Wireless Security with Passphrases

This blog post provides an in-depth look at the evolution of wireless security from WEP to WPA3-SAE, emphasizing the importance of passphrases and the challenges in managing old and new devices while maintaining network security.

Using a passphrase to gain access to a wireless network, and then using it to build the encryption keys that secure that connection, is about as old as 802.11 itself. The first version was Wired Equivalent Privacy, or WEP; the latest is WPA3-SAE, or Simultaneous Authentication of Equals. While a lot of the background processes and technologies have changed, the method and its ease of use for the end user haven’t changed much, which easily makes it the most used of all the techniques in use to secure a Wi-Fi connection.

The Passphrase

Using a passphrase, or password, to access something is almost as old as humans themselves. Say the secret word or sequence of words to the right person and access is granted. Therefore it is very easy for people to grasp and use the password version of security when these types of networks are discovered in the wild.

Really quick sidebar here.... The passphrase being discussed here isn’t the same as anything that is entered on a captive portal. Captive portals aren’t a security tool. They never have been and never will be. What is being discussed here are passphrases that are used to encrypt the connection between the client and the AP, not a barrier to access the internet.

The original encryption used in Wi-Fi was WEP. Hopefully everyone knows and understands that WEP was compromised back in the early 2000s with tools like aircrack-ng and John the Ripper. WEP contains a couple of fatal flaws that allow it to be brute-force attacked in a matter of seconds, which led to it being “officially retired” in 2004. I say “officially retired” because, while the problems with WEP still exist, networks can still be found in use today that utilize WEP, thanks to client devices that don’t support any newer encryption.

In 2003, after WEP had been compromised but before the IEEE was able to officially introduce the 802.11i amendment, the Wi-Fi Alliance released WPA as a stop-gap solution for networks that needed to migrate from WEP before 802.11i was ratified and WPA2 released. Granted, it was a critical stop-gap, but nonetheless, when 802.11i was ratified in 2004, WPA was “replaced” by Wi-Fi Protected Access 2, or WPA2, the protocol that all of us are now familiar with.

WPA2-Personal

WEP was easily cracked because it only ever used one key during the encryption process, and if that key was captured, it was a simple process to just reuse that same key. WEP was also very limited in the number of bits used in the encryption. As a general rule, fewer bits = less complexity to crack = faster times to crack the encryption.

Luckily with 802.11i we got WPA2 with AES-CCMP encryption. AES-CCMP improved the overall encryption algorithm, including the number of bits used in the encryption. More bits = more complexity to crack = longer times to crack the encryption.

But, as with everything, there is a balancing act in Wi-Fi. We don’t get anything for free. Older devices prize ruggedness and stability while newer devices look for speed and flexibility. Stuck in the middle is the desire to make sure that we keep our connections and data secure even though some of the most critical devices on our network don’t always support the latest and greatest security.

Trying to operate these old and new devices on the same SSID can drive any administrator crazy, so anything they can do to achieve the balancing act of keeping both old and new functioning is probably going to happen, including having different SSIDs on the same radio to support the different security capabilities.

Now, WPA2 has been our trusted friend since 2004 and for the most part has served us well. Sure, there has been a hiccup here and there (remember KRACK?), but when deployed and managed in a responsible manner, it was and still is very secure. However, when researchers examined WPA2-PSK in detail, they discovered some issues with how it builds the encryption keys.

Also, it was about this time that people realized that WPA2 had been out for 14 years, and it was probably time for a refresh. This refresh happened in 2018 in the form of WPA3.

Introducing WPA3-SAE

Just like with all things in technology, innovations assist the attackers of a network just as much as, if not more than, the legitimate network operators and users. As processor speed and capability increased to help people do more on their mobile devices, it also became faster for attackers to brute-force passwords and credentials captured in the wild. Cloud computing and ubiquitous internet connections made it faster and easier for organizations to spread out their workload, and did the same for attackers.

What used to take months to brute-force can now be done in days; what used to take weeks can now be cracked in hours, if not minutes. With the ability of attackers to collect encryption keys from everywhere and then send them either to a cloud computing instance or back to a central cracking server to work on, the cost to crack an encryption key is much lower than it used to be.
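As an added example (Python, not code from the post or from RUCKUS), here is what the cost argument in this paragraph, and the earlier remark about how WPA2-PSK builds its keys, comes down to in practice. The PMK derivation below is the one IEEE 802.11i specifies for WPA2-Personal: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. Nothing random enters it, so the same passphrase on the same SSID always yields the same PMK; that is what lets a handshake captured once be tested against guesses offline, and why the per-guess cost and the passphrase's entropy are the only things standing between the attacker and the key. The helpers turn that into a defender's check: measure the cost of one guess on the current machine and estimate how long a given passphrase policy holds up. The entropy estimate, character-class sizes, the 80-bit policy threshold and the sample passphrases are assumptions for illustration.

```python
import hashlib
import math
import time

# Added example, not from the original post. The PMK derivation is the one
# IEEE 802.11i specifies for WPA2-Personal; the policy threshold and the
# character-class sizes used for the entropy estimate are assumptions.

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_BYTES = 32             # 256-bit PMK


def derive_wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096, 32 bytes).

    Nothing random enters this function: the same passphrase on the same SSID
    always yields the same PMK, which is why a captured 4-way handshake can be
    checked against passphrase guesses offline, with no further network access.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_BYTES,
    )


def seconds_per_guess(ssid: str, samples: int = 100) -> float:
    """Cost of one passphrase guess on this machine: one full PBKDF2 run.
    Dedicated cracking hardware is orders of magnitude faster, so treat this
    as an upper bound on what an attacker pays per guess."""
    start = time.perf_counter()
    for i in range(samples):
        derive_wpa2_pmk(f"candidate-{i}", ssid)   # constructed guesses
    return (time.perf_counter() - start) / samples


def estimated_entropy_bits(passphrase: str) -> float:
    """Crude strength estimate: log2(charset ** length), with charset built from
    the character classes present. Assumed class sizes: 26 lower, 26 upper,
    10 digits, 33 printable symbols."""
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(not c.isalnum() for c in passphrase):
        charset += 33
    return len(passphrase) * math.log2(charset) if charset else 0.0


def years_to_exhaust(entropy_bits: float, secs_per_guess: float,
                     parallel_guessers: int = 1) -> float:
    """Years needed to try every passphrase of the given entropy at the given
    per-guess cost, spread over parallel_guessers machines."""
    seconds = (2 ** entropy_bits) * secs_per_guess / parallel_guessers
    return seconds / (365 * 24 * 3600)


def passphrase_meets_policy(passphrase: str, min_bits: float = 80.0) -> bool:
    """Assumed policy: at least min_bits of estimated entropy."""
    return estimated_entropy_bits(passphrase) >= min_bits


if __name__ == "__main__":
    # Known-answer check from the 802.11i test vectors: "password" on SSID "IEEE".
    print("PMK for 'password' on SSID 'IEEE':", derive_wpa2_pmk("password", "IEEE").hex())
    cost = seconds_per_guess("IEEE")
    print(f"one guess costs {cost * 1000:.2f} ms on this machine")
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple 2024!"):
        bits = estimated_entropy_bits(candidate)
        print(f"{candidate!r}: ~{bits:.0f} bits, "
              f"{years_to_exhaust(bits, cost):.2e} CPU-years to exhaust, "
              f"policy ok={passphrase_meets_policy(candidate)}")
```

Run it as a script and the first line prints the standard's own test vector (f42c6fc5...a12e), which confirms the derivation matches what every WPA2 client and AP compute. The estimate deliberately ignores dictionary and rule-based guessing, so a passphrase made of common words scores far higher here than it would survive in practice; the number is a ceiling, useful for rejecting short passphrases outright rather than for blessing long ones.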

WPA3-SAE (Simultaneous Authentication of Equals) introduced new encryption methods similar to what is used in 802.1X, making it much harder to crack either in the wild or offline using a brute-force cracking server custom-built for the task at hand. The one thing it didn’t change is that WPA3-SAE still uses a password provided by the network operators to the end user, just the same as WPA2-Personal, WPA, and even WEP. While the back-end encryption is totally different, for end users the process is still the same, just more secure due to some really technical processes that we won’t cover here.

We still don’t want to be sharing this password with everyone we meet on the street, but for the time being, WPA3-SAE uses something known as Elliptic Curve Cryptography to generate the encryption keys without needing to send any part of the keys over the air that attackers can capture and then reverse engineer. And, for now, this is something that is impossible for attackers to crack. However, just like with previous generations, not every device today supports WPA3, so we still have our balancing act from before.
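As an added illustration of the principle in this paragraph (Python; not code from the post or from RUCKUS, and not the SAE/Dragonfly handshake itself, which binds the passphrase into the exchange and has more steps), here is a plain Diffie-Hellman-style key agreement on a toy elliptic curve. Only the two public points cross the air; each side computes the shared key locally from its own secret, so there is no key material in the capture to reverse. The curve (y² = x³ + 2x + 2 over GF(17), base point (5, 1), group order 19) and the two secrets are constructed for the demo. Because the group has only 19 points, the eavesdropper function can recover the key by exhaustive search, which makes the page's “more bits” point concrete: on a 256-bit curve the same search is on the order of 2^128 steps.

```python
# Added example, not from the original post or from RUCKUS. A textbook
# Diffie-Hellman exchange on a toy curve, NOT the SAE/Dragonfly handshake;
# it only shows that the shared key is computed by each side from a public
# value and its own secret, and never travels over the air.

# Toy curve y^2 = x^3 + A*x + B over GF(P), constructed for illustration.
# Real deployments use curves over ~256-bit primes.
P, A, B = 17, 2, 2
G = (5, 1)            # base point; generates a group of 19 points
INF = None            # point at infinity (group identity)


def ec_add(p1, p2):
    """Group law on the curve in affine coordinates over the prime field."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)           # chord slope
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Scalar multiplication k*point by double-and-add."""
    result, addend = INF, point
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def public_key(secret):
    """The only thing a station sends over the air: secret * G.
    The secret scalar itself never leaves the device."""
    return ec_mul(secret, G)


def shared_key(my_secret, their_public):
    """Each side computes my_secret * their_public; both reach the same point
    because a*(b*G) == b*(a*G)."""
    return ec_mul(my_secret, their_public)


def eavesdropper_recovers_secret(observed_public, max_k=P + 1 + 2 * int(P ** 0.5) + 1):
    """What an attacker holding only the on-air values must do: solve k*G ==
    observed_public. Exhaustive search is trivial on a 19-point group; on a
    256-bit curve it is ~2^128 operations, which is the 'more bits' argument."""
    acc = INF
    for k in range(1, max_k + 1):
        acc = ec_add(acc, G)
        if acc == observed_public:
            return k
    return None


def demo(client_secret=7, ap_secret=5):
    """Run one exchange and report what was visible versus what each side derived.
    The secrets 7 and 5 are constructed values for the demo."""
    client_pub, ap_pub = public_key(client_secret), public_key(ap_secret)
    k_client = shared_key(client_secret, ap_pub)
    k_ap = shared_key(ap_secret, client_pub)
    # The attacker saw only client_pub and ap_pub. On this toy curve that is
    # enough, because the discrete log is searchable; curve size is the defence.
    k_guess = eavesdropper_recovers_secret(client_pub)
    k_attacker = shared_key(k_guess, ap_pub) if k_guess is not None else None
    return {"over_the_air": (client_pub, ap_pub), "client_key": k_client,
            "ap_key": k_ap, "attacker_key": k_attacker}


if __name__ == "__main__":
    print(demo())
```

The output shows the two public points, the identical key on both sides, and that the key point is not one of the values that crossed the air. Swapping in a curve with a 256-bit prime changes nothing in the exchange and only the search in `eavesdropper_recovers_secret` becomes infeasible; that, rather than any secrecy of the protocol, is what the page's claim rests on.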

Conclusion

In a world where we seem to feel pressured to always have the “latest and greatest,” some of the details can get lost in the shuffle. While WPA2/3-Enterprise is where we should be aiming for, it’s ok if not every device ends up on that network. With WPA3-SAE we have a password-based security/encryption method that is comparable to the Enterprise version, assuming people aren’t sharing that information on social media, either accidentally or on purpose.

While WPA2-Personal might not be the “best”, remember that with some best practices thrown in (like using RUCKUS DPSK), the combined solution is still really secure. While WEP can be cracked by a competent attacker in a matter of seconds, it becomes the requirement if that is all the critical devices on the network will support, although I would STRONGLY recommend upgrading to almost anything to get off of WEP. But that is a conversation for a different day.

While security can sometimes be overwhelming to think about and understand, rest assured that RUCKUS Networks is working hard to enable your organization to walk the line between keeping required devices on the network, preventing unwanted devices from joining, and enabling administrators to monitor and manage the network all at the same time. For more information about how RUCKUS can help, please check out other Security blogs, RUCKUS’s network segmentation capabilities, secure on-boarding and authentication capabilities, and RUCKUS WAN Gateway (RWG).