WPA2 Shared Secret Rotation: How to avoid downtime?

tonymet

Occasional Visitor
Let's assume you like to rotate your WPA2 shared secret (SSID passphrase) once a year. How do you do it without downtime and with minimal fuss? Is it possible to do it without changing SSID?

Here's how I do it:

  1. Start with existing SSID `wireless-net`
  2. Add new virtual SSID `wireless-net-A` with new shared secret.
  3. one by one update each client to the new SSID + shared secret
  4. once empty, disable `wireless-net`

The two big downsides are: (1) updating clients 1-by-1 and (2) losing the SSID name. Also, some routers do not support virtual SSIDs.

Any better approach?
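The staged rotation described in the post above, as an added worked example (not code from the original post): it derives the WPA2 PMK to show why the SSID name can stay the same, generates a replacement passphrase, and tracks which clients have actually moved so the old SSID is retired only when that is safe. The MAC addresses and station-list snapshots are constructed; the router's client list is assumed to be exported by hand from its admin page, or with `iw dev wlan0 station dump` on a Linux AP.

```python
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass, field

PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "-_.:"


def new_passphrase(length: int = 20) -> str:
    """Random WPA2-Personal passphrase (802.11 allows 8..63 printable ASCII chars)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """PMK for WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is only the salt: keeping the name and changing the passphrase gives
    an unrelated PMK, so a rotation does not need a new SSID to be effective.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


@dataclass
class RotationPlan:
    """Tracks a staged cutover: old_ssid keeps serving while clients move to new_ssid."""

    old_ssid: str
    new_ssid: str
    expected: set[str]                                 # MACs that must end up on new_ssid
    seen_on_new: set[str] = field(default_factory=set)
    last_on_old: set[str] = field(default_factory=set)

    def observe(self, ssid: str, macs) -> None:
        """Record one snapshot of the stations associated with one BSS."""
        macs = {m.lower() for m in macs}
        if ssid == self.new_ssid:
            self.seen_on_new |= macs          # cumulative: a client seen once has the new key
        elif ssid == self.old_ssid:
            self.last_on_old = macs           # only the latest snapshot of the old BSS matters
        else:
            raise ValueError(f"unknown SSID {ssid!r}")

    def pending(self) -> set[str]:
        """Known clients never yet seen on the new SSID (includes ones currently asleep)."""
        return self.expected - self.seen_on_new

    def can_retire_old(self) -> tuple[bool, str]:
        """Disable the old BSS only when it is empty AND nothing is pending.

        An empty old BSS alone is not proof: a battery-powered IoT device that is
        asleep would come back with the old passphrase and be locked out.
        """
        if self.last_on_old:
            return False, f"still associated with {self.old_ssid}: {sorted(self.last_on_old)}"
        if self.pending():
            return False, f"never seen on {self.new_ssid}: {sorted(self.pending())}"
        return True, f"all known clients seen on {self.new_ssid}; {self.old_ssid} is empty"


def demo() -> tuple[bool, str]:
    """Constructed snapshots of a router client list taken over a few days."""
    plan = RotationPlan(
        old_ssid="wireless-net",
        new_ssid="wireless-net-A",
        expected={"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"},
    )
    plan.observe("wireless-net", ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:03"])
    plan.observe("wireless-net-A", ["AA:BB:CC:00:00:01"])
    plan.observe("wireless-net", ["AA:BB:CC:00:00:02"])      # :03 has gone quiet, not migrated
    plan.observe("wireless-net-A", ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"])
    plan.observe("wireless-net", [])                          # old BSS looks empty now...
    return plan.can_retire_old()                              # ...but :03 still blocks the cutover


if __name__ == "__main__":
    print("new passphrase:", new_passphrase())
    print("PMK(IEEE, password):", derive_pmk("IEEE", "password").hex())
    print(demo())
```

The `expected` set is the part that costs effort: it has to be built from the router's client list before the rotation starts, over a long enough window to catch devices that only wake up occasionally. The "old BSS is empty" check on its own is exactly the step 4 trap of the procedure above.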
 
Sure... don't change it. There is no reason to change your SSID or passphrase unless your network has been hacked. It is possible to hack a WPA2 Wi-Fi (WPA is much easier), but someone really would need to want to access your Wi-Fi.
 
Why is this shared secret exceptional?
 
For one thing, it's useless to anyone more than ~100 yards away from you. That cuts the population of potential hackers quite a lot.

If you have reason to distrust your nearest neighbors, you should probably be rotating passwords, and maybe more often than yearly. Otherwise, there are better things to do with your time (hint: like hardening anything that's exposed to the wider internet).

EDIT: one thing I would recommend, if your devices allow it, is to update to WPA3 security. By all reports that offers a meaningful improvement in password protection. If you have a mix of older and newer devices, it might be worth segregating the not-WPA3-capable devices onto their own SSID and VLAN. I just finished making that conversion locally, and I'm happier now that I don't have to trust my IoT devices as much.
 
Pretty much - I'm not seeing a reason these days to run a WPA/WPA2 mixed mode network...

WPA2 is generally sufficient - using a proper password/passphrase is always a good thing, and key rotation of 3600 seconds/1 hour is still more than enough. If clients permit, moving over to WPA2/3 is a good thing - there are benefits there, and PMF adds a bit more..

That being said, if one wants to rotate passwords on an as needed basis - nothing wrong with that except for the admin overhead of updating every client out there...
 
Just to bring us back on topic: what are the best practices for shared secret rotation? That's the point: how to reduce admin overhead.
 
In reading this it goes against most of the conventional wisdom of secret management. Regardless, let's just assume the goal is to rotate the shared secret (the point of the topic). Any suggestions?
 
There is no "best practice" because it would depend entirely on the risk assessment of each use case. For example, if you were providing Wi-Fi for a large office you might change the passwords weekly or monthly, plus every time an employee left. On the other hand, if you're running a home Wi-Fi that only you and your wife ever connect to, and there aren't any malicious neighbours in Wi-Fi range, then you might not ever change the password. Personally, I'm in the latter category.
 
The only thing that comes to mind is that Apple devices have this feature called "configuration profiles" whereby you can centrally manage stuff like SSID secrets. Probably Android can do something similar. I don't know much about these, and particularly not how seamless an update is. But you could go research it, because I think the whole point is to manage enterprise-grade wireless security requirements.
 
Not needed even on my business network. Unauthorized devices can't connect, wired or wireless.
 
Again, let's just assume we've already decided on that. The point of this topic is to discuss how we would go about rotating the shared secret. Do you have any helpful thoughts on that?
 
This is a great tip. I'll see if these configuration profiles provide a way to rotate SSIDs, e.g. "if SSID-A then use it, else use SSID-B". Great tip!
 
As you're talking specifically about changing PSKs stored on the clients it probably comes down to what options you have available to you for those clients. Similar to the previous post, Windows allows you to have multiple Wi-Fi profiles so if one SSID went offline it would try to connect to another SSID that it already has credentials for. Of course you wouldn't want this "backup" SSID configured permanently but it would mean that you could update the clients' "main" SSID password at your leisure rather than having to big-bang it. It also might not help with non-Windows devices.
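The centrally managed client profiles mentioned in the two posts above (Apple configuration profiles, and Windows Wi-Fi profiles imported with netsh), as an added example that is not code from either poster: a generator for an Apple .mobileconfig and a Windows WLAN profile XML that carry the rotated passphrase, so the client side of the rotation is a file push rather than a visit to each device. The organisation identifier, the display names and the sample SSID/passphrase are assumed values.

```python
from __future__ import annotations

import plistlib
import uuid
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"


def check_passphrase(passphrase: str) -> str:
    """WPA2-Personal passphrase rule from 802.11: 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return passphrase


def build_mobileconfig(ssid: str, passphrase: str, org: str = "org.example") -> bytes:
    """Apple configuration profile with one com.apple.wifi.managed payload.

    AutoJoin makes the device connect without prompting once the profile is
    installed. `org` and the identifiers derived from it are assumed values.
    """
    check_passphrase(passphrase)
    ident = f"{org}.wifi.{ssid}"
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ident}.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "Password": passphrase,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid} (rotated passphrase)",
        "PayloadOrganization": org,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def build_windows_profile(ssid: str, passphrase: str) -> str:
    """Windows WLAN profile XML (WPA2-PSK/AES) for `netsh wlan add profile`."""
    check_passphrase(passphrase)
    ET.register_namespace("", WLAN_NS)

    def sub(parent: ET.Element, tag: str, text: str | None = None) -> ET.Element:
        el = ET.SubElement(parent, f"{{{WLAN_NS}}}{tag}")
        if text is not None:
            el.text = text            # ElementTree escapes &, < and > for us
        return el

    root = ET.Element(f"{{{WLAN_NS}}}WLANProfile")
    sub(root, "name", ssid)           # profile name = SSID, matching what Windows exports
    sub(sub(sub(root, "SSIDConfig"), "SSID"), "name", ssid)
    sub(root, "connectionType", "ESS")
    sub(root, "connectionMode", "auto")
    security = sub(sub(root, "MSM"), "security")
    auth = sub(security, "authEncryption")
    sub(auth, "authentication", "WPA2PSK")
    sub(auth, "encryption", "AES")
    sub(auth, "useOneX", "false")
    key = sub(security, "sharedKey")
    sub(key, "keyType", "passPhrase")
    sub(key, "protected", "false")    # plaintext key in the file: handle it as a secret
    sub(key, "keyMaterial", passphrase)
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def build_profiles(ssid: str, passphrase: str) -> dict[str, bytes]:
    """Both profile files for one SSID/passphrase, keyed by a suggested filename."""
    return {
        f"{ssid}.mobileconfig": build_mobileconfig(ssid, passphrase),
        f"{ssid}.xml": build_windows_profile(ssid, passphrase).encode(),
    }


if __name__ == "__main__":
    # constructed sample values, not a real network
    for name, data in build_profiles("wireless-net", "correct-horse-battery-2024").items():
        print(f"--- {name} ({len(data)} bytes) ---")
        print(data.decode())
```

Import on Windows with `netsh wlan add profile filename="wireless-net.xml" user=all` and remove a stale entry with `netsh wlan delete profile name="wireless-net"`; on Apple devices push the .mobileconfig through an MDM or open it and approve it. Both files hold the passphrase in the clear, so distribute them over a channel you would trust with the passphrase itself and delete them after import. With the two-SSID approach from the first post, generate the profile for the temporary SSID and clients can be staged ahead of time; with a single SSID, import at cutover, because a client that already holds the new key cannot associate until the router has it too.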
 
Why change the SSID, just change the password and send out an email with the new password.

You can schedule it like Friday at 5:00pm or 7:00 to reduce downtime. How about 7:00am Monday morning.

It seems like less fuss than changing the SSID.

I am using WPA2/WPA3 on my Cisco wireless Wi-Fi 6 APs.
 