Think Positive Cyber

R8B25D65D-T2Phal-002-251
June 30, 2025

Everything you send on a wireless network — unless protected — travels through the air in the clear. Passwords, management frames, and even logins can be sniffed with tools like Kismet or Wireshark. That’s why encryption and authentication are mission-critical for modern networks — and why the Security+ exam wants you to understand it.

WPA2-PSK has been the standard for years, but it carries a serious flaw: the 4-way handshake exposes a hash that can be captured and cracked offline. Anyone in range can record it once and try millions of passwords later using GPU or cloud cracking tools.

Enter WPA3, which replaces the handshake with Simultaneous Authentication of Equals (SAE) — a Diffie-Hellman-like method nicknamed the Dragonfly handshake. Unlike WPA2, no hash is ever transmitted. The session key is derived fresh with each login, which means attackers must be present in real-time to attempt an attack. Encryption defaults to GCMP-256, a secure counter mode with built-in authentication.

At home, WPA3-Personal is common — using a preshared key (PSK). But in business, education, and government, WPA3-Enterprise (or WPA2-Enterprise) with 802.1X is the standard. Why? Because it allows individual usernames, passwords, and certificates. You don’t share the same Wi-Fi password with 50 employees. You authenticate against a backend server like RADIUS or TACACS+, with logs, VLAN assignment, and access control all built in.

This system is known as AAA — Authentication, Authorization, and Accounting. The supplicant (your device) talks to the authenticator (the AP or switch), which relays credentials to the AAA server. If approved, you’re in. If not, you’re denied access.

This matters not just for test scores — but for real-world security and hiring readiness. Knowing the difference between PSK and 802.1X, between RADIUS and TACACS+, is table stakes for cybersecurity roles.

I’m studying it now so I don’t just pass — I internalize it.