What is the difference between the WPA2 Personal, WPA and WPA2 WiFi security passcodes?
I was editing the configuration for my Time Capsule, when I noticed that I had the following options for network encryption:
Why is there an option of WPA/WPA2? Is it as secure as WPA2 Personal?
When looking for the network with other devices, I'm am told to enter a WPA2 Password. Thus, I thought that I had configured it using WPA2 Personal.
I believe that WPA was the original WPA standard, and WPA2 was an improved version of it. Some network cards can’t connect to WPA2 networks. From the Wikipedia page on WPA:
The later WPA2 certification mark indicates compliance with the full IEEE 802.11i standard. This advanced protocol will not work with some older network cards.
The Wikipedia article cites a white paper from the Wi-Fi Alliance:
WPA is both forward and backward-compatible and is designed to run on existing Wi-Fi devices as a software download.
In a nutshell, a WPA/WPA2 network will any network card that supports WPA or WPA2 to connect to it; whereas a WPA2 only network locks out network cards that only support the newer standard. I don’t think there’s any meaningful difference in the security.
FWIW, I’ve used WPA2 Personal on my Airport Extreme since I bought it, and no device has ever had problems connecting.
Confession: I initially misread the question as being about the difference between Personal and Enterprise, and wrote this. Although not directly answering the question, I include it for interest.
“Personal” and “Enterprise” just refer to the two flavours of WPA and WPA2. From the Wi-fi Alliance’s page on WPA2:
WPA2 can be enabled in two versions - WPA2 Personal and WPA2 Enterprise. WPA2 - Personal protects unauthorized network access by utilizing a set-up password. WPA2 - Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.
I believe that WPA and WPA2 both come in these two flavours, hence the either/or. Personal is more suitable for a home network, but it’s less secure than enterprise. Enterprise connects to a “RADIUS server” for authentication. I don’t know what that is, but it sounds clever and secure.
I’d guess that a device connecting to your Time Capsule just sees a request for a WPA2 password, hence why it doesn’t ask you for a WPA2 Personal password.
Both 'WPA' and 'WPA2' use AES to encrypt the information transiting the WiFi network, but
WPA uses something called TKIP to manage the keys used to encrypt the data. TKIP is vulnerable to attack (it's not secure) and should not be used.
WPA2 uses AES-CCMP for key management.
"WPA/WPA2 Personal", also called mixed-mode, allows negotiation of key management modes and reduces the security of the network to the lowest common denominator.
BOTTOM LINE: If you're concerned about security/privacy of information on your networks (wired and wireless) , DON'T use WPA or WPA/WPA2. Use WPA2 only. And, if you don't already know, WEP is basically the same as having no security at all.
Another poster points out that the 'Enterprise' modes send authentication requests to a server before allowing a client on the network. The two big advantages are:
- central management: I don't have to set keys on every access point, and I can disable accounts of individual users. There's also traceability: I know which WiFi device belongs to which user.
- much longer keys (like 2048 bit, versus 128 for 'personal'). This further decreases the likelihood that an attacker can figure out the key in the time it's in use.
The 'personal' pre-shared key ("PSK") is derived from the passphrase you type into your client, so even if PSK allowed long keys, you'd have to type a passphrase that most people would object to.