
Things I know about WPA3...

- I can install/upgrade some packages on my OpenWrt router/computers to enable it.

- I can leave a WPA2 SSID for my old gadgets.

> By the time the average person upgrades all their gear to WPA3 stuff, it'll be cracked and we'll be on WPA5.

Perhaps vendors can implement a WPA3/WPA2 mixed mode? Or just use the dual SSID hack...




I have a modern router for WPA3 and an older router that does WPA1 but is firewalled from the rest of the network and only allows access to a small range of IPs.


If you're on a network that has both WPA2 and WPA3 enabled, are you really even benefiting from all of the WPA3 security improvements? Any attacker can just fall back to your WPA2 SSID and crack your network that way. And once they have access to your network, unless you're doing some advanced network segmentation, does it matter which version of WPA you're using?


Many wireless networks have multiple segments to them, for example a company has a "guest" network and a company network. Make the WPA2 network like a guest network, i.e. it's basically like being outside the company at a coffee shop.

This isn't advanced, it's pretty common.


I think you overestimate what is "common". It might be "common" for the network admins or highly technical people browsing this website. It is not common whatsoever for the vast majority of the public that uses WPA for home networking or small businesses. Security is significantly decreased for everyone if it's only practical for those that are highly technical.

It would be great if it actually was common, and such features came pre-configured out of the box for users. Unfortunately, most of the routers I'm aware of that are given to users from ISPs don't even support guest modes.


Uh, sure, if you're only talking about home users then of course current and future products are a disaster. That's more a function of the markets than the standard.


You're right, and that's a problem even for companies. Security is a game of weakest links. Your company can spend billions of dollars accomplishing 99.99% vulnerability coverage on their networks, but it will be meaningless if your employees go home and connect their work laptops to a compromised home network.

I don't think there's an easy fix for this and I'm not criticizing WPA3 or anything. Ideally we could just update/throw out old, incompatible devices, but realistically I know that's not going to happen. I'm just pointing out that the suggestion to "keep WPA2 enabled for your old, WPA3-incompatible devices" kinda misses the point about WPA3 in the first place.


I don't see how "keep WPA2 enabled for your old, WPA3-incompatible devices" is any more of a problem than "keeping WPA2 enabled" was a problem yesterday.

If you're vulnerable to compromised coffee shop or home networks already, you're likely to also be vulnerable tomorrow. The only change is a slight increment in the standard. And the worst companies are not going to be saved by any change in the standard.

I guess I don't really see the point of this entire subthread.


>I don't see how "keep WPA2 enabled for your old, WPA3-incompatible devices" is any more of a problem than "keeping WPA2 enabled" was a problem yesterday.

There's a false implication here that "keeping WPA2 enabled yesterday" isn't a problem. But it is. There are flaws in WPA2, and fixing those flaws is the entire point of developing WPA3. Security is supposed to get better as time goes on (hackers are certainly getting better whether your security is or not). But security isn't getting better if you just keep using the old standards.

Would you feel comfortable enabling WEP on all your company's routers with the justification "well we're not any more vulnerable today with WEP than we were in 1998 with WEP"?

>I guess I don't really see the point of this entire subthread.

I don't either.


I didn't imply that.


Only if your work laptop was set up incorrectly, accepting incoming connections, or not forcing the use of a VPN.


Obviously not all, but at least it would benefit from the forward secrecy of the new handshake, even if the user does nothing else.

For ordinary users, setting a strong passphrase is all they need to do to have a network with improved security, even in the mixed mode.

In addition, you can isolate the WPA2 SSID (for all those printers, Internet of Trash devices, old smartphones that are never going to receive security updates, etc.) from the rest of the network and use strong, independent passphrases for each network; then a compromise of the WPA2 network would not affect the WPA3 one to any large extent.


Isolate my printer from the rest of the network? How do I print?


Allow connections to the printer from other devices, but not connections from the printer to your devices.
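Added example, not posted by any commenter in this thread: an OpenWrt UCI configuration sketch for the setup described in this and the earlier comments (a guest-style segment for legacy gear, and a printer that can be reached but cannot reach back). It puts a WPA3-SAE SSID on the main LAN and a WPA2 SSID on its own isolated network, then lets the firewall forward LAN to the legacy network but not the reverse. The SSID names, the 'iot' network name, the 192.168.20.0/24 range and the passphrase placeholders are assumptions; the option names are OpenWrt's own.

```uci
# /etc/config/wireless (fragment, added example)
# Main SSID: WPA3-SAE only, PMF required (ieee80211w=2 is mandatory for SAE;
# set explicitly rather than relying on the default). Attached to 'lan'.
config wifi-iface 'main'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'home'               # assumed SSID name
	option encryption 'sae'          # use 'sae-mixed' only if WPA3 clients must share this SSID with WPA2 ones
	option ieee80211w '2'
	option key 'REPLACE-WITH-LONG-RANDOM-PASSPHRASE-A'   # placeholder; must differ from the legacy key

# Legacy SSID: WPA2-PSK for devices that cannot do WPA3. Attached to the
# separate 'iot' network; 'isolate' stops legacy clients talking to each other.
config wifi-iface 'legacy'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'home-legacy'        # assumed SSID name
	option encryption 'psk2'
	option isolate '1'
	option key 'REPLACE-WITH-DIFFERENT-PASSPHRASE-B'     # placeholder; independent of the WPA3 key

# /etc/config/network (fragment): a wireless-only network for legacy devices
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.20.1'     # assumed address range
	option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): hand out leases on the legacy network
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (fragment)
# The 'iot' zone rejects traffic to the router and between zones by default,
# so a compromised legacy device cannot initiate connections into the LAN.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Legacy devices may reach the Internet...
config forwarding
	option src 'iot'
	option dest 'wan'

# ...and LAN devices may open connections to them (e.g. to print).
# The reverse direction is deliberately absent: replies to LAN-initiated
# connections are allowed by connection tracking, new iot->lan flows are not.
config forwarding
	option src 'lan'
	option dest 'iot'

# Let legacy devices get DHCP and DNS from the router itself.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

Apply the fragments with the usual `/etc/init.d/network restart`, `wifi reload` and `/etc/init.d/firewall restart`, or edit through LuCI. Because the legacy network has no forwarding to 'lan', a device on the WPA2 SSID that is compromised (or whose PSK is cracked) can still only reach the Internet and the router's DHCP/DNS ports; it cannot initiate connections to the WPA3 side, which is what the isolation argument in the thread relies on.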


> For ordinary users, setting a strong passphrase is all they need to do to have a network with improved security, even in the mixed mode.

Then what's the point of even developing WPA3? Why not revise WPA2 to just require really long passwords?


That's basically what WPA3 is; it is an improvement to WPA2, not a completely new and separate protocol.


Congrats, you have realized that most people don't understand this. I guess you could section off a guest SSID which is a DMZ or something like that.



