If you were to set up a wireless network in your home, you would need to buy a wireless router. If you were to do that today, chances are the router would come pre-configured with some kind of password, probably a nonsensical string of gobbledygook.

There’s a good reason for this. A few years ago (for example, when I bought my wireless router in 2004), wireless routers didn’t come with preconfigured passwords. Out of the box, a wireless router used to have no security at all. It would create what is called an “open access point,” meaning anyone strolling by with a laptop could just connect to your wireless network. Depending on where you live, having someone stroll by with a laptop could be as rare as having an ivory-billed woodpecker fly past your house, or as common as seeing someone talking on a cell phone. I live in Cambridge, Massachusetts, so I happen to fall into the latter category.

The reason routers need to come with the passwords enabled by default is that approximately 99% of users never used to bother to turn them on. Things are better today, and here’s why.

Ethernet is Ridiculously Easy to Eavesdrop on

I am taking a night class in computer networking because I really need to learn more about this stuff myself. What I found out is:

  1. Wi-Fi is a variation on the Ethernet networking protocol
  2. the way Ethernet works has appalling implications for security

You might think when your computer sends data over Wi-Fi, it sends data straight to the access point. That would be incorrect. In fact the Wi-Fi card in your computer broadcasts data over a radio signal that can be picked up from anywhere nearby. But that’s not all! There’s more! If you actually read the above link about how Ethernet works, then you’d realize that all the data you send over Ethernet (or Wi-Fi) goes to all the other computers on the network. Each computer gets every piece (called a frame) of data and checks to see who is supposed to get it. If the data is intended for another computer, then the recipient throws it away.

In other words, a computer on an Ethernet or Wi-Fi network has to go out of its way not to eavesdrop on other members of the network. It is a pretty simple matter for an attacker to tell his/her computer not to go to the trouble, and just pick up everything.
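The filtering step described above, sketched as an added example (it is not code from the original post): each interface reads the destination address in the frame header and drops frames meant for someone else, unless that check is switched off. The addresses and payloads are constructed, multicast handling is left out, and the payloads are unencrypted, which is the situation Wi-Fi encryption is meant to fix.

```python
import struct

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes")
    return raw

def build_frame(dst, src, payload, ethertype=0x0800):
    """Assemble an Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, data."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, ethertype, payload); reject truncated frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

def nic_accepts(frame, my_mac, promiscuous=False):
    """The check each interface runs on every frame it hears."""
    dst, _src, _type, _data = parse_frame(frame)
    if promiscuous:              # filter disabled: nothing is thrown away
        return True
    return dst == my_mac or dst == BROADCAST

def payloads_seen(frames, my_mac, promiscuous=False):
    """Payloads that reach the operating system on this host."""
    return [parse_frame(f)[3] for f in frames
            if nic_accepts(f, my_mac, promiscuous)]

# Constructed sample traffic on one shared segment (all addresses are made up).
ROUTER, ALICE, BOB = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
TRAFFIC = [
    build_frame(ROUTER, ALICE, b"alice: outgoing mail"),
    build_frame(BOB, ROUTER, b"router: web page for bob"),
    build_frame("ff:ff:ff:ff:ff:ff", ALICE, b"who has 192.168.1.1?", 0x0806),
    build_frame(ALICE, ROUTER, b"router: reply for alice"),
]

if __name__ == "__main__":
    bob = mac(BOB)
    print("normal     :", payloads_seen(TRAFFIC, bob))
    print("promiscuous:", payloads_seen(TRAFFIC, bob, promiscuous=True))
```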

Now, really sensitive data you send over the Internet is probably sent using HTTPS, which is encrypted. Your bank account password and credit card numbers are probably safe. But there is still plenty of private stuff that could easily be picked up by the teenager next door. All your e-mail, for starters (incoming and outgoing). If you wouldn’t want the text of all your e-mail, and the contents of every Web site you visit, printed in the local newspaper, then Wi-Fi encryption is for you.

What To Do

If you bought your wireless router after 2006 or so, relax. It probably came with encryption pre-configured (encryption is what the WEP or WPA password is for).

If your router is a few years old, you probably remember setting up the encryption for it. Or not. In that case you would be well-advised to find or download the user’s manual for your router and find out how to enable encryption. I would love to tell you exactly how to do that, but the fact is it depends a little on what brand of router you have and what version of Windows/MacOS/whatever you are using, and if I were to research all that I would expect to get paid for it and you wouldn’t get the information for free anyway.

But I’ll give you a hint: you can try the time-tested troubleshooting method professionals use. Start by going to http://192.168.1.1 (If you get prompted for a username and password, try guessing. If you guessed right, then that’s another problem right there: change the admin password for your router. And write it down, and keep it under your mattress or something.)

The Next Level

If all you do is turn on basic encryption, then I’ve accomplished my goal of informing the public and I can pat myself on the back. However, I cannot yet bring myself to shut up about this subject, so by all means, read on.

WPA instead of WEP

Many wireless routers use WEP for encryption. That’s an acronym for “Wired Equivalent Privacy,” meaning it’s as hard to eavesdrop on as if the data were flowing through a wire instead of broadcast through the air. As if. WEP was OK for a couple of years but now there are well-known programs that can defeat it. It’s still a lot better than nothing, but I think a more appropriate expansion for the acronym today is “Weak Encryption Problem.”

WPA is better, so use it if you have a choice. But even WPA can be broken.

There is a basic principle at work here: no encryption is perfect, and none lasts forever. Sooner or later, someone will figure out how to break it. This is not to say encryption isn’t worthwhile: it will keep out an inexperienced or opportunistic intruder, but not a real professional. Using encryption is analogous to locking the front door of your house. You definitely want to do it, in spite of the fact that a really determined intruder can just break a window, or chop through the door with a fire axe for that matter.

Not Being Seen

There is another basic principle that covers a lot of flaws in your encryption, though: not being seen.

What you can do — and I think this is pretty slick — is configure your router to not broadcast your network’s name. In fact, it won’t announce its presence at all.

If you live in a condo or apartment building, or take your laptop to a public place like a railway station or hotel, you’ll probably notice in your wireless network configuration that there are a lot of other wireless networks around. Probably a lot of them have names like “linksys” or “default.” Others have names like “Steve’s Network” or “Jones.” All of these network names are set up by the router’s configuration. The wireless router broadcasts this name, which is technically called an SSID. This makes it easy for people to find and connect to the network.

That’s great for a coffee shop or other public network, but not so great for your home. Quick question: do you want people outside your home to easily find and log on to your home network? I didn’t think so.

Rule #1: For heaven’s sake, don’t put your own name or other identifying information in your SSID. That gets broadcast to the world. If anyone happened to be looking to break into your network in particular, you’d be practically giving them directions. My network SSID is something like “g45J87nwQ”. I can tell it’s mine, but damn if anybody else can.

Rule #2: You don’t need to broadcast your SSID at all. A network that doesn’t broadcast its SSID can still be connected to — by people who already know the SSID. So you can do what I do: write down the SSID, stick it under a mattress or somewhere, and then don’t broadcast. Yes, it’s a bit less convenient to connect to the network (you have to find the paper and type in the SSID). But that’s the whole point.