WPA3

WPA2 (introduced 2004) has well-known vulnerabilities: KRACK (Key Reinstallation Attack) allows attackers in range to decrypt traffic, and offline dictionary attacks against captured handshakes can crack weak passwords. WPA3 addresses both.

WPA3-Personal

Uses SAE (Simultaneous Authentication of Equals), replacing WPA2's PSK (Pre-Shared Key) handshake. SAE provides forward secrecy: each session uses a unique key, so recording encrypted traffic today and learning the password tomorrow doesn't allow decryption of past sessions. It also resists offline dictionary attacks — attempts to crack the password must happen in real time, against a live network.

WPA3-Enterprise

The enterprise mode (used with 802.1X authentication) adds an optional 192-bit security mode for high-security environments. This isn't relevant for most organizations — standard WPA3-Enterprise with 802.1X and RADIUS is already strong.

Transition and compatibility

WPA3 requires hardware support. Devices manufactured before 2019 generally lack it. Most current enterprise access points and client devices support WPA3, but mixed environments are common.

Transitional mode (WPA2/WPA3 mixed) allows both WPA2 and WPA3 clients to connect to the same network — WPA3-capable devices negotiate WPA3 automatically. This is the practical approach during the transition period.

If your network supports WPA3, enable it. The security improvements are meaningful and the transition is transparent to end users.