Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: WPA2 Shared Secret Rotation: How to Avoid Downtime?
2 points by tonymet on Nov 28, 2023 | hide | past | favorite | 2 comments
Let's assume you like to rotate your WPA2 shared secret (SSID passphrase) once a year. How do you do it without downtime and with minimal fuss? Is it possible to do it without changing SSID?

Here's how I do it:

1. Start with existing SSID `wireless-net`

2. Add new virtual SSID `wireless-net-A` with new shared secret.

3. one by one update each client to the new SSID + shared secret

4. once empty, disable `wireless-net`

The two big downsides are : (1) updating clients 1-by-1 and (2) losing SSID name . Also, some routers do not support virtual SSID

Any better approach?



While your approach to rotating the WPA2 shared secret (SSID passphrase) is efficient, it does have the drawbacks you mentioned. Fortunately, there are incident management tools to minimize the cost and downtime for your organization. We use Squadcast, and we've experienced a reduced client update burden. We're maintaining the existing SSID, and automation is also possible for runbooks.


Unfortunately, there isn't a way for access points to tell clients 'use this SSID and secret from now on, goodbye'.

I guess you need to have a list of people that are the only ones allowed access, then tell them. Maybe include a paper with the new SSID and secret and maybe a QR code.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: