The short answer is absolutely!
Using WPA2 with a password – even a publicly visible one – adds significant levels of security beyond an open Wi-Fi hotspot. Yes, even if everybody in the room knows the password.
When you’ve got an open Wi-Fi hotspot, all of the information that’s being transmitted by each of the computers connected to that hotspot is being transmitted in the clear. That puts the onus of security on each individual computer user. That’s not necessarily a good assumption to make.
Become a Patron of Ask Leo! and go ad-free!
When WPA2 is used, it has a very interesting characteristic. Even though the password that you use is the same for everybody, each individual connection between a computer and a hotspot uses a different encryption key.
What that means is that while there are multiple computers connected to the same hotspot, they cannot sniff each other’s data in any unencrypted form. They do not have mutual access to all of the information that’s being transmitted and received by that access point. It’s actually a very good design point for WPA.
It’s one of the many problems with WEP security. WEP encryption, besides being very weak by today’s standards, is the same for each connection to the hotspot. That means that all connected users can still see each other’s unencrypted traffic.
And of course with no password at all anyone with a laptop in range can monitor unencrypted traffic.
The public password
I honestly wish that every open Wi-Fi hotspot in the world would switch to this model. In other words, I wish that at Starbucks there was a board on the wall that said, “Today’s Wi-Fi password is…” and then you would need to specify that password in order to connect to the hotspot. It is a minor inconvenience for a very significant level of additional security.
Unfortunately, Starbucks and all of the other open Wi-Fi hotspot providers in the world know that anything that isn’t as simple as possible is going to give them customer service issues and the baristas just aren’t going to be prepared when someone asks for help.
So, that’s the issue. It is definitely much more secure to have the WPA2 connection with a publicly posted password than to have a completely open Wi-Fi hotspot.
Podcast: Download (Duration: 3:31 — 3.2MB)
Subscribe: Apple Podcasts | RSS
7 comments on “Does Having a Publicly Visible Wi-Fi Password Add Security Compared to an Open Wi-Fi Hotspot?”
All they would have to do is use a password simple as “starbucks” in all of their stores. It’s probably easier than the login screens they use now, although I think the login screen is necessary to cover the legal issues.
One of the reasons for the login screen is because the user is supposed to read a on acceptable use policy.
You did read the fine print, right?
Doesn’t this mean that, during the initial connection, there must be some sort of handshake between your computer and the access point, in order to establish what this “different encryption key” is? Theoretically, couldn’t someone eavesdrop on that handshake, and determine that other system’s key?
The handshake is a passing of the encryption keys between computers. The decryption keys remain on the original computer on which the key pair was created.
Starbucks only goal is to sell you coffee and food. They are not an ISP, so they may not care about WiFi security for their customers.
In a way, Starbucks is an ISP. They provide Internet service (the definition of ISP). And that Internet service is one of the reasons many people go to Starbucks. Any company interested in selling their product would be interested in protecting their customers’ security. I agree with Leo’s hypothesis that requiring a password would confuse a few customers and end up costing their employees a lot of time, and they probably would provide a password if feasible.
Some months I was told by my son that I always should set my wi fi connection to “public”, even if it was my own wifi at home. He explained that set it to “public” reduced the access from other devices on the same network, and for most people there was no reason not to set it to public.
As you have covered the aspects of security in general i thought that this would interest you – and look forward to your comment in a newsletter.