Just don’t lose control over your Wi-Fi

Be it at work or in your own home: Fast and secure Wi-Fi is pretty much taken for granted these days. When it comes to security, the reality may look very different. Or are you able to keep track of exactly who is in your company network at all times?

Consider this scenario: As a network operator, you want to onboard numerous Wi-Fi devices into different parts of your network. You may do this by giving new employees a pre-shared key for them to access the company Wi-Fi with their devices. This ensures that new employees automatically land in the intended area of the network.

And yet employees, visitors and others present companies with a major security risk from cyber attacks. A risk that every company wants to minimize. According to a study conducted by the German digital association, Bitkom, 7 out of 10 German companies (68%) had been subject to a cyber attack in the last two years. This is reason enough to question the way we handle Wi-Fi passwords.

Global passwords mean that companies as network operators are losing a significant amount of control over their Wi-Fi. Preferably, employees and visitors should be given an individual password automatically. Private pre-shared keys (PPSK) and LEPS-U are known methods for providing individual Wi-Fi passwords, and they significantly minimize the risk of cyber attacks and data theft.

Data (in)security in companies

For companies working with data that is sensitive and confidential, data security is essential. This data, along with personal employee data, is the primary target for many hackers. Using a global Wi-Fi password offers an easy way for visitors or employees to login to the company network. Often, all of the Wi-Fi clients share just one global passphrase (pre-shared key, PSK). Consequently, users only need to remember one passphrase to connect different Wi-Fi clients to the network.

While this makes things nice and easy on the one hand, on the other, there is a risk that a password treated carelessly will get lost and land in the hands of unauthorized persons. The human risk factor should not be underestimated either. After all, employees regularly leave the company and take knowledge of the passphrase with them. In both cases, the passphrase should be changed in the interests of security. However, this work is unnecessary and can be avoided.

Wi-Fi passwords: for individuals

A remedy to this situation is the use of PPSK (private pre-shared key), an extension of the PSK method. A PPSK is an individual Wi-Fi password that is assigned to individuals, groups or devices for a single SSID. This is implemented by methods such as the LANCOM Enhanced Passphrase Security-User/-MAC (LEPS-U/LEPS-MAC).

This involves the initial creation of individual user groups (e.g. visitors, employees, etc.), which can additionally be assigned to a  VLAN, which restricts them to specific parts of the network. This significantly reduces the risk of external attacks on the overall wireless network. Should a user’s passphrase be lost, the risk of it being misused for other purposes is negated simply by deleting that one passphrase, so closing the security loophole.

Highly relevant for IoT?

A survey of a group of experts on the subject of IT security in 2025 revealed that they estimate the proportion of attacks on IoT to be 34%. This is not the only reason why private pre-shared keys are becoming increasingly important as a result of the “Internet of Things”. Wi-Fi clients are often inadequately protected from attacks on the corporate network and are increasingly being targeted by hackers. They attempt to enter the company’s networks via Wi-Fi-enabled devices, including smart coffee machines.

However, the use of individual Wi-Fi passwords generated via LEPS-U/-MAC make this significantly more difficult. A vulnerability can be identified more quickly and associated with a particular user. All of the other passphrases remain valid and confidential. Even if a passphrase is leaked and misused, only one device and one user are affected.

Many IoT devices are only able to connect to the network using the WPA(2)-PSK authentication method, i.e. by means of a (common) Wi-Fi password. In many cases, use of the 802.1X authentication method is impracticable. If you nevertheless need to be able to assign individual credentials to each and every IoT device—and thus to implement access control at user level—the LEPS-U method is a viable option.

Full control with LEPS-U/LEPS-MAC

Configured passphrases can be assigned to individual users or groups.

LEPS-U/LEPS-MAC gives businesses full control over who is in their Wi-Fi. Passwords that are assigned to individuals and groups significantly minimize the likelihood of a successful attack on the corporate network. LEPS-MAC provides an additional column in the access control list (ACL) and it assigns an individual passphrase to each MAC address. This unique combination of passphrase and MAC address makes the spoofing of the MAC addresses futile—and LEPS-MAC thus shuts out a potential attack on the ACL.

For further information about LANCOM Enhanced Passphrase Security-User/-MAC and private pre-shared keys in general, see our techpaper at https://www.lancom-systems.com/publications/?publication_id=931.

No Comments Yet

Leave a Reply

Your email address will not be published. Required fields are marked *

When you leave a comment, the system automatically stores the following data:

    • your name or your pseudonym (mandatory information / will be published)
    • your e-mail address (mandatory / will not be published)
    • your IP address (the IP address will be deleted automatically after 60 days)
    • date and time of the comment submitted
    • a website (optional)
    • your comment text and personal data contained therein
    • I also agree that all personal data entered together with my IP address will only be checked and stored by the Akismet spam filter in the USA for the purpose of spam prevention. Further information on Akismet and revocation options can be found here.