Safer Internet: Connection: Encrypt Wi-Fi


  • + Protect unencrypted traffic from hackers and eavesdroppers -- at least part of the way
  • + Block unauthorized users (slowdowns, datacaps, illegal activity)
  • - Some admin setup required
  • - Provide password to your users


Wi-Fi Encryption

  • If you use https: for web browsing, and SSL/TLS for email, much of your important traffic will already be encrypted.
  • However, this isn't always possible for all sites & situations, and there are other reasons to protect your router and connection.
  • Encrypt Wi-Fi networks you control with WPA (Wi-Fi Protected Access)
  • Weak/no password could create problems if neighbors use your connection (& IP address) for illicit activities or excessive downloads -- not an issue if your Wi-Fi range does not extend outside, or for hard-wired devices (via Ethernet cable)
  • WEP (Wired Equivalent Privacy) is easily cracked, barely better than no encryption
  • WPS (Wi-Fi Protected Setup) lets you use WPA without having to enter a long password; however, you may be vulnerable if you have not changed the pre-shared WPA key from the factory default setting and the PIN feature is enabled.
  • [Refs:Wi-Fi]: "Wi-FI Protected Setup (WPS) is Insecure: Here's Why You Should Disable It"
  • Network figures
  • with no encryption (Wi-Fi, SSL/https): {Figure 1. TCYOP-2: 39; TCYOP-1: 39}
  • with Wi-Fi encryption: {Figure 3. TCYOP-2: 41; TCYOP-1: 41}
  • Change encryption level to WPA/WPA2
  • consult your router manual (download .pdf from manufacturer) to locate settings
    and local IP address, e.g., router has its own web server!
  • use web browser to connect locally to router, or use manufacturer configuration app
  • Apple Airport {Figure 2. TCYOP-2: 40; TCYOP-1: 40}
  • Netgear: Wireless Settings > Security Options > WPA2
  • TP-Link: Wireless (freq) > Wireless Security > WPA/WPA2 [screenshot]
  • Check encryption level from client: none?, WEP?, WPA?
  • macOS: menubar > [option-click] Wi-Fi icon: current network stats displayed; other networks: hover to display stats
  • iOS10: Settings > Wi-Fi insecure connection shown in red
  • iOS(older): there doesn't appear to be a built-in way to see security details of any routers, whether connected or not
  • Android, macOS, Windows: How to Check WiFi Security Encryption Type 1/24/2014
  • Don't connect automatically to open (insecure) Wi-Fi networks.
  • By default, macOS & iOS connect automatically only to "known" networks, i.e., open or password-protected networks that you've connected to before
  • Automatic connections might occur in older systems or on other platforms?
  • For a new, unknown network, you can be prompted to join it, or to select it manually. It won't connect automatically
  • macOS: System Preferences > Network > Wi-Fi > Ask to Join New Networks : "on" (prompt you when a new network is avail) or "off" (you'll select manually)
  • iOS: Settings > Wi-Fi > Ask to Join Networks (same as macOS)
  • To remove a network from the list of automatically connecting "known" networks (that you've connected to previously)
  • macOS: System Preferences > Network > Wi-Fi > Advanced > Wi-Fi > (select network) > "-"
  • iOS: Settings > Wi-Fi > "i" (for network) > Forget This Network
  • [2] To make your network freely available to others, e.g., during a disaster, set up a separate guest network (with no password), rather than disabling security on your regular network [screenshot]
  • [Refs:Wi-Fi]: "How (and Why) to Safely Open Your Wi-Fi Network During a Disaster"
  • [2] Consider using a Virtual Private Network (VPN) (covered in next section) if
  • no password; in a public area, attacker might provide access point, e.g., "Free WiFi"; or greedy ISP might inject ads
  • weak password: WEP, WPS
  • widely known password, e.g., coffee shop
  • [Refs:Wi-Fi]: "The Dangers of Unsecured Wifi Hotspots"
  • [Refs:Wi-Fi]: "Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk"
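
Added example (not part of the original page): on a Windows client, the "Check encryption level from client" step above can be scripted by parsing the text that `netsh wlan show networks` prints. The sample output below is constructed, and the function names are illustrative.

```python
import re

# Constructed sample, modeled on the layout of `netsh wlan show networks`.
SAMPLE = """\
SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 2 : Free WiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : OldRouter
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
"""

def parse_networks(text):
    """Return one dict per network: ssid, authentication, encryption."""
    networks = []
    for line in text.splitlines():
        m = re.match(r"^SSID \d+\s*:\s?(.*)$", line)
        if m:  # a new network block starts; keep colons inside the SSID
            networks.append({"ssid": m.group(1).strip()})
            continue
        key, sep, value = line.partition(":")
        field = key.strip().lower()
        if sep and networks and field in ("authentication", "encryption"):
            networks[-1][field] = value.strip()
    return networks

def classify(net):
    """Map a parsed network onto the page's categories: none, WEP, WPA..."""
    auth = net.get("authentication", "").upper()
    enc = net.get("encryption", "").upper()
    if enc == "WEP":
        return "WEP"
    m = re.match(r"WPA\d?", auth)  # WPA, WPA2, ...
    if m:
        return m.group(0)
    return "none" if (auth == "OPEN" and enc == "NONE") else "unknown"

def weak_networks(text):
    # SSIDs with no encryption or WEP: the ones to avoid or to fix.
    return [n["ssid"] for n in parse_networks(text) if classify(n) in ("none", "WEP")]
```

On a real machine, pass the captured output of the command to `weak_networks()` instead of `SAMPLE`.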

Router Password

  • Set a strong admin password -- this is for router itself (not the Wi-Fi password you use or supply to guests)
  • if required to be short, also change admin user name
  • Netgear: Maintenance > Set Password
  • TP-Link: System Tools > Password [screenshot]
  • If you set up your smartphone to share its data connection via Wi-Fi (aka Personal Hotspot or tethering), be sure to set a password, both for security and to keep others from using your data allocation.

[2] Router/Device DNS

  • If your Wi-Fi connection seems 'stuck', first reset/get new device IP address; otherwise, restart cable/DSL modem, then router
  • macOS: System Preferences > Network > Advanced > TCP/IP > Renew DHCP Lease
  • iOS: Settings > Wi-Fi > (current network "i" icon) > Renew Lease
  • Change DNS (Domain Name System) name servers; e.g., Netgear (right)
  • free: OpenDNS; Google Public DNS; Recursive DNS
  • benefits: speed; security; non-existent domains (ad redirection)
  • Netgear: Basic Settings > DNS Address
  • TP-Link: DHCP > DHCP Settings [screenshot]; Network > WAN [screenshot]
  • If you have no router (or it's someone else's), you can change DNS directly on device via "Network > DNS settings"
  • macOS: System Preferences > Network > Advanced > DNS > DNS Servers
  • iOS: Settings > WiFi > (network: "i") > IP Address > DHCP > DNS
  • If possible, create separate network profile, e.g., Home, Travel?
  • [Refs:DNS]: "7 Reasons to Use a Third-Party DNS Service"; "Pharming Attack Targets Home Router DNS Settings"
  • [3] Encrypt DNS lookups, e.g., DNS Crypt: article, download free for macOS, Win from OpenDNS (now Cisco); GitHub download Mac: 1.0.12
  • benefits: privacy; security (spoofing and man-in-the-middle attacks)
  • macOS: [menubar] > "DNSCrypt"

[3] Advanced

  • Disable remote administration -- hopefully it was already off by default
  • Netgear: Advanced > Remote Management
  • TP-Link: Security > Remote Management [screenshot]
  • If you change many admin settings, consider making a backup.
  • Netgear: Maintenance > Backup Settings
  • TP-Link: System Tools > Backup & Restore
  • Check if an update (usually infrequent) is available for your router's firmware, automatically upon login, or manually.
  • Netgear: Maintenance > Router Upgrade
  • TP-Link: System Tools > Firmware Upgrade [screenshot]
  • If you rent a router from your ISP, check with them about updates.
  • On some devices, e.g., iPhone, iPad*, you can lock your SIM card so that cellular data can't be used without entering a PIN -- whenever you swap SIM cards or restart. To enable, disable or change your SIM PIN:
  • iPhone: Settings > Phone > SIM PIN
  • iPad: Settings > Cellular Data > SIM PIN (*Wi-Fi + Cellular models)



DNS, IP Addresses



Modem, Router