If your office Wi-Fi is secured with WPA2, you're probably thinking you're covered. WPA2 has been the gold standard for wireless security since 2004 — it replaced the broken WEP standard and for years it did its job well.
But it's 2026. WPA2 is over 20 years old, and in security terms, that's ancient. There are now well-documented attacks that can crack WPA2 networks — some of them require surprisingly little skill or equipment.
Here's what changed, why it matters for your law firm specifically, and what you should do about it.
What WPA2 actually does — and where it fails
WPA2 encrypts the traffic between your devices and your wireless router so that someone nearby can't just passively read your data out of the air. That part still works. The problem is in how WPA2 handles authentication — specifically, how it proves that a device is allowed to join the network.
WPA2 uses a process called a four-way handshake. When your laptop connects to your office Wi-Fi, it exchanges a series of messages with the router to establish a secure connection. Here's the problem: an attacker can capture that handshake and take it home to crack offline.
An attacker sits in the parking lot of your office building with a laptop running freely available software. They either wait for a device to connect, or they force a reconnect by sending a deauthentication packet. They capture the handshake. They go home and run it against a password dictionary or brute force it. If your Wi-Fi password is a word, a name, or anything under 12 characters — it will crack.
This isn't theoretical. Tools like Hashcat running on a modern GPU can test billions of password combinations per second against a captured WPA2 handshake. A simple 8-character password can fall in minutes.
The KRACK attack changed everything
In 2017, security researchers discovered a fundamental flaw in the WPA2 protocol itself called KRACK — Key Reinstallation Attack. It allowed attackers in range of a WPA2 network to potentially decrypt encrypted traffic, inject data, and in some configurations intercept sensitive communications.
Most major operating systems were patched. But here's the catch: your router also needed a firmware update. Many routers — especially older ones in small offices — never received that update, or received it but were never rebooted to apply it.
Unpatched KRACK vulnerabilities still exist in small office environments. If your router is more than 3-4 years old and you've never checked for firmware updates, there's a real chance it's still vulnerable.
WPA3 — what changed and why it matters
WPA3 was released in 2018 and addresses the core weaknesses of WPA2. The most important improvement is something called Simultaneous Authentication of Equals (SAE), which replaces the vulnerable four-way handshake.
Vulnerable handshake
Handshake can be captured and cracked offline. Weak passwords fall quickly. No forward secrecy.
SAE authentication
Even if password is captured, it cannot be cracked offline. Forward secrecy protects past sessions.
WPA3 also provides forward secrecy — meaning even if an attacker somehow gets your password later, they can't use it to decrypt traffic they captured in the past. Each session gets a unique encryption key.
What your office should actually do
Step 1: Check if your router supports WPA3
Log into your router admin panel (usually at 192.168.1.1 or 192.168.0.1) and look at the wireless security settings. If you see WPA3 or WPA2/WPA3 mixed mode as an option — enable it. Mixed mode lets newer devices use WPA3 while older devices still connect via WPA2.
Step 2: If your router doesn't support WPA3
Consumer routers from before 2019 generally don't support WPA3. If yours is in that category, upgrading your router is worth serious consideration — especially if you're handling sensitive client data. A business-grade Wi-Fi 6 router with WPA3 runs $150-300 and will serve your office well for years.
Step 3: Strengthen your WPA2 password in the meantime
If you can't upgrade immediately, make your Wi-Fi password significantly harder to crack:
- Minimum 20 characters
- Use a passphrase — a random string of words works well (example: correct-horse-battery-staple)
- No dictionary words, names, or addresses
- Change it immediately if any former employee knew it
Step 4: Separate your networks
Regardless of WPA2 or WPA3, make sure your client-facing guest network is completely isolated from your internal staff network. Even if someone cracks your guest network password, they should have no path to your internal systems.
ABA Rule 1.6 requires you to make reasonable efforts to protect client information. Running an unpatched WPA2 network with a weak password in 2026 is difficult to defend as reasonable. WPA3 or a hardened WPA2 configuration with proper network segmentation is the standard you should be meeting.
Not sure where your office stands?
A Tier 1 security audit covers your entire wireless setup — encryption standards, password strength, network segmentation, firmware versions, and more. You get a plain-English report telling you exactly what needs attention and in what order. It starts at $500 and takes about two hours of your time.
If you'd rather talk through it first, book a free 15-minute call and I'll tell you what I'd look for in your specific setup.
Get your Wi-Fi security assessed
Find out exactly what your wireless setup looks like from an attacker's perspective.
Book Free Call