Do I have to have a WiFi password (encryption key)?

Published on: March 26th, 2015

I must I admit while this question is one we frequently get, I was actually inspired to write this after the CSI Cyber episode that air last night.   In the show, black hat hackers have figured out ways to control and start a fire with your electronic devices.  At one of the crime scenes one of the lead charters ask a 20 something old who was a victim of one of the fires, “how complex is your WiFi password?”.   The 20 something looks back at her with a deer in the headlights look and says “why does that matter?”.  While the storyline might be a bit exaggerate for Hollywood or entertainment purposes, they did make a valid real world point and concern.  Is it important to have that “password”? Is it important to have a “complex” one?

The answer is absolutely YES!  Not only that but you need to be careful who you give it to and should change it occasionally.  But Why?

To understand why we need to make sure everyone has a basic understanding of how or even why wireless networking “works”.   Even thought you do not have a server, are not sharing files, are not sharing printers, and not access one device from another, when you have set up the ability to share internet service through a WiFi (or even wired for that matter) network you do have a LAN (Local Area Network).  In other word most everyone (I do not know who does not but there has to be someone) has a LAN in their small business or home.   Knowing that you do have LAN, you also need to understand that on the LAN the communication between devices is less structured or control (less protected) than that coming over the WAN (Wide Area Network) or today “the internet”.  Your LAN’s perimeter is protected by your firewall that blocks a significant amount of garbage and attack that you will never even know about.

Most small business and homes today will have a single device that acts as your Router, WiFi AP(Access Point), and Firewall, a wireless router.  Sometimes this might also provide the “modem” that connects to the ISP.  Regardless of whether you have one device or multiple for this, once someone is on your LAN they are past that first line or perimeter defense of the Firewall.   In the “old days” before WiFi, this was not a big of a concern.  Then, in order to connect you had to physical connect via a wire (physical be there).  Today with WiFi you only have to be within signal range – not even in a place that you can see.  Once they are on your WiFi they are on your LAN beyond that first line defense, the firewall.

Truth is you probably have a less than 1% chance of falling victim to the kind of attack portrayed in the show.  However ask yourself two question:

– IF it did happen to you would it matter to you that in only happens to less the 1% of the population?
– What are some more likely, real world risk to you?

The more likely real world risk to you are:

– The person who does not know better that just selects any open WiFi network (or has the device set to automatically connect to open networks)
– The Teen next door that fancy her/himself a black hatter who’s parents have restricted access to “their internet”, so the teen uses yours instead.

Ok, so what if these people did connect to your WiFi and used your internet?  You are going to pay the same for your internet service anyway.  It’s not like they are causing you harm, right?

• What if the person who did not know better – also had a virus or other malware?
• Remember that Teen next door that fancy themselves a black hatter, what might they try to get into?
• What if one of those people, or someone you knowing let on your LAN (on your WiFi), accessed or downloaded something illegal, like copy righted materials or worse?  Does the put you are risk?

All of those thing put you at risk.  Once a computer is infected with Malware or a virus – one of its goals is to spread itself.  Once on the your LAN (your WiFi) it is easier for it to spread to other devices connect to the same LAN.   You can still get infected with malware even if you have the best and most current antimalware installed on your computers.   It could start sending SPAM messages out.  The might cause you a couple of problems, your companies IP address might get black listed – causing problems with you getting legit emails delivered.   If a significant amount of SPAM is sent your ISP might shutdown your service till you identify the problem computer and address the issue.  How are  you going to identify a computer with malware on it and get it cleaned that you do not even know was on your network? That you do not have control over?  you can’t.

And so what if someone “using my internet service” is doing something illegal like access or downloading copyrighted material or worse?  It’s not like it was me that did it after all.  Well, here’s the thing, the key words in all this is “my internet service”, when you signed up for the service you agreed to be responsible for what was done over it.  The legal authority (either the party that felt wronged by copy right infringement or law enforcement), is going to go after you for what infraction.  It your responsibility to go after the actual party of the crime.  Case in point, several university and colleges have had suits files against them for pirating of music and movies.  Now, in most cases they have the means to identify the actually person responsible.  Do you?   Think this is only because of the large number of students do it – think again – it is usually only one or two that are doing it.

What about that black hatter want to be.   In some sense it should be self evident, they are going to try and get into things that they should not.  However, the thing is they often do not have the skill or knowledge to do this alone.  So, they typically are downloading or using things that “help them hack”.   Most of that is riddled with malware that open up the doors for the real hackers to get in.

One other key point about why you need to set a “WiFi Password”.  The word password is really misleading.  In reality it not a password but the password is used because it is easier for the average user, at large to understand it meaning.  It is actually an encryption key.  One that encrypts the communication the is floating through the air  between your computer and that AP(the wireless router).  Now is it likely that you neighbor is going to have the ability to intercept that communication, probably not.   If it did happen to you would it matter that it only happens less that 1%?

Why should you change it occasionally?  I get it, its a pain to do.  Once done you have to go to every device and enter the “new” code.  The problem is that code(password or key) is stored in every device so you do not have to enter every time you want to connect.   That stored code is rather easy to get to and over time you lose track of who it has been given to. What happens if their device gets compromises (hacked or stolen)?

What about complexity, does it have to be complex?  The yes but it actually not as bad think.  You do not want it to be easy to guess like you phone number or street address.  It does need to be at least 26 charters long.  However, unlike a “password” it does not have to be some random set of letters and number.   you can use a phrase or sentence if you want..

Our recommendation are:

• Your key (password) needs to be 26 charters long.
• Change the default name of the WiFi network (the SSID)
  This should not identify the brand of the Wireless Router, your name, company  or address
• Change the default Admin (administrator) password for the router.
  Note: this is not the same thing as your Wireless Key (password) but allows access to make changes in the router.
• Homes that want to allow guest WiFi should get a router that allows a second “wireless” network to be setup for guest to use.
• Businesses that want to allow clients, and vendors WiFi access should set up more elaborate guest networks which require users to agree to Terms of use.   This will also capture identifying information in the event there is any legal recourse needed.