HomeTechOps

Wi-Fi & Network · Beginner explainer

Wi-Fi security: WPA2 vs WPA3 in 2026

Wi-Fi security got an upgrade in 2018 (WPA3) and became mandatory on the 6 GHz band in 2020 — meaning every Wi-Fi 6E and Wi-Fi 7 router supports it whether you use it or not. The 2026 default for a home is WPA2/WPA3 mixed mode with a long password, WPS turned OFF, and a guest network for visitors and IoT gadgets. Three settings, ten minutes, and the security tier of the network jumps several notches.

The mental model

WPA2 vs WPA3 is like the difference between a regular door lock and a deadbolt with anti-pick pins. Both keep casual visitors out, and the older lock isn't "broken" — but a determined intruder with the right tools can pick the old one offline.

  • WPA2's weakness: if someone records you using the key (the 4-way handshake), they can take that recording home and try millions of password guesses against it at their leisure.
  • WPA3's SAE handshake is built so even if they record the unlock, they cannot practice on it at home. They have to keep trying in front of the door, where you can see them.
  • Two more settings matter as much as the WPA version: **turn WPS off** (it's a well-known back door), and put visitors + IoT devices on a **guest network** so a compromised smart bulb cannot pivot to your laptop.

Words you will see

WPA2
The Wi-Fi password security standard from 2004. Still widely used, still works, but has known weaknesses — KRACK exposed in 2017 (patched), and offline password-guessing attacks that cannot be patched out.
WPA3
The 2018 successor. Replaces WPA2's old handshake with SAE, adds protection against password guessing, and adds forward secrecy (past traffic stays secure even if the password leaks later). Required on any device using the 6 GHz band.
SAE (Simultaneous Authentication of Equals)
The new "handshake" used by WPA3. Replaces WPA2's 4-way PSK handshake. An attacker cannot record the handshake and guess your password offline at their leisure.
WPA3 Transition Mode (WPA2/WPA3 mixed)
The router runs both at once. Modern devices connect with WPA3; older devices fall back to WPA2. Best default for most homes in 2026.
WPS (Wi-Fi Protected Setup)
A "press this button to connect" feature from 2006. Has a brute-forceable PIN attack (2011) and the Pixie Dust attack (2014). Still dangerous in 2026, still on by default on many routers. Turn it off.
Guest network / IoT SSID
A separate Wi-Fi network for visitors and "smart" gadgets (cameras, plugs, bulbs). Keeps the chatty / less-trustworthy devices off the network where your laptops and phones live.
PSK (Pre-Shared Key)
The fancy name for "the Wi-Fi password you type in." Same idea in WPA2 and WPA3 from the user's side — what changes is how the handshake validates it.

The 30-second recommendation for a 2026 home

Set Wi-Fi security to **WPA2/WPA3 mixed** (also called "WPA3 Transition" or "WPA2-PSK + WPA3-Personal"), use a **16+ character random password** (a passphrase of four random words works), **turn WPS off**, and **enable a guest network** for visitors and IoT gadgets.

That's the modern baseline. Everything else on this page is the *why*.

What actually changed under the hood

WPA2 has been around since 2004 and is the protocol most home Wi-Fi has used for the last 20 years. WPA3 replaces the "4-way handshake" with **SAE**, which prevents the main WPA2 attack — capturing the handshake and guessing passwords offline.

WPA3 also adds **forward secrecy**, meaning past traffic stays encrypted even if your password leaks later, and **OWE** (encrypted open networks, useful for guest Wi-Fi without a password).

It's not that WPA2 is suddenly broken in 2026 — it's that WPA3 closes doors WPA2 left open.

Transition mode reality — and what may break

On WPA2/WPA3 mixed, your router advertises both protocols and each device picks the strongest one it supports. Modern phones, laptops, and tablets connect on WPA3; older smart-home gear falls back to WPA2-AES.

Most of the time this works invisibly. But some legacy clients refuse the mixed beacon: older Sonos speakers, first-generation Chromecasts (2013-2015), some 2017-and-earlier smart bulbs (older Hue/LIFX), older Ring/Roku models, and devices running Android 9 and below.

The fix is usually to put those devices on a separate "IoT" or guest SSID that's WPA2-only, while keeping the main SSID on mixed mode.

The WPS problem — the most important paragraph

WPS lets you press a button on the router to add a device. Convenient, until you realize attackers don't need physical access to the router: they can attack the WPS PIN over the air, from anywhere within Wi-Fi range.

A 2011 design flaw lets a guesser try the 8-digit PIN in two halves of ~10,000 combinations each (not 100 million), and the 2014 Pixie Dust attack can derive the PIN from a single handshake in seconds on many routers. A 2026 Which? report found WPS exploitable on about 73% of the routers tested.

**Disable WPS in your router admin panel** — and not just the physical button. Disable it in software so attackers can't trigger it remotely.
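To confirm the router's settings actually took effect, you can check what your own network advertises. The following is an added example, not part of the original page: it reads saved Wi-Fi scan text and reports each network's security mode and whether WPS is still advertised. It assumes the text layout printed by the Linux `iw` scan command; the sample scan, SSIDs, and function names are constructed for illustration.

```python
# Added example. SAMPLE_SCAN is constructed; layout follows `iw dev <iface> scan`.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tSSID: Home-Main
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK SAE
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: Home-IoT
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
"""

def parse_scan(text):
    """One dict per BSS: SSID, advertised key-management suites, WPS flag."""
    networks = []
    for line in text.splitlines():
        field = line.strip()
        if line.startswith("BSS "):  # an unindented BSS line opens a new network
            networks.append({"ssid": "", "akms": set(), "wps": False})
        elif not networks:
            continue  # ignore anything before the first BSS line
        elif field.startswith("SSID:"):
            networks[-1]["ssid"] = field[5:].strip()
        elif "Authentication suites:" in field:
            networks[-1]["akms"] |= set(field.split(":", 1)[1].split())
        elif field.startswith("WPS:"):  # a WPS element is present in the beacon
            networks[-1]["wps"] = True
    return networks

def security_mode(akms):
    """Name the mode from the suites offered: SAE is WPA3, PSK is WPA2."""
    if "SAE" in akms and "PSK" in akms:
        return "WPA2/WPA3 mixed"
    if "SAE" in akms:
        return "WPA3-only"
    return "WPA2-only" if "PSK" in akms else "open or other"

def audit(text):
    """Map each SSID to (mode, findings) against the baseline on this page."""
    report = {}
    for net in parse_scan(text):
        mode, findings = security_mode(net["akms"]), []
        if net["wps"]:
            findings.append("WPS advertised: disable it in the admin panel")
        if mode == "WPA2-only":
            findings.append("no SAE: fine for a legacy IoT SSID, not the main one")
        report[net["ssid"]] = (mode, findings)
    return report
```

Calling `audit(SAMPLE_SCAN)` returns one entry per SSID; an empty findings list means that network matches the baseline. Run it again after changing the router settings to confirm the WPS finding has disappeared.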

Guest network and the IoT problem

The cheap smart bulb, the off-brand camera, the kid's old tablet — these are the soft underbelly of home networks. Put them on a **guest network** or a separate IoT SSID.

If one of them gets compromised, the attacker is stuck on the guest segment and can't pivot to your laptop, NAS, or work machine. Most modern routers (eero, TP-Link, Asus, UniFi, Netgear) make this a single toggle. Use it.

The smart-home segmentation guide covers VLAN-level isolation if you want to go further.

Common misconceptions

Many people think: My password is 24 characters long, so it doesn't matter if I'm on WPA2 or WPA3.

Actually: A long random password really does defeat most attacks on WPA2 in practice. But WPA3 still wins on forward secrecy. If someone records your WPA2 handshake today and your password leaks five years from now, they can decrypt the old traffic. With WPA3, they can't.

Many people think: Hiding my Wi-Fi name (SSID) makes me safer.

Actually: Security theater. Your devices broadcast the hidden name every time they look for the network; anyone with free scanning software captures the name in under a minute. You've just made your own life harder typing it on every new device.

Many people think: MAC address filtering keeps strangers off my Wi-Fi.

Actually: MAC addresses are visible to anyone scanning your Wi-Fi. Spoofing one is a one-line command. MAC filtering creates work for you (every new device must be added) and gives zero real protection. Skip it.

Many people think: WPS is convenient and basically harmless.

Actually: The 2011 PIN flaw and 2014 Pixie Dust attack remain exploitable on a majority of consumer routers in 2026. WPS is the single biggest "you left the back door unlocked" mistake in 2026 home networks.

Many people think: WPA3 is just for businesses; home users don't need it.

Actually: Since 2020, every Wi-Fi 6E and Wi-Fi 7 device has had to support WPA3 in order to use the 6 GHz band. If you bought a router in the last three years, you almost certainly already have WPA3. Using it is one checkbox in the admin panel.

Last reviewed

2026-05-27