Fading Coder

An Old Coder’s Final Dance


Strengthening WPA/WPA2 Wi‑Fi Security on macOS


This article does not provide instructions for breaking into networks. It focuses on understanding WPA/WPA2 at a high level and hardening Wi‑Fi you own or are authorized to test.

Survey nearby networks with macOS tools

macOS includes Wireless Diagnostics, which is useful for troubleshooting your own Wi‑Fi and understanding the radio environment:

  • Hold Option (Alt) and click the Wi‑Fi icon in the menu bar
  • Select "Open Wireless Diagnostics…"
  • From the Window menu, choose "Scan" to view nearby SSIDs, BSSIDs, channels, and security modes

Use this view to verify that your access point is using WPA2 or WPA3 and to pick a less congested channel.

How WPA/WPA2 authentication works (brief overview)

  • Personal (PSK): Clients and the access point share a passphrase. The passphrase is transformed into a key (via PBKDF2) that protects the 4‑way handshake used to establish encryption keys.
  • Enterprise (802.1X/EAP): Authentication is performed against a RADIUS server, often with certificates (EAP‑TLS) or user credentials, producing per‑session keys.

In both modes, data confidentiality is provided by CCMP (AES). TKIP is legacy and should be disabled.
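As an added illustration (not code from this article), here is the PSK step described above in Python's standard library: WPA/WPA2‑Personal derives the 256‑bit Pairwise Master Key as PBKDF2‑HMAC‑SHA1 over the passphrase, with the SSID as salt, 4096 iterations and a 32‑byte output. The passphrase "password" with SSID "IEEE" is the test vector published in the 802.11 standard's annex. Because the SSID is the salt, the same passphrase yields a different PMK on every SSID, which is one reason to use a unique SSID rather than a vendor default.

```python
import hashlib
import time

PBKDF2_ROUNDS = 4096   # iteration count fixed by the WPA/WPA2-Personal specification
PMK_LEN = 32           # 256-bit Pairwise Master Key


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK used by WPA/WPA2-Personal:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ROUNDS, dklen=PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa2_pmk(passphrase, ssid).hex()


def derivation_ms(passphrase: str, ssid: str, rounds: int = 20) -> float:
    """Average wall-clock time of one derivation, in milliseconds.
    PBKDF2 is deliberately slow, but 4096 rounds of SHA-1 is cheap on modern
    hardware, so the passphrase's own entropy is what actually protects the key."""
    start = time.perf_counter()
    for _ in range(rounds):
        wpa2_pmk(passphrase, ssid)
    return (time.perf_counter() - start) / rounds * 1000


if __name__ == "__main__":
    # Test vector from the 802.11 standard's PSK derivation annex
    print(pmk_hex("password", "IEEE"))
    # Same passphrase, different SSID: an entirely different PMK
    print(pmk_hex("password", "MyHomeNet"))
    print(f"{derivation_ms('password', 'IEEE'):.2f} ms per derivation")
```

Run it and compare the first line against the standard's published value; the timing line gives a feel for how little work one derivation costs on your machine.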

Why passphrase quality matters

WPA/WPA2‑PSK can be attacked offline if an adversary captures a valid 4‑way handshake for the target network. Defenders should assume attackers can attempt large numbers of guesses against that capture. Long, random passphrases resist such guessing; short or patterned passwords do not.

Aim for at least 16–24 characters of high‑entropy randomness or a long multi‑word phrase sourced from a large wordlist.

Create strong Wi‑Fi keys

Below are two examples that generate strong, user‑managed passphrases for networks you own.

Generate a random 32‑character passphrase

import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

def random_passphrase(length=32):
    # Drop characters that are easy to misread when typing the key by hand
    # (quotes, backslash, backtick, and the I/l/1/O/0 look-alikes)
    avoid = set("`'\"\\Il1O0")
    chars = [c for c in ALPHABET if c not in avoid]
    # secrets.choice draws from the OS CSPRNG; never use random.choice for keys
    return ''.join(secrets.choice(chars) for _ in range(length))

print(random_passphrase())

Use the router’s admin UI to set the generated value as the WPA2/WPA3 password. Store it in a secure password manager.

Generate a long passphrase from words

import secrets

# Minimal example list; replace with a large wordlist (e.g., 7,000+ unique words)
WORDLIST = [
    'planet','matrix','orchid','cipher','legend','quartz','harbor','nebula','ember','vertex',
    'cobalt','falcon','saturn','glacier','signal','onyx','aurora','vector','pebble','horizon'
]

def word_passphrase(words=7, sep='-'):
    # Each word adds log2(len(WORDLIST)) bits, so list size matters as much as word count
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))

print(word_passphrase())

Pick 6–8 words from a large, unbiased list to reach strong entropy. Do not personalize with names, birthdays, or addresses.
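To make the guidance in this section and in "Why passphrase quality matters" concrete, the following added example (not code from this article) scores a candidate passphrase the way a defender would: a string of lowercase words joined by a separator is rated by word count against an assumed wordlist size, anything else by length against the character classes it uses, and the result is compared with the article's minimums (16 random characters or 6 words). The wordlist size (7776), the guess rate (100,000 PBKDF2 guesses per second) and the thresholds are assumptions for illustration. Both estimates assume the passphrase was generated randomly; a human‑chosen string is overrated by them.

```python
import math
import re
import string

# Thresholds taken from this article's guidance (assumed policy, not a standard)
MIN_RANDOM_CHARS = 16
MIN_WORDS = 6
DEFAULT_WORDLIST_SIZE = 7776      # assumption: a diceware-sized list (6^5 words)
ASSUMED_GUESS_RATE = 1e5          # assumption: offline PBKDF2 guesses per second
SEPARATORS = r"[-_ .]"


def charset_size(passphrase: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)   # the 32 ASCII symbols
    return size


def entropy_bits(passphrase: str, wordlist_size: int = DEFAULT_WORDLIST_SIZE):
    """Return (bits, kind): word-style passphrases are scored as uniform draws
    from the wordlist, everything else as uniform draws from its alphabet."""
    words = re.split(SEPARATORS, passphrase)
    if len(words) >= 2 and all(re.fullmatch(r"[a-z]+", w) for w in words):
        return len(words) * math.log2(wordlist_size), "words"
    size = charset_size(passphrase)
    if not passphrase or size == 0:
        return 0.0, "random"
    return len(passphrase) * math.log2(size), "random"


def assess(passphrase: str, wordlist_size: int = DEFAULT_WORDLIST_SIZE,
           guess_rate: float = ASSUMED_GUESS_RATE) -> dict:
    bits, kind = entropy_bits(passphrase, wordlist_size)
    units = len(re.split(SEPARATORS, passphrase)) if kind == "words" else len(passphrase)
    minimum = MIN_WORDS if kind == "words" else MIN_RANDOM_CHARS
    # Expected work is half the keyspace; convert to years at the assumed rate
    expected_years = (2 ** bits / 2) / guess_rate / (365.25 * 86400)
    return {
        "kind": kind,
        "bits": round(bits, 1),
        "expected_years_to_guess": expected_years,
        "meets_guidance": units >= minimum,
    }


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "planet-matrix",
                      "planet-matrix-orchid-cipher-legend-quartz",
                      "kV7#pQ9@mL2!nX4%wZ8&rT6*yU1(jH5)"):
        print(candidate, assess(candidate))
```

The interesting comparison is the second and third candidates: the same kind of passphrase, but two words fall far short while six clear the bar, which is exactly the "6–8 words" point above.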

Configure your access point securely

  • Security mode
    • Prefer WPA3‑Personal (SAE) where all clients support it
    • Use WPA2‑Personal (AES/CCMP) otherwise; disable TKIP
    • For business/education, prefer WPA2‑Enterprise or WPA3‑Enterprise with EAP‑TLS certificates
  • Password policy
    • Use a high‑entropy passphrase (random or long multi‑word)
    • Change the default admin password on the router and store it in a password manager
  • Disable WPS
    • Turn off Wi‑Fi Protected Setup (PIN/button) to prevent trivial compromises
  • Management frame protection
    • Enable 802.11w (MFP/PMF) if supported to reduce deauthentication/disassociation abuse
  • SSID hygiene
    • Use a unique SSID; avoid router‑brand defaults
    • Hiding the SSID does not add real security; leave broadcast on for normal operation
  • Channel planning
    • 2.4 GHz: use channels 1, 6, or 11 only
    • Prefer 5 GHz or 6 GHz bands for less interference and higher throughput
  • Firmware and features
    • Keep router firmware updated
    • Disable legacy protocols (WEP, WPA, TKIP)
    • Segment IoT/guest devices onto separate SSIDs/VLANs with client isolation, if available
  • Monitoring
    • Periodically review connected clients
    • Enable logs and alerts for new device associations or repeated authentication failures
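The "Monitoring" bullets can be turned into a small detector. The following is an added example, not code from this article: it reads access‑point log lines in a simplified, assumed syslog‑like layout (real router formats differ, so the regex is the part you adapt), alerts once when a client not on your device inventory associates, and alerts when one client accumulates a burst of authentication failures inside a short window. The log lines, MAC addresses and device inventory are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ts> <host> <iface>: STA <mac> <event>" layout
SAMPLE_LOG = """\
2024-05-01T08:00:01 ap1 wlan0: STA 3c:22:fb:00:00:01 associated
2024-05-01T08:00:05 ap1 wlan0: STA 3c:22:fb:00:00:02 associated
2024-05-01T08:01:10 ap1 wlan0: STA de:ad:be:ef:00:01 auth-failure
2024-05-01T08:01:12 ap1 wlan0: STA de:ad:be:ef:00:01 auth-failure
2024-05-01T08:01:15 ap1 wlan0: STA de:ad:be:ef:00:01 auth-failure
2024-05-01T08:01:20 ap1 wlan0: STA de:ad:be:ef:00:01 auth-failure
2024-05-01T08:01:25 ap1 wlan0: STA de:ad:be:ef:00:01 auth-failure
2024-05-01T08:30:00 ap1 wlan0: STA 3c:22:fb:00:00:03 associated
2024-05-01T09:00:00 ap1 wlan0: STA 3c:22:fb:00:00:01 auth-failure
2024-05-01T09:20:00 ap1 wlan0: STA 3c:22:fb:00:00:01 auth-failure
"""

# Constructed inventory of devices you expect on the network
KNOWN_DEVICES = {"3c:22:fb:00:00:01": "laptop", "3c:22:fb:00:00:02": "phone"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<iface>\S+): STA (?P<mac>[0-9a-f:]{17}) (?P<event>\S+)$"
)


def analyze(log_text: str, known=KNOWN_DEVICES, fail_threshold: int = 5,
            window: timedelta = timedelta(minutes=2)):
    """Return (timestamp, alert_type, mac) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # per-MAC timestamps of recent auth failures
    announced = set()               # unknown devices already reported once
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated line; adapt LINE_RE for your AP's format
        ts = datetime.fromisoformat(m["ts"])
        mac, event = m["mac"].lower(), m["event"]
        if event == "associated" and mac not in known and mac not in announced:
            announced.add(mac)
            alerts.append((ts, "new-device", mac))
        elif event == "auth-failure":
            recent = failures[mac]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) == fail_threshold:            # fire once on crossing
                alerts.append((ts, "auth-failure-burst", mac))
    return alerts


if __name__ == "__main__":
    for ts, kind, mac in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} {mac}")
```

Two failures forty minutes apart from a known laptop do not trigger anything, which is the point of the window: a mistyped key looks nothing like a sustained run of failures.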

Enterprise hardening checklist

  • Use WPA2‑Enterprise or WPA3‑Enterprise with EAP‑TLS and per‑user/device certificates
  • Enforce certificate validation on endpoints; pin trusted CAs where possible
  • Enable PMF (802.11w) and deauth protection on controllers/APs
  • Separate employee, guest, and IoT networks with VLANs and appropriate ACLs
  • Rotate credentials and revoke lost/stolen device certs promptly
  • Monitor for rogue APs and Evil Twin attempts with WIPS/WIDS capabilities
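Where no WIPS/WIDS is available, the rogue‑AP check in the last bullet can be done by hand against the SSID/BSSID/channel/security columns from the Wireless Diagnostics Scan window described earlier. The following is an added example, not code from this article: it takes scan records (constructed here, in the shape of those columns) and an assumed inventory of the BSSIDs you operate per SSID, then flags any access point that advertises one of your SSIDs from an unknown BSSID or with weaker security than your policy.

```python
# Constructed scan records in the shape of the Wireless Diagnostics Scan columns;
# every SSID, BSSID and channel here is made up for the example
SCAN = [
    {"ssid": "corp-wifi", "bssid": "a4:11:22:33:44:01", "channel": 36, "security": "WPA2 Enterprise"},
    {"ssid": "corp-wifi", "bssid": "a4:11:22:33:44:02", "channel": 44, "security": "WPA2 Enterprise"},
    {"ssid": "corp-wifi", "bssid": "02:de:ad:be:ef:01", "channel": 6, "security": "Open"},
    {"ssid": "corp-guest", "bssid": "a4:11:22:33:44:03", "channel": 1, "security": "WPA2 Personal"},
    {"ssid": "neighbor-net", "bssid": "f0:99:88:77:66:55", "channel": 11, "security": "WPA2 Personal"},
]

# Assumed inventory of the access points you operate, keyed by SSID
AUTHORIZED = {
    "corp-wifi": {"bssids": {"a4:11:22:33:44:01", "a4:11:22:33:44:02"},
                  "security": "WPA2 Enterprise"},
    "corp-guest": {"bssids": {"a4:11:22:33:44:03"}, "security": "WPA2 Personal"},
}


def security_rank(label: str) -> int:
    """Map a scan's security string to a comparable strength level.
    WPA2 that still allows TKIP is ranked with WPA, since TKIP is legacy."""
    s = label.upper()
    if "WPA3" in s:
        return 4
    if "WPA2" in s:
        return 2 if "TKIP" in s else 3
    if "WPA" in s:
        return 2
    if "WEP" in s:
        return 1
    return 0   # open network


def audit_scan(scan, authorized):
    """Return (finding, ssid, bssid, detail) tuples for access points that use
    one of our SSIDs from a BSSID we do not operate (possible Evil Twin) or
    advertise weaker security than the policy for that SSID."""
    findings = []
    for ap in scan:
        policy = authorized.get(ap["ssid"])
        if policy is None:
            continue   # someone else's network; not our SSID
        bssid = ap["bssid"].lower()
        if bssid not in policy["bssids"]:
            findings.append(("unknown-bssid", ap["ssid"], bssid, f"channel {ap['channel']}"))
        if security_rank(ap["security"]) < security_rank(policy["security"]):
            findings.append(("weaker-security", ap["ssid"], bssid, ap["security"]))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SCAN, AUTHORIZED):
        print(*finding)
```

The neighbour's network is ignored on purpose; what matters is an unknown radio presenting your SSID, especially when it offers weaker security than your real APs, which is what an Evil Twin looks like in a scan.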

Responsible testing

Only test networks you own or have explicit written authorization to assess. For protocol learning, use lab environments or public, ethically sourced capture files that demonstrate WPA/WPA2 handshakes without engaging in real‑world interception. Avoid capturing traffic from networks or users without permission.

Tags: wifi, macos
