Menu
What's new
By:
Filters Better Search

WPA2 Shared Secret Rotation: How to avoid downtime?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

tonymet

tonymet

Occasional Visitor
Let's assume you like to rotate your WPA2 shared secret (SSID passphrase) once a year. How do you do it without downtime and with minimal fuss? Is it possible to do it without changing SSID?

Here's how I do it:

  1. Start with existing SSID `wireless-net`
  2. Add new virtual SSID `wireless-net-A` with new shared secret.
  3. one by one update each client to the new SSID + shared secret
  4. once empty, disable `wireless-net`

The two big downsides are : (1) updating clients 1-by-1 and (2) losing SSID name . Also, some routers do not support virtual SSID

Any better approach?
 
Sure..don't change it. There is no reason to change your SSID or passphrase unless your network has been hacked. It is possible to hack a WPA2 WIFI (WPA is much easier) but someone really would need to want to access your WIFI.
 
bbunge said:
Sure..don't change it. There is no reason to change your SSID or passphrase unless your network has been hacked. It is possible to hack a WPA2 WIFI (WPA is much easier) but someone really would need to want to access your WIFI.
Click to expand...
Why is this shared secret exceptional ?
 
tonymet said:
Why is this shared secret exceptional ?
Click to expand...

For one thing, it's useless to anyone more than ~100 yards away from you. That cuts the population of potential hackers quite a lot.

If you have reason to distrust your nearest neighbors, you should probably be rotating passwords, and maybe more often than yearly. Otherwise, there are better things to do with your time (hint: like hardening anything that's exposed to the wider internet).

EDIT: one thing I would recommend, if your devices allow it, is to update to WPA3 security. By all reports that offers a meaningful improvement in password protection. If you have a mix of older and newer devices, it might be worth segregating the not-WPA3-capable devices onto their own SSID and VLAN. I just finished making that conversion locally, and I'm happier now that I don't have to trust my IoT devices as much.
 
bbunge said:
Sure..don't change it. There is no reason to change your SSID or passphrase unless your network has been hacked. It is possible to hack a WPA2 WIFI (WPA is much easier) but someone really would need to want to access your WIFI.
Click to expand...

Pretty much - I'm not seeing a reason these days to run a WPA/WPA2 mixed mode network...

WPA2 is generally sufficient - using a proper password/passphrase is always a good thing, and key rotation of 3600 seconds/1 hour is still more than enough. If clients permit, moving over to WPA2/3 is a good thing - there are benefits there, and PMF adds a bit more..

That being said, if one wants to rotate passwords on an as needed basis - nothing wrong with that except for the admin overhead of updating every client out there...
 
sfx2000 said:
Pretty much - I'm not seeing a reason these days to run a WPA/WPA2 mixed mode network...

WPA2 is generally sufficient - using a proper password/passphrase is always a good thing, and key rotation of 3600 seconds/1 hour is still more than enough. If clients permit, moving over to WPA2/3 is a good thing - there are benefits there, and PMF adds a bit more..

That being said, if one wants to rotate passwords on an as needed basis - nothing wrong with that except for the admin overhead of updating every client out there...
Click to expand...
Just to bring us back on topic. What are the best practices for shared secret rotation. that's the point--how to reduce admin overhead.
 
tgl said:
For one thing, it's useless to anyone more than ~100 yards away from you. That cuts the population of potential hackers quite a lot.

If you have reason to distrust your nearest neighbors, you should probably be rotating passwords, and maybe more often than yearly. Otherwise, there are better things to do with your time (hint: like hardening anything that's exposed to the wider internet).

