If your office or home Wi-Fi still shows WPA2-Personal, WPA2-Enterprise, or WPA2/WPA3 transition mode, you are running wireless security below the current baseline Wi-Fi Alliance vendors have pushed since WPA3 certification began in 2018. For new deployments in 2026, anything less than WPA3-Personal (SAE) or WPA3-Enterprise deserves a documented upgrade plan.

WPA3 improves key exchange (SAE resists offline dictionary attacks better than WPA2’s 4-way handshake), adds forward secrecy on personal networks, and offers 192-bit security suites for enterprise. KRACK (2017) showed that unpatched WPA2 handshake implementations could also be attacked in range — see the KRACK section below. WPA3 does not replace network segmentation — guest Wi-Fi risks on shared hardware remain; see our guest network security guide.

Wi-Fi Alliance WPA3 overview:
https://www.wi-fi.org/discover-wi-fi/security

Minimum time to break each Wi‑Fi standard

Log-scaled comparison of how quickly an attacker with captured wireless traffic and commodity GPU hardware can defeat each protocol under typical weak-password assumptions. Actual times vary with passphrase length, dictionary quality, and firmware patches.

Logarithmic scale — longer bars mean more time required to break.

*WPA3-SAE removes the offline 4-way-handshake dictionary attack that makes weak WPA2 passphrases practical to crack. **KRACK (2017)** exploited handshake implementation bugs on unpatched WPA2 clients — a separate in-range attack, not an offline crack — see the KRACK section in this article. Online guessing and transition-mode downgrade remain separate risks — see the Wi‑Fi Alliance security overview. WEP and WPA-TKIP times reflect published cryptanalysis (e.g. PTW/Beck-Tews); WPA2 weak-PSK estimate aligns with common Hashcat GPU benchmarks on 8-character dictionaries.

KRACK: how WPA2 can still fail in practice

In October 2017, security researcher Mathy Vanhoef disclosed KRACKKey Reinstallation AttaCK — a flaw in how many WPA2 implementations handled the 4-way handshake. Headlines said KRACK could “break WPA2 encryption.” That is partly true, but the risk is more specific than an instant offline password crack.

What KRACK actually does

  • An attacker must be physically in Wi-Fi range of your network — not merely holding a captured handshake file from a parking-lot sniff.
  • They manipulate handshake messages so a vulnerable client reinstalls an already-used encryption key.
  • That can reset packet counters and, on unpatched devices, allow decryption, replay, or injection of Wi-Fi traffic — even though the passphrase itself was never guessed.

What KRACK does not do

  • It does not replace offline GPU dictionary attacks on weak WPA2 passphrases (shown in the chart above).
  • It does not automatically compromise every WPA2 network worldwide — impact depended on client and AP firmware, and most vendors shipped fixes in late 2017–2018.
  • Patched routers, phones, and laptops are much less exposed; unpatched IoT, old printers, and forgotten access points remain the worry in 2026.

Primary reference: krackattacks.com · US-CERT VU#228519

Illustrated KRACK attack chain

Step 1: Attacker joins radio range

Illustration: attacker within Wi-Fi range intercepting WPA2 four-way handshake messages

The attacker does not need your Wi-Fi password. They position a laptop or rogue radio near your office or home AP and passively records handshake traffic, then replays or modifies handshake frames to trigger key reinstallation on a vulnerable client.

Step 2: Key reinstallation weakens session encryption

Illustration: vulnerable laptop Wi-Fi session decrypted after encryption key reinstallation

When the client reinstalls a stale key, some implementations reset nonce/counter state. An attacker can then decrypt or forge packets for that session — exposing HTTP sessions, legacy app traffic, or metadata even while the network still “looks” secured with WPA2.

Business impact: eavesdropping on unencrypted or poorly encrypted app traffic, session hijack on non-TLS services, and injection of malicious content on captive portals or HTTP-only internal tools.

Step 3: Patch, then upgrade toward WPA3

Illustration: IT admin patching router firmware and client devices after KRACK

Immediate KRACK response (still relevant for stale hardware):

  1. Patch access points and controllers — Meraki, UniFi, ISP gateways, consumer routers.
  2. Patch every Wi-Fi client — Windows, macOS, iOS, Android; do not forget printers, VoIP phones, and IoT.
  3. Retire devices that never received vendor fixes.
  4. Force TLS everywhere — treat Wi-Fi as untrusted transport; KRACK mattered most where apps lacked HTTPS.
  5. Plan WPA3 migration — WPA3-SAE uses a different personal-network handshake that closes the KRACK-class flaw against offline PSK cracking and improves handshake robustness on modern stacks.
AttackRequires Wi-Fi range?Breaks weak PSK offline?Mitigation
Offline WPA2 PSK crackNo (capture once)YesLong random passphrase; move to WPA3-SAE
KRACK (key reinstallation)YesNoOS/router patches; retire EOL gear
WPA2/WPA3 transition downgradeOften yesSometimesDisable transition mode when clients allow

KRACK is a key reason “we use WPA2 with a password” stopped being enough for regulated Texas offices — but the fix is patching plus modernization, not panic about every WPA2 network being trivially readable from anywhere.

