSID and the WPA pass phrase. If you can use WPA2 (which uses AES), then use it. When it comes to security and encryption standards, using the latest and greatest standard is always a good thing.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
