Helping people with computers... one answer at a time.

Using a password protected WPA2 is a minor inconvenience for a very significant level of additional security. I'll explain...

I handle the Wi-Fi hotspot for a library and have been using WPA2 with an openly distributed passphrase. Another library has no security whatsoever. Is there a greater risk using no security because for our library the passphrase is so openly available to possibly bad guys?

The short answer is absolutely! Using WPA2 with a password adds significant levels of security beyond an open Wi-Fi hotspot, even if everybody in the room knows the password.

When you've got an open Wi-Fi hotspot, all of the information that's being transmitted by each of the computers connected to that hotspot is being transmitted in the clear. That puts the onus of security on each individual computer user.

That's not necessarily a good assumption to make.

They all then have to make sure that they're using https and secure connections and doing the right thing to use an open Wi-Fi hotspot safely. I've got an article on that.

Chalkboard Password

Using WPA2

When WPA2 is used, it has a very interesting characteristic. Even though the password that you use is the same for everybody, each individual connection between a computer and a hotspot uses a different encryption key.

What that means is that while there are multiple computers connected to the same hotspot, they cannot sniff each other's data in any unencrypted form. They do not have mutual access to all of the information that's being transmitted and received by that access point. It's actually a very good design point for WPA.

Using WEP

It's one of the many problems with WEP security. If you're using WPA even though everybody's using the same password, the actual encryption key that gets applied to the data is selected to be unique for each connection and therefore each connection is safe from every other connection.

I honestly wish that every open Wi-Fi hotspot in the world would switch to this model. In other words, I wish that at Starbucks there was a board on the wall that said, "The Wi-Fi password is..." and then you would need to specify that password in order to connect to the hotspot. It is a minor inconvenience for a very significant level of additional security.

Unfortunately, Starbucks and all of the other open Wi-Fi hotspot providers in the world know that anything that isn't as simple as possible is going to give them customer service issues and the baristas just aren't going to be prepared when someone asks for help.

So, that's the issue. It is definitely much more secure to have the WPA connection with a publicly posted password than to have an open Wi-Fi hotspot.

Article C6409 - April 22, 2013 «

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

4 Comments
Mark J
April 22, 2013 11:01 AM

All they would have to do is use a password simple as "starbucks" in all of their stores. It's probably easier than the login screens they use now, although I think the login screen is necessary to cover the legal issues.

The "login" page, which isn't really logging you in, has nothing to do with security. It's more about legalese protecting the establishment from your behavior than anything else. The password I'm talking about would be required to even connect to the hotspot, which would naturally increase the support burden as many people don't get that.
Leo
23-Apr-2013

Doug Brace
April 22, 2013 2:54 PM

One of the reasons for the login screen is because the user is supposed to read a on acceptable use policy.

You did read the fine print, right?

Ken B
April 23, 2013 12:05 PM
Even though the password that you use is the same for everybody, each individual connection between a computer and a hotspot uses a different encryption key.
Doesn't this mean that, during the initial connection, there must be some sort of handshake between your computer and the access point, in order to establish what this "different encryption key" is? Theoretically, couldn't someone eavesdrop on that handshake, and determine that other system's key?
It's actually a fairly complex process, but it does at one point involve asymmetrical encryption to then pass a symmetrical encryption key. It's been a while since I looked at it, but it's pretty slick. With asymmetrical encryption you can pass one key in the clear but you still don't have enough to decrypt was was encrypted using that key. Think public-key encryption.
Leo
23-Apr-2013
Mark J
April 23, 2013 12:15 PM

@Ken B
The handshake is a simple passing of the encryption keys between computers. The decryption keys remain on the original computer on which the key pair was created.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.