Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!
Does Having a Publicly Visible Wi-Fi Password Add Security Compared to an Open Wi-Fi Hotspot?
Using a password protected WPA2 hotspot is a minor inconvenience for a very significant level of additional security. I'll explain...
I handle the Wi-Fi hotspot for a library and have been using WPA2 with an openly distributed passphrase. Another library has no security whatsoever. Is there a greater risk using no security because for our library the passphrase is so openly available to possibly bad guys?
The short answer is absolutely!
Using WPA2 with a password – even a publicly visible one – adds significant levels of security beyond an open Wi-Fi hotspot. Yes, even if everybody in the room knows the password.
When you’ve got an open Wi-Fi hotspot, all of the information that’s being transmitted by each of the computers connected to that hotspot is being transmitted in the clear. That puts the onus of security on each individual computer user. That’s not necessarily a good assumption to make.
When WPA2 is used, it has a very interesting characteristic. Even though the password that you use is the same for everybody, each individual connection between a computer and a hotspot uses a different encryption key.
What that means is that while there are multiple computers connected to the same hotspot, they cannot sniff each other’s data in any unencrypted form. They do not have mutual access to all of the information that’s being transmitted and received by that access point. It’s actually a very good design point for WPA.
It’s one of the many problems with WEP security. WEP encryption, besides being very weak by today’s standards, is the same for each connection to the hotspot. That means that all connected users can still see each other’s unencrypted traffic.
And of course with no password at all anyone with a laptop in range can monitor unencrypted traffic.
The public password
I honestly wish that every open Wi-Fi hotspot in the world would switch to this model. In other words, I wish that at Starbucks there was a board on the wall that said, “Today’s Wi-Fi password is…” and then you would need to specify that password in order to connect to the hotspot. It is a minor inconvenience for a very significant level of additional security.
Unfortunately, Starbucks and all of the other open Wi-Fi hotspot providers in the world know that anything that isn’t as simple as possible is going to give them customer service issues and the baristas just aren’t going to be prepared when someone asks for help.
So, that’s the issue. It is definitely much more secure to have the WPA2 connection with a publicly posted password than to have a completely open Wi-Fi hotspot.
7 comments on “Does Having a Publicly Visible Wi-Fi Password Add Security Compared to an Open Wi-Fi Hotspot?”
All they would have to do is use a password simple as “starbucks” in all of their stores. It’s probably easier than the login screens they use now, although I think the login screen is necessary to cover the legal issues.
The “login” page, which isn’t really logging you in, has nothing to do with security. It’s more about legalese protecting the establishment from your behavior than anything else. The password I’m talking about would be required to even connect to the hotspot, which would naturally increase the support burden as many people don’t get that.
Even though the password that you use is the same for everybody, each individual connection between a computer and a hotspot uses a different encryption key.
Doesn’t this mean that, during the initial connection, there must be some sort of handshake between your computer and the access point, in order to establish what this “different encryption key” is? Theoretically, couldn’t someone eavesdrop on that handshake, and determine that other system’s key?
It’s actually a fairly complex process, but it does at one point involve asymmetrical encryption to then pass a symmetrical encryption key. It’s been a while since I looked at it, but it’s pretty slick. With asymmetrical encryption you can pass one key in the clear but you still don’t have enough to decrypt was was encrypted using that key. Think public-key encryption.
@Ken B
The handshake is a passing of the encryption keys between computers. The decryption keys remain on the original computer on which the key pair was created.
In a way, Starbucks is an ISP. They provide Internet service (the definition of ISP). And that Internet service is one of the reasons many people go to Starbucks. Any company interested in selling their product would be interested in protecting their customers’ security. I agree with Leo’s hypothesis that requiring a password would confuse a few customers and end up costing their employees a lot of time, and they probably would provide a password if feasible.
Hi
Some months I was told by my son that I always should set my wi fi connection to “public”, even if it was my own wifi at home. He explained that set it to “public” reduced the access from other devices on the same network, and for most people there was no reason not to set it to public.
As you have covered the aspects of security in general i thought that this would interest you – and look forward to your comment in a newsletter.
Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.
I want comments to be valuable for everyone, including those who come later and take the time to read.
All they would have to do is use a password simple as “starbucks” in all of their stores. It’s probably easier than the login screens they use now, although I think the login screen is necessary to cover the legal issues.
23-Apr-2013
One of the reasons for the login screen is because the user is supposed to read a on acceptable use policy.
You did read the fine print, right?
Doesn’t this mean that, during the initial connection, there must be some sort of handshake between your computer and the access point, in order to establish what this “different encryption key” is? Theoretically, couldn’t someone eavesdrop on that handshake, and determine that other system’s key?
23-Apr-2013
@Ken B
The handshake is a passing of the encryption keys between computers. The decryption keys remain on the original computer on which the key pair was created.
Starbucks only goal is to sell you coffee and food. They are not an ISP, so they may not care about WiFi security for their customers.
In a way, Starbucks is an ISP. They provide Internet service (the definition of ISP). And that Internet service is one of the reasons many people go to Starbucks. Any company interested in selling their product would be interested in protecting their customers’ security. I agree with Leo’s hypothesis that requiring a password would confuse a few customers and end up costing their employees a lot of time, and they probably would provide a password if feasible.
Hi
Some months I was told by my son that I always should set my wi fi connection to “public”, even if it was my own wifi at home. He explained that set it to “public” reduced the access from other devices on the same network, and for most people there was no reason not to set it to public.
As you have covered the aspects of security in general i thought that this would interest you – and look forward to your comment in a newsletter.
A.Karbek