There are a lot of knobs to tweak when making a home router as secure as possible. I keep a pretty comprehensive checklist of router security features on my RouterSecurity.org website.
But that list is targeted at techies. Non-techies need a simpler list with just the most important things to do/check/change. I mention this because on the August 13th episode of his Tech Guy radio show, Leo Laporte boiled down the router security list a bit too much.
In response to Tom from Huntington Beach, Laporte said “the only thing you really need to do is turn on WPA2 encryption … Turn it on and give it a password that isn’t obvious.”
That leaves out quite a lot, even for non-techies.
For one thing, WPA2 may not be a simple on/off checkbox. While it is on some routers, others offer an additional choice of AES or TKIP. Choosing TKIP negates the benefits of WPA2; TKIP is, in effect, WPA version 1 rather than version 2.
And, even non-obvious passwords can be poor choices.
Most importantly, Wi-Fi passwords need to be loooooong. No matter what encryption is being used, a bad guy can capture the encrypted data traveling through the air, save it, take it home and make a billion password guesses a second (give or take). The only defense against a brute force attack like this is a really looooong password, preferably one with more than 14 characters.
Most nerds will suggest something like “kw6J3V97*w1vsRR”. I’m not most nerds.
If your password was “obvious”, then changing it to “obvious---obvious” makes you safer while still being easy to remember (obvious obvious with three dashes in-between).
Use your dog’s name for a password? Then consider “fido//////////”. Adding ten slashes after the dog’s name is, again, fairly easy to remember and much safer.
Look out your window. See a maple tree? Then consider “xxmaplexxtreexx”. Sure, an upper case letter would be nice, but a maple tree surrounded by pairs of Xs is still a good password.
If you see a Donald Trump building, then you could use your opinion of him as a password. Something like “!!! I [opinion] DonaldTrump”. Putting the exclamation points in the front makes it a great password.
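The arithmetic behind the length advice, as an added example that is not part of the original article: a Python sketch that checks the passwords quoted above against the more-than-14-characters rule and estimates how long a blind exhaustive search would take at a billion guesses a second. The alphabet sizes and the 8-to-63 printable ASCII limit on WPA2 passphrases are brought in by the example, not stated in the article.

```python
import math
import string

GUESSES_PER_SECOND = 1e9            # the article's "billion guesses a second"
MIN_LENGTH = 15                     # the article's "more than 14 characters"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password):
    """Size of the smallest common alphabet that covers the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),   # 32 symbols plus space
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def audit(password):
    """Check one candidate Wi-Fi password against the article's advice.

    Models a blind exhaustive search over the alphabet, the attack the
    article describes; guessers that use word lists are not modelled.
    """
    length = len(password)
    size = charset_size(password) or 1    # avoid log2(0) on empty/odd input
    # WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
    valid = 8 <= length <= 63 and all(32 <= ord(c) <= 126 for c in password)
    return {
        "length": length,
        "valid_wpa2": valid,
        "long_enough": length >= MIN_LENGTH,
        "bits": round(length * math.log2(size), 1),
        "years_to_exhaust": size ** length / GUESSES_PER_SECOND / SECONDS_PER_YEAR,
    }

# Passwords quoted in the article, plus its short starting point "obvious".
SAMPLES = ["obvious", "obvious---obvious", "fido//////////",
           "xxmaplexxtreexx", "kw6J3V97*w1vsRR"]

if __name__ == "__main__":
    for pw in SAMPLES:
        r = audit(pw)
        print(f"{pw:<20} len={r['length']:>2} wpa2={r['valid_wpa2']!s:<5} "
              f">14={r['long_enough']!s:<5} bits={r['bits']:>5} "
              f"years={r['years_to_exhaust']:.3g}")
```

Under this model the seven-letter “obvious” falls in about eight seconds and is too short for WPA2 to accept, while “xxmaplexxtreexx” takes roughly 53,000 years. “fido//////////” is 14 characters, so it sits one character below the more-than-14 preference.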
Perhaps the biggest thing Laporte omitted was the other password, the one for the router itself. If your router was provided by your ISP, chances are it’s using a default password. That’s really bad.
Another biggie in the world of router security is WPS. It’s a security disaster and should be disabled. So too, remote administration is dangerous. It’s usually disabled, but worth verifying.
Some other things to look for are on the home page of RouterSecurity.org.
That said, many routers cannot be made secure.
Perhaps the firmware is buggy and is no longer being updated. Perhaps the router lacks some security features. Thinking that simplicity is a selling point, a new wave of consumer-oriented routers omits 90% of the knobs and dials nerds like to tweak.
If your router was provided by your ISP, there is an excellent chance it can’t be secured no matter what you do. For example, it’s likely that employees of the ISP can make modifications to the router.
The real danger with routers is not Wi-Fi encryption, it’s the operating system of the device itself. ISPs have a poor track record for configuring routers in a secure manner. And, even if your ISP is the exception to the rule, remember that simply by issuing thousands, or millions, of identical routers, they have painted a target on your back for bad guys to aim at.
Me? I use a router that few have heard of. Even if it’s just as bad as all the rest (it’s not), hopefully it flies under the radar.