Home & Travel Security
Overview
The rest of this manual is about how wireless networks break. This page turns that around: it is the practical, plain-language guide to keeping your own Wi-Fi safe, at home and on the road. None of it requires special tools, and every recommendation here tracks the published guidance of the FTC, CISA, the NSA, the FCC, and the Wi-Fi Alliance, cited at the end.
Lock down your home router
Most home networks are only as strong as a few router settings most people never open. Five changes do almost all of the work:
- Change the router's admin login. Your router has two separate logins: the Wi-Fi passphrase devices use to join, and an administrator account that controls the router itself. They are not the same, and the admin password is the one attackers look up by model number. Change it first; if someone reaches the admin side, they can undo everything else.
- Use WPA3 (or WPA2-AES) with a long passphrase. Set the encryption to WPA3-Personal, or WPA2-Personal (AES/CCMP) if WPA3 is not offered. Never use WEP or WPA/TKIP; if those are the only options, the router is old enough to replace. Choose a long passphrase; a short sentence is better than a short complex string.
- Turn off WPS. The eight-digit WPS PIN is brute-forceable in hours regardless of how strong your passphrase is, and disabling it is the only real fix. See WPS for why.
- Keep firmware updated, and retire end-of-life routers. Turn on automatic updates if the router offers them; a router the manufacturer no longer patches is a standing risk.
- Disable remote administration and UPnP unless you specifically need them. Both widen the attack surface from the internet side for convenience you probably are not using.
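To confirm from a laptop that the encryption setting took effect, the sketch below grades each network in a Wi-Fi scan against the WPA3 / WPA2-AES advice above. It is an added example, not part of the original guide; it assumes a Linux machine with NetworkManager and the terse output of `nmcli -t -f SSID,SECURITY,RSN-FLAGS device wifi list`, and the sample scan lines and the `grade`/`audit` helper names are constructed for illustration.

```python
# Added example: grade scanned networks against the encryption advice above.
# Assumed input format: nmcli -t -f SSID,SECURITY,RSN-FLAGS device wifi list
# The sample below is constructed, not captured from a real network.
SAMPLE_SCAN = r"""HomeNet:WPA3:pair_ccmp group_ccmp sae
HomeNet-Guest:WPA2:pair_ccmp group_ccmp psk
OldRouter:WPA1 WPA2:pair_tkip pair_ccmp group_tkip psk
Garage\:Cam:WEP:(none)
CoffeeShop::(none)
"""

def split_terse(line):
    # nmcli terse mode separates fields with ':' and backslash-escapes
    # any ':' or '\' that occurs inside a value (SSIDs may contain both).
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def grade(security, rsn_flags):
    modes = set(security.split())
    if not modes or modes == {"--"}:
        return "OPEN", "no encryption: treat as public Wi-Fi"
    if "WEP" in modes:
        return "REPLACE", "WEP: router is old enough to replace"
    if "WPA1" in modes or "tkip" in rsn_flags:
        return "FIX", "legacy WPA/TKIP enabled: select WPA2-AES or WPA3 only"
    if "WPA3" in modes:
        return "OK", "WPA3"
    if "WPA2" in modes:
        return "OK", "WPA2 with AES/CCMP"
    return "REVIEW", "unrecognised mode: check the router settings by hand"

def audit(scan_text):
    results = {}
    for line in scan_text.splitlines():
        if line.strip():
            ssid, security, rsn = (split_terse(line) + ["", ""])[:3]
            results[ssid] = grade(security, rsn)
    return results

if __name__ == "__main__":
    for ssid, (verdict, why) in audit(SAMPLE_SCAN).items():
        print(f"{verdict:8} {ssid or '<hidden>'}: {why}")
```

A scan only shows what the network advertises over the air; the admin password, WPS, firmware, remote administration, and UPnP settings still have to be checked in the router's own interface.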
Separate networks for guests and smart-home devices
Almost every modern router can broadcast a second guest network, and it is the single most useful thing most people never turn on. Put visitors on it, and put your IoT and smart-home devices (cameras, plugs, TVs, speakers) on it too. Those devices are the least-patched, least-trustworthy things on your network; keeping them on a separate, isolated network means a compromised smart bulb cannot reach your laptop, your files, or the router's settings.
While you are in the settings: rename the network (SSID) to something that is not your name, address, or unit number, and do not bother hiding it: a hidden network is trivially discovered and protects nothing. Real security comes from the encryption and the passphrase, not from a secret name. For each smart device, change its default password, turn on automatic updates, and enable two-factor authentication if it is offered.
Public Wi-Fi: assume someone is listening
Open Wi-Fi at a coffee shop, hotel, or airport is convenient and, by default, unencrypted: anyone else on the same network can potentially see unprotected traffic. Worse, an attacker can stand up an evil twin, a rogue access point with the same name as the real one, and a captive-portal phishing page that copies the normal sign-in screen to harvest what you type. The FBI specifically warns travelers about evil twins on hotel and airport networks.
Safer habits on the road
- Prefer your own cellular connection. For banking, email, or work, your phone's mobile data or personal hotspot is far safer than any public network. The FCC makes this point directly.
- If you must use public Wi-Fi: stick to sites showing https (the lock), avoid logging into anything sensitive, log out when done, and consider a reputable VPN, which encrypts everything between your device and the internet. HTTPS has made public Wi-Fi much safer than it used to be, but it protects the contents of a page, not which sites you visit, and it does not save you from a fake captive portal.
- Verify the network name with staff. Evil twins win by looking right. Ask for the exact name before connecting, and do not connect to lookalikes.
- Tame your device's radios. Turn off auto-join for open networks, and "forget" a public network after you leave so your phone does not silently rejoin a same-named twin later. Turn Wi-Fi and Bluetooth off when you are not using them, or use airplane mode, and leave MAC-address randomization on.
- Keep the basics current. Patch your operating system and browser, and use a screen lock and device encryption so a lost or stolen device keeps its secrets.
You are also being counted
Even when you never connect, a phone with its radios on constantly announces itself, and those signals can be used to track movement through a venue. The device-off and minimize-radios advice above is the simplest mitigation; for the full picture of how Wi-Fi, Bluetooth, and cellular signals are used to locate people, and what genuinely blocks it (down to Faraday pouches), see Wireless and Health.
Sources
- FTC, "How To Secure Your Home Wi-Fi Network": https://consumer.ftc.gov/articles/how-secure-your-home-wi-fi-network
- FTC, "Securing Your Internet-Connected Devices at Home": https://consumer.ftc.gov/articles/securing-your-internet-connected-devices-home
- FTC, "Are Public Wi-Fi Networks Safe? What You Need To Know": https://consumer.ftc.gov/articles/are-public-wi-fi-networks-safe-what-you-need-know
- CISA, "Securing Your Home Wi-Fi" (Project Upskill, Module 5): https://www.cisa.gov/audiences/high-risk-communities/projectupskill/module5
- CISA, "Securing Portable Electronic Devices During Travel": https://www.cisa.gov/news-events/alerts/2019/11/22/securing-portable-electronic-devices-during-travel
- NSA, "Best Practices for Keeping Your Home Network Secure": https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-best-practices-for-keeping-home-network-secure.pdf
- FCC, "How To Protect Yourself Online" (public Wi-Fi, VPN, imposter hotspots): https://www.fcc.gov/consumers/guides/how-protect-yourself-online
- Wi-Fi Alliance, "Wi-Fi CERTIFIED WPA3" (WPA3 and Enhanced Open): https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security
- EFF, "Why Public Wi-Fi Is a Lot Safer Than You Think" (HTTPS nuance): https://www.eff.org/deeplinks/2020/01/why-public-wi-fi-lot-safer-you-think
- SANS Internet Storm Center, "Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability": https://isc.sans.edu/diary/Wi-Fi+Protected+Setup+(WPS)+PIN+Brute+Force+Vulnerability/12292