Not sure if this is a hot take, but: I believe most WiFi passwords serve no meaningful purpose and are actively harmful to security.

You all know how this works. You're in a hotel, at a conference, in a restaurant, etc., and you want to connect to the WiFi. There's probably a sign somewhere with the password.

First of all, it's annoying that you have to figure out where to find it, ask around if anyone knows it.
🧵

What security goal does that password serve? I'd say, there's no reasonable "threat" you're defending against.

The password is freely shared.

Yeah, you're "protecting" your WiFi from being used by a random stranger sitting somewhere close enough to use it, but not a guest of your facility/event/... - but is that really something worth protecting against?

But why actively harmful?

You're conditioning people not to treat a "password" like a secret. If you missed the sign at the entrance, you'll ask the next person for the WiFi password. And, of course, they'll usually give it to you.

That's obviously not how you should treat passwords.

We call a thing a "password" if it serves a security purpose, locks access to something that's for you, not for random other people. We probably shouldn't call things "passwords" that aren't like that.

@hanno Technically it's a pre-shared key, no? I think that terminology much better describes what it does, but yeah, nobody is using it.

And I believe using a PSK serves a very simple but effective purpose: if you're using an unencrypted WiFi, your clients may expose the SSID in their probe requests, making it very easy to create an ad-hoc fake AP for any of the unencrypted networks in their list.

@hanno But that doesn't solve the issue that popular networks like WiFIonICE have, PSK or not: half the people in Germany likely have it saved on their phone and are prone to fake APs...
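As an added example (not code from anyone in this thread), here is a small audit of saved WiFi profiles in NetworkManager's keyfile format that flags the networks the replies above worry about: open (no WPA) networks a client would rejoin automatically, plus hidden SSIDs, which the client probes for by name. The keyfile contents are constructed samples; the WIFIonICE entry is illustrative, and the path and format assumptions are those of NetworkManager's system-connections directory.

```python
import configparser
from typing import Dict, List

# Constructed sample keyfiles in NetworkManager's INI-style format (one
# connection per file, normally under /etc/NetworkManager/system-connections/).
SAMPLE_KEYFILES: Dict[str, str] = {
    "WIFIonICE.nmconnection": "[connection]\nid=WIFIonICE\ntype=wifi\n"
                              "[wifi]\nssid=WIFIonICE\nmode=infrastructure\n",
    "hotel.nmconnection": "[connection]\nid=hotel\ntype=wifi\nautoconnect=false\n"
                          "[wifi]\nssid=HotelGuest\nhidden=true\n",
    "home.nmconnection": "[connection]\nid=home\ntype=wifi\n"
                         "[wifi]\nssid=HomeNet\n"
                         "[wifi-security]\nkey-mgmt=wpa-psk\npsk=example-psk\n",
}


def audit_keyfile(text: str) -> Dict[str, object]:
    """Summarise one keyfile: SSID, whether it is open, auto-connects, is hidden."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["wifi-security"] if cp.has_section("wifi-security") else None
    # No [wifi-security] section means an open network; key-mgmt=none is legacy WEP.
    is_open = sec is None or sec.get("key-mgmt", "none") == "none"
    return {
        "wifi": cp.get("connection", "type", fallback="") == "wifi",
        "ssid": cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?")),
        "open": is_open,
        # NetworkManager auto-connects unless the profile says otherwise.
        "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
        # A hidden SSID is actively probed by name, so the client broadcasts it.
        "hidden": cp.getboolean("wifi", "hidden", fallback=False),
    }


def risky_profiles(keyfiles: Dict[str, str]) -> List[str]:
    """SSIDs of saved open networks the client would join automatically."""
    found = []
    for text in keyfiles.values():
        a = audit_keyfile(text)
        if a["wifi"] and a["open"] and a["autoconnect"]:
            found.append(str(a["ssid"]))
    return sorted(found)


if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_KEYFILES):
        print(f"open + autoconnect: {ssid} (remove it or disable autoconnect)")
    for name, text in SAMPLE_KEYFILES.items():
        if audit_keyfile(text)["hidden"]:
            print(f"hidden SSID in {name}: client will probe for it by name")
```

On a real system, read each file from the system-connections directory (root is needed, since the files hold PSKs) and feed its contents to `audit_keyfile` in place of the constructed samples.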