EDIT: one thing I would recommend, if your devices allow it, is to update to WPA3 security. By all reports that offers a meaningful improvement in password protection. If you have a mix of older and newer devices, it might be worth segregating the not-WPA3-capable devices onto their own SSID and VLAN. I just finished making that conversion locally, and I'm happier now that I don't have to trust my IoT devices as much.
Click to expand...
In reading this it goes against most of the conventional wisdom of secret management. Regardless, let's just assume the goal is to rotate the shared secret (the point of the topic). Any suggestions?
 
tonymet said:
Just to bring us back on topic. What are the best practices for shared secret rotation. that's the point--how to reduce admin overhead.
Click to expand...
tonymet said:
In reading this it goes against most of the conventional wisdom of secret management. Regardless, let's just assume the goal is to rotate the shared secret (the point of the topic). Any suggestions?
Click to expand...
There is no "best practice" because it would depend entirely of the risk assessment of each use case. For example, if you were providing Wi-Fi for a large office you might change the passwords weekly or monthly, plus every time an employee left. On the other hand if you're running a home Wi-Fi that only you and your wife ever connect to, and there aren't any malicious neighbours in Wi-Fi range then you might not ever change the password. Personally, I'm in the latter category.
 
tonymet said:
Just to bring us back on topic. What are the best practices for shared secret rotation. that's the point--how to reduce admin overhead.
Click to expand...
The only thing that comes to mind is that Apple devices have this feature called "configuration profiles" whereby you can centrally manage stuff like SSID secrets. Probably Android can do something similar. I don't know much about these, and particularly not how seamless an update is. But you could go research it, because I think the whole point is to manage enterprise-grade wireless security requirements.
 
Not needed even on my business network. Unauthorized devices can't connect, wired or wireless.
 
ColinTaylor said:
There is no "best practice" because it would depend entirely of the risk assessment of each use case. For example, if you were providing Wi-Fi for a large office you might change the passwords weekly or monthly, plus every time an employee left. On the other hand if you're running a home Wi-Fi that only you and your wife ever connect to, and there aren't any malicious neighbours in Wi-Fi range then you might not ever change the password. Personally, I'm in the latter category.
Click to expand...
Again, let's just assume we've already decided on that. The point of this topic is to discuss how we would go about rotating the shared secret. Do you have any helpful thoughts on that?
 
tgl said:
The only thing that comes to mind is that Apple devices have this feature called "configuration profiles" whereby you can centrally manage stuff like SSID secrets. Probably Android can do something similar. I don't know much about these, and particularly not how seamless an update is. But you could go research it, because I think the whole point is to manage enterprise-grade wireless security requirements.
Click to expand...
this is a great tip i'll see if these configuration profiles provide a way to rotate SSIDs e.g. "if SSID-A then use it, else use SSID-B". great tip!
 
tonymet said:
Again, let's just assume we've already decided on that. The point of this topic is to discuss how we would go about rotating the shared secret. Do you have any helpful thoughts on that?
Click to expand...
As you're talking specifically about changing PSKs stored on the clients it probably comes down to what options you have available to you for those clients. Similar to the previous post, Windows allows you to have multiple Wi-Fi profiles so if one SSID went offline it would try to connect to another SSID that it already has credentials for. Of course you wouldn't want this "backup" SSID configured permanently but it would mean that you could update the clients' "main" SSID password at your leisure rather than having to big-bang it. It also might not help with non-Windows devices.
 
Why change the SSID, just change the password and send out an email with the new password.

You can schedule it like Friday at 5:00pm or 7:00 to reduce down time. How about 7:00am Monday morning.

It seems like less fuss than changing the SSID.

I am using WAP2/WAP3 on my Cisco wireless Wi-Fi6 APs.
 
Last edited:
You must log in or register to reply here.

Similar threads

J
Tutorial Guest Wifi random password + QR code generator for display on smart TV
Replies
10
Views
5K
joomlafab
J
T
Input on ways to implement IOT network
Replies
3
Views
3K
nikr
N
daviworld
  • Poll
RT-AC5300 Performance & Security Guide
2 3 4
Replies
71
Views
82K
L&LD
L&LD
I
How to build a spectacularly fast network and server for small engineering dept.
2
Replies
35
Views
21K
coxhaus
C
S
Test results, HomePlug 'round the house
Replies
4
Views
14K
stevech
S

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 696 (members: 22, guests: 674)
Top