Security tiers at a glance

Label on device or routerStatus
Open / None❌ No encryption — never for business
WEP / WPA (TKIP)❌ Broken — replace hardware
WPA2-Personal (PSK)⚠️ Legacy baseline — upgrade planned
WPA2-Enterprise⚠️ Acceptable with strong RADIUS; still not WPA3
WPA2/WPA3 transition⚠️ Mixed — WPA2 clients can still connect
WPA3-Personal / WPA3-SAE✅ Current home/SMB target
WPA3-Enterprise (192-bit)✅ Regulated / high-assurance target

Illustration: weak WPA2 Wi-Fi versus WPA3-protected wireless network

Important: 2026 AirSnitch research shows WPA3 alone does not stop guest-network isolation failures on shared access points. You need both strong encryption and proper VLAN or hardware separation for guest traffic.

How to check if you are on WPA3

Verify the network you use for work — not only a guest SSID.

Illustration: checking Wi-Fi security on laptop and smartphone

Windows 10 / Windows 11

Settings UI

  1. SettingsNetwork & internetWi-Fi
  2. Click the connected networkProperties
  3. Read Security type — want WPA3-Personal, WPA3-SAE, or WPA3-Enterprise

Command line

netsh wlan show interfaces

Check Authentication:

  • WPA3-Personal / WPA3-SAE → WPA3 ✅
  • WPA2-Personal → WPA2 only ⚠️
  • Open → no encryption ❌

Profile detail for a saved network:

netsh wlan show profiles name="YourNetworkName" key=clear

Mac (macOS)

  1. Hold Option (⌥) and click the Wi-Fi menu bar icon
  2. Hover the connected network — read Security: (WPA3 Personal vs WPA2 Personal)

Or: System SettingsWi-FiDetails… on the active SSID.

iPhone / iPad (iOS)

  1. SettingsWi-Fi
  2. Tap next to the connected network
  3. Review details — some iOS versions show Security type directly

If not shown: check the router admin panel (below) or ask IT. After upgrading the router to WPA3, Forget the network and rejoin so iOS renegotiates.

Android

  1. SettingsNetwork & internetInternet / Wi-Fi
  2. Tap the connected network (gear icon on some devices)
  3. Look for SecurityWPA3-Personal vs WPA2-Personal

UI varies by Samsung, Pixel, etc. — router admin is authoritative when the phone hides the field.

Router admin (authoritative for all platforms)

Illustration: IT admin upgrading router wireless settings to WPA3

  1. Sign in to router or cloud controller (Netgear, Linksys, UniFi, Meraki, ISP gateway)
  2. Open Wireless / SSID settings per network
  3. Set WPA3-SAE or WPA3-Enterprise — avoid WPA2-only unless every client is legacy and you are in a timed transition
  4. Document the change in your security policy (Texas SB 2610 programs)

Upgrade path for offices and homes

  1. Inventory clients — printers, VoIP phones, old tablets may lack WPA3; plan replacements or a temporary transition SSID.
  2. Replace EOL routers that cannot receive WPA3 firmware.
  3. Use long random passphrases — WPA3-SAE helps, but weak passwords still fail.
  4. Separate SSIDs — staff on WPA3-Enterprise or WPA3-Personal; never share staff PSK on guest networks.
  5. Layer defensesVPN, TLS, and MFA on business apps regardless of Wi-Fi tier.
  6. Retest quarterly — run netsh wlan show interfaces or Option-click Wi-Fi after firmware updates.

Why Texas businesses should care

CPAs, law firms, and medical offices often assume “we use Wi-Fi passwords, so we’re secure.” WPA2-only networks with shared PSKs on busy office floors are common — offline cracking of captured handshakes remains practical when passphrases are weak, and unpatched KRACK-vulnerable clients can still leak session traffic to someone in the parking lot. Pair wireless upgrades with Five Eyes foundational controls and Fortinet edge patching.

Independent Cybersecurity Audit

We audited consumer and enterprise Wi-Fi vendor domains on June 26, 2026:

Organization (Domain)OverallRisk Level
Netgear (netgear.com)72%Good
Linksys (linksys.com)68%High Risk
Meraki / Cisco (meraki.com)58%High Risk
HPE Aruba (arubanetworks.com)54%Critical Risk

Scores reflect public email/website posture — not whether your SSID uses WPA3 today.

Audit links:


Protect your organization.

Run a free audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for WPA3 migration planning and wireless policy documentation.


Sources: Wi-Fi Alliance — Security · KRACK Attacks — Mathy Vanhoef · US-CERT VU#228519 · Kaspersky — AirSnitch context · EmailMeNow audits — netgear.com