Acutis Go network & machine diagnostics

WPA2 vs WPA3: Wi-Fi security explained

The short answer

WPA2 and WPA3 are the encryption standards that lock your Wi-Fi so outsiders can't read your traffic or join your network. WPA3 is the newer, stronger one — use it if your router and devices support it. If some of your gear is too old for WPA3, run WPA2/WPA3 mixed mode, which lets new devices use WPA3 while older ones fall back to WPA2. The one rule that matters most: never run WEP or open (no-password) Wi-Fi, and avoid plain WPA — those are broken.

A quick history: WEP, WPA, WPA2, WPA3

Wi-Fi security has gone through four generations, each fixing the failures of the last:

  • WEP (1999). The original. Cracked years ago — its keys can be recovered in minutes with free tools. Treat WEP as no security at all.
  • WPA (2003). A stopgap to patch WEP's worst flaws. Better, but also long since broken and deprecated.
  • WPA2 (2004). The long-standing standard, using strong AES encryption. Still considered safe for home use with a good password, though it has known weaknesses.
  • WPA3 (2018). The current standard. It closes WPA2's gaps and makes guessing passwords and decrypting captured traffic dramatically harder.

Why WPA3 is safer

WPA3 isn't a small tweak — it changes how devices prove they know the password. Two improvements stand out:

  • SAE (Simultaneous Authentication of Equals). This replaces WPA2's handshake with one that resists offline password guessing. With WPA2, an attacker could capture the handshake and then try millions of passwords at leisure; SAE blocks that, so a weak password is far harder to crack.
  • Forward secrecy. Each session uses fresh keys, so even if an attacker records your encrypted traffic today and later learns the password, they still can't decrypt what they captured. WPA2 lacked this — recover the key and old traffic was readable.

The practical upshot: WPA3 protects you better even if your password isn't perfect, and it protects past traffic from future compromise.

WPA2/WPA3 mixed mode

Most routers offer a "WPA2/WPA3" or "WPA3 Transition" mode. It advertises both standards on the same network: WPA3-capable phones and laptops connect with WPA3, while older devices that only speak WPA2 still get on. This is the right default for a typical home with a mix of new and old gear — you get WPA3's protection where it's available without locking anything out. Only switch to WPA3-only once you're certain every device supports it, since WPA3-only will refuse older hardware.

Guest networks

A guest network is a separate Wi-Fi name that keeps visitors — and untrusted smart-home gadgets — off your main network and away from your computers, printers, and files. Give it its own password, enable client isolation if your router offers it, and you can hand out the guest password freely without exposing anything important. It's one of the easiest security wins available and worth turning on even at home for cheap IoT devices you don't fully trust.

How to set it in your router

  1. Open a browser and go to your router's address — often 192.168.1.1 or 192.168.0.1 — and sign in.
  2. Open Wireless or Wi-Fi Security settings.
  3. Set the security mode to WPA3-Personal, or WPA2/WPA3 mixed if you have older devices.
  4. Use a strong passphrase — at least 12 characters, not a dictionary word.
  5. Save and apply. Devices will reconnect; you may need to re-enter the password on each.
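
To confirm which mode the router actually advertises after step 5, this added example (not part of the original page) classifies networks into the generations listed above from text in the layout that Linux `iw dev <iface> scan` prints. The sample scan, its SSIDs and the function names are constructed for illustration, and only the personal (passphrase) modes this page covers are distinguished.

```python
import re

# Constructed sample, trimmed, in the layout printed by `iw dev <iface> scan`.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tSSID: home-mixed
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK SAE
BSS 02:00:00:00:00:02(on wlan0)
\tSSID: old-printer-net
\tcapability: ESS Privacy (0x0011)
BSS 02:00:00:00:00:03(on wlan0)
\tSSID: legacy-wpa
\tcapability: ESS Privacy (0x0011)
\tWPA:\t * Version: 1
\t\t * Authentication suites: PSK
"""

def classify(block):
    """Map one BSS block to the Wi-Fi security generation it advertises."""
    section, akms = None, {"RSN": set(), "WPA": set()}
    for line in block.splitlines():
        head = re.match(r"\s*(RSN|WPA):", line)
        section = head.group(1) if head else section
        m = re.search(r"Authentication suites:\s*(.+)", line)
        if m and section:
            akms[section].update(m.group(1).split())
    rsn = akms["RSN"]
    if "SAE" in rsn:  # SAE is the WPA3-Personal handshake
        return "WPA2/WPA3 mixed" if "PSK" in rsn else "WPA3"
    if rsn:  # RSN element without SAE: WPA2 (enterprise AKMs also land here)
        return "WPA2"
    if akms["WPA"]:  # only the pre-RSN WPA element is advertised
        return "WPA (deprecated)"
    cap = re.search(r"capability:(.*)", block)
    return "WEP (broken)" if cap and "Privacy" in cap.group(1) else "open"

def audit(scan_text):
    """Return {SSID: classification} for every BSS in the scan output."""
    result = {}
    for block in re.split(r"(?m)^BSS ", scan_text)[1:]:
        ssid = re.search(r"SSID: (.*)", block)
        result[ssid.group(1) if ssid else "<hidden>"] = classify(block)
    return result

if __name__ == "__main__":
    for name, mode in audit(SAMPLE_SCAN).items():
        print(f"{name:18} {mode}")
```

Anything reported as WEP, WPA or open is a network to reconfigure or retire; "WPA2/WPA3 mixed" is the transition mode described above.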

What to do about old devices

If switching to WPA3 knocks an older printer, smart plug, or streaming stick offline, you have a few options. First, use mixed mode so the old device can stay on WPA2 while everything else upgrades. Second, check the device maker for a firmware update that adds WPA3. Third, move legacy IoT gadgets to the guest network so they're isolated even on the weaker standard. As a last resort, keeping one device on WPA2 in mixed mode is far safer than dropping the whole network back to WPA2-only — and worlds better than WEP or no password.

Confirm everything still connects

After changing security modes, make sure your link is healthy. Our free speed test confirms throughput is back to normal, and the ping test checks for drops — right in your browser, no install.

Stop guessing — is it the network or your machine?

A device that won't connect after a security change can look like a hardware fault. Acutis Go runs a 60-second check and tells you plainly whether the fault is your Wi-Fi/network or the device itself, so you fix the right thing the first time. Free, no account to try.
