How to Actually Secure Your Home WiFi Network in 2026
Most home WiFi security advice on the internet is a copy-paste of marketing bullet points from router vendors. This is the other kind of guide — written from the perspective of someone who spends the working day cracking weak networks. The tips below are ranked by what actually moves the needle against a motivated attacker sitting in a van outside your apartment or a neighbour with a USB WiFi card. No brand names, no affiliate links, just the controls that matter and the ones that don't.
Threat model first
Before the settings, decide what you are defending against. A home network has three realistic adversaries:
- Opportunistic neighbour. Someone within RF range who tries the password "password123" once, then gives up. Defended by any non-trivial passphrase.
- Motivated amateur. Someone with aircrack-ng and a wordlist, willing to let a laptop grind overnight. Defended by a long human-chosen passphrase outside common wordlists.
- Funded attacker with a GPU rig. Someone who will throw a 4090 at your network for a week. Defended by a 14+ character random passphrase or WPA3-only mode.
Nation-state attackers, corporate APT, and physically present specialists with signal amplifiers are outside the scope of a consumer-grade guide. If that is your threat model, you need a site survey, not a blog post.
The single most important control: passphrase entropy
Everything else in this article is a rounding error compared to the passphrase. WPA2 security reduces to a PBKDF2 derivation of the passphrase with the SSID as salt. If an attacker captures a handshake, they grind candidate passphrases against the derivation at GPU speed until a match appears. The only defense that works is making the passphrase not appear in any wordlist and not crackable by rules applied to dictionaries.
Entropy is the measure of how hard your passphrase is to guess. A passphrase with 60 bits of entropy resists a 1 MH/s attack for ~35,000 years. A passphrase with 40 bits resists for ~13 days. Most human-chosen passwords come in at 25–35 bits and fall in hours. The following table gives real numbers for representative choices:
| Passphrase | Bits of entropy | Time to crack on RTX 4090 (2.6 MH/s) | Safe in 2026? |
|---|---|---|---|
| password | ~12 | < 1 second | No |
| Summer2024! | ~22 | ~8 minutes (rules) | No |
| mydogspot3 | ~30 | ~1 day | Marginal |
| correct-horse-battery-staple | ~44 | ~214 years | Yes |
| K7$mP2vQ9nX4tR8w | ~95 | heat death of the universe | Yes |
The practical recommendation: either use a passphrase of 4+ random dictionary words (diceware, 44 bits for 4 words), or a 14+ character fully random string generated by a password manager. Skip clever substitutions like "p@ssw0rd" — crackers apply those rules automatically, and they gain you maybe 2 bits of entropy at the cost of huge memorability overhead.
Pick the right protocol
WPA3-Personal (SAE) — preferred
The SAE handshake resists offline dictionary attacks. Even a weak passphrase gets substantial protection because every guess requires a live interaction with the AP. Use it if every client supports it.
WPA2-PSK with AES/CCMP — acceptable
The default for 2010-2023 hardware. Strong cipher, but the protocol leaks a verifiable handshake — your passphrase must carry the whole load.
WPA2/WPA3 mixed mode — weak
Marketed as WPA3, but an attacker can force WPA2 association and capture a standard handshake. Functionally equivalent to WPA2-only in attack surface.
WPA2-TKIP / WPA / WEP — broken
TKIP has known weaknesses, WPA is legacy, WEP is trivially broken in minutes. If your router only offers these, replace it.
For the full technical comparison of WPA3 vs WPA2, see WPA3 vs WPA2 security.
Router admin credentials
Every consumer router ships with a default administrator password, often printed on a sticker under the device. Default credentials are enumerated in databases used by attackers: once they are on your network they try admin/admin, admin/password, the ISP-branded default, and they are in the admin UI. From there they can change DNS, enable remote management, pivot to LAN devices. See our default router password reference; if yours appears in that list, change it now.
Change the admin password to something different from the WiFi passphrase. Using the same password for both means any guest who gets WiFi access effectively has admin too. If your router supports local-only admin (disabling remote management / WAN access to UI), enable it.
Disable WPS
WiFi Protected Setup (WPS) is the push-button or PIN-based feature that pairs a client with the router without typing the passphrase. Two design flaws killed it:
- PIN structure is brute-forceable. The 8-digit PIN is validated as two halves with a checksum, reducing the effective keyspace from 100 million to ~11,000. Reaver or Bully can grind through it in 4–10 hours on pre-2019 firmware.
- Push-button is an unauthenticated physical access path. Anyone within reach of your router for 30 seconds can press the button and pair their device. In an apartment building where the router is near a shared wall, this is exploitable.
Modern routers implement rate-limiting that defeats PIN brute-force, but the push-button flaw remains. Turn both off in the router UI. Pair clients by typing the passphrase like civilized people.
Guest network with client isolation
A separate SSID for guests, set up correctly, is a real security win. Three settings matter:
- Isolation from LAN. Guest clients must not be able to reach your NAS, printer, or PCs. Look for "access intranet" or "allow guest to access local network" and disable it.
- Client isolation within the guest SSID. Guests should not see each other's devices either. Stops a compromised guest device from attacking another.
- Bandwidth cap. Prevents one visitor's phone from saturating your uplink.
Give the guest SSID a reasonable passphrase (12+ chars is fine, it does not need to be a state secret), and rotate it when trust changes — a former housemate, a contractor, a house-sitter.
MAC filtering is theater — skip it
MAC filters maintain an allow-list of device MAC addresses that can join. Routers advertise this as a security feature. It is not:
- MACs are broadcast in plain text. Every 802.11 frame contains the source and destination MAC unencrypted. An attacker with a monitor-mode card reads your allow-list off the air in seconds.
- Spoofing is one command: `sudo ip link set dev wlan0 address aa:bb:cc:dd:ee:ff` on Linux, and a single line on macOS and Windows.
- It breaks legitimate devices. iOS and Android randomize the MAC per SSID in recent versions, which breaks the MAC filter every time a device joins.
MAC filtering raises attacker effort from zero to about ten seconds. Not worth the maintenance overhead. Skip it.
Firmware updates — the unsexy essential
Router firmware is how vendors ship security fixes. WPA3 Dragonblood patches, KRACK patches, WPS improvements, CSRF fixes in the admin UI — all arrive through firmware updates. A 2018 router that has never been updated is running 2018 vulnerabilities.
Turn on automatic firmware updates if the router supports them (most post-2020 firmware does). If not, set a calendar reminder every 6 months to check the vendor support page. When the vendor drops support (typically 5 years after release), the router is a liability — replace it or flash OpenWrt if your model is supported.
IoT segregation with VLANs
Smart bulbs, cameras, thermostats, and doorbells are the weakest link in a modern home network. They often cannot support WPA3, they are rarely updated by their vendor, and a compromised one can pivot to your laptops and NAS.
The fix is a dedicated VLAN for IoT, with its own SSID and firewall rules that block traffic from IoT to your main LAN. This requires a router with VLAN support: OpenWrt, UniFi, pfSense, some higher-end ASUS and Netgear firmware. The IoT SSID runs WPA2 because many IoT devices do not support WPA3, but the blast radius if an IoT device is compromised is contained to the VLAN.
Minimal two-VLAN setup:
- Main VLAN (WPA3, 2.4 and 5 GHz): phones, laptops, desktops, NAS, trusted Apple TV / Chromecast.
- IoT VLAN (WPA2, 2.4 GHz only): smart bulbs, cameras, thermostats, robot vacuum. Firewall rule: IoT can reach the internet, cannot initiate connections to Main.
If you want cross-VLAN access for specific devices (main to IoT camera feed), add targeted allow rules, not a blanket permit.
Change the SSID — seriously
Default SSIDs ("NETGEAR99", "TP-LINK_D3F1", "Verizon_ABC123") are a minor but real security hole. The SSID is the PBKDF2 salt in WPA2 key derivation. Reused SSIDs enable precomputed rainbow tables: a public 1-million-SSID / 1-million-password rainbow table exists and covers the common vendor default patterns. A unique SSID (e.g., "KangaroosInCardigans") forces attackers to compute PBKDF2 per-guess, which is what gives the protocol its strength.
Avoid personally identifying SSIDs ("JohnSmithApartment4B") because they make social-engineering follow-ups easier. Make it nonsense.
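Added illustration of the two points this article leans on (not code from the original article): the real WPA2-PSK key derivation, which is what makes the SSID a salt, and the entropy arithmetic behind the crack-time figures. The SSIDs, passphrase and 1 MH/s guess rate are sample values; the PBKDF2 parameters are the ones IEEE 802.11i specifies.

```python
import hashlib
import math

ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA2-PSK


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a WPA2-PSK client does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, 32)


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of a secret made of `symbols` independent uniform picks from
    `pool_size` choices: diceware words (pool 7776) or printable ASCII (pool 94)."""
    return symbols * math.log2(pool_size)


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace of 2**bits at a given guess rate.
    (The article's figures use the full keyspace; the expected time is half.)"""
    return 2.0 ** bits / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit, one decimal."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.1f} {name}"


if __name__ == "__main__":
    # Same passphrase, two SSIDs (sample values): the PMKs share nothing, so a
    # table precomputed for a vendor-default SSID is useless against a renamed network.
    for ssid in ("NETGEAR99", "KangaroosInCardigans"):
        pmk = wpa2_pmk("correct-horse-battery-staple", ssid)
        print(f"{ssid:22} PMK {pmk.hex()[:16]}...")

    # Entropy and crack time at the article's 1 MH/s rate.
    rate = 1_000_000
    for label, bits in (("4 words, 7776-word diceware list", entropy_bits(4, 7776)),
                        ("14 random printable ASCII chars", entropy_bits(14, 94)),
                        ("40 bits (article example)", 40.0),
                        ("60 bits (article example)", 60.0)):
        print(f"{label}: {bits:.1f} bits, "
              f"{human_duration(worst_case_crack_seconds(bits, rate))}")
```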
Disable remote management
Remote management exposes the router admin UI to the WAN side (the internet). It is off by default on most consumer routers but on by default on some ISP-provided gateways. If it is on:
- Your admin credentials are guessable from anywhere on the internet, not just from inside your LAN.
- Any CVE in the admin UI becomes remotely exploitable rather than requiring LAN access first.
- Shodan indexes your router. Literally search Shodan for your ISP's router model; thousands of open admin panels are listed.
Log into the router, find "Remote Management" or "WAN Access to Router" or "Management Access" and turn it off. If you need to manage the router while away from home, use a VPN back to your LAN instead.
Ranked checklist (do in order)
1. Replace the WiFi passphrase with a 14+ char random or 4-word diceware. This single change defeats 90% of real-world attacks.
2. Switch to WPA3-only if every device supports it; otherwise WPA2-PSK with AES/CCMP (never TKIP).
3. Change the router admin password to a different, strong passphrase.
4. Disable WPS (both PIN and push-button).
5. Turn on automatic firmware updates or set a 6-month reminder.
6. Enable a guest network with LAN isolation and client isolation.
7. Change the SSID away from the vendor default.
8. Disable remote management / WAN access to the admin UI.
9. If your router supports VLANs, segregate IoT onto its own VLAN.
10. (Skip) MAC filtering — it is security theater.
Frequently asked questions
Should I hide my SSID?
No. Hiding the SSID (non-broadcast) forces clients to probe for it on every channel, which leaks the name anyway and makes joining unreliable. It was marginal protection in 2005; it is obstruction in 2026.
Is a VPN a substitute for WiFi security?
No. A VPN encrypts traffic from your device to the VPN server, which is useful on untrusted public WiFi. It does not stop an attacker who joins your home network from reaching your LAN devices, whose exposure depends on the WiFi security controls you did or did not configure.
What about 2.4 vs 5 vs 6 GHz?
Security implications are identical across bands. 5 and 6 GHz have shorter range, which incidentally reduces RF reach into a neighbour's unit, but it is a side effect, not a security control.
Are mesh systems more or less secure?
The same as single-AP systems. Mesh nodes communicate on a separate backhaul, which is usually WPA3 or proprietary encryption. The client-facing security is the same.
Does the ISP have my WiFi password?
If they provisioned the router and you never changed the passphrase, yes — the default is in their provisioning database. Change the passphrase after installation. They cannot see the new one.
The one-line summary
Long passphrase, WPA3 if you can, WPA2-AES if you must, WPS off, firmware updated, admin password changed. Everything else is a rounding error.
Related reading
Protocol detail: WPA3 vs WPA2. Default password list: default router passwords. Check your own exposure: rogue AP detection.
Recap
- Passphrase entropy is 90% of the battle.
- WPA3-only > WPA2-AES > WPA2/WPA3 mixed = WPA2.
- MAC filtering and SSID hiding are theater.
- Disable WPS and remote management.
- Segregate IoT if your router supports VLANs.
Goal: be the boring target in the apartment building. Attackers move on.