How to Protect Your Home Wi-Fi from Theft

Nowadays, Wi-Fi has become a necessity in our lives. However, you have probably seen many news stories like this: hackers stealing personal information through home Wi-Fi, causing privacy breaches and even financial losses. You might wonder, is it really that easy for this to happen, or is there a way to prevent your own Wi-Fi from being stolen?
We specifically invited the main organizer of the app “30 Lectures on Cryptography”, Teacher Zhuoke, to answer these questions for you. He also brings you a set of tips to avoid risks.

1

Hello, I am Zhuoke.

Regarding Wi-Fi security issues, we often feel that there are many threats. Let me reassure you: Actually, all applications related to privacy and property are well protected.

This protection comes from cryptography on one hand and laws and regulations on the other. In other words, for specific applications, laws require certain levels of encryption.

Therefore, most people, even if they are completely unaware that passwords and security measures exist, can generally use these applications without being hacked. This level of security is similar to how most of us do not need to understand the details of airplane manufacturing and aviation management; as long as we fly on commercial flights normally, we will generally arrive safely at our destination.
But you may indeed have heard in the news about passwords being hacked and financial losses occurring. You might be curious: if everything is well protected, why do such news stories still exist?
From a cryptographic perspective, we have indeed done quite well. But vulnerabilities often arise from operational mistakes during actual use or human laziness.
The weaknesses of human nature are also weaknesses of passwords, and these human weaknesses are difficult for cryptography to address. Hackers will exploit these aspects.
Knowing this, you will understand that making your passwords more secure in daily life requires not only enhancing cryptographic knowledge but also avoiding operational mistakes and combating human weaknesses.

2

Why do I say this? Let’s first look at how Wi-Fi passwords are stolen.
The simplest method is user operational mistakes. For example, a wireless router needs to be properly set up with several passwords to function normally; some people may only know the Wi-Fi username and password while neglecting the others. Many Wi-Fi passwords are stolen in this manner.
Specifically, routers have many parameters that can be set, such as who can log in, traffic limits, etc., which also includes the Wi-Fi name and password. To set these parameters, another set of usernames and passwords is required, which is different from the Wi-Fi name and password.
Many router brands have the default username as ADMIN, with the password also defaulting to ADMIN, and the address is often 192.168.1.1. This is meant to make it easier for people to use for the first time. Users are supposed to change this default ADMIN after the first use, just like how we change the default password on a new bank card right away.
But many people are unaware of this, especially those who are not IT-savvy, and many set up their Wi-Fi with help from others, who may think it’s better not to complicate things, leaving the default values unchanged.
In this case, the configured wireless router remains accessible to anyone who can log in via ADMIN and change the settings. If I know this vulnerability, I can enter the router’s settings interface and make the Wi-Fi password visible, thus seeing the username and password and using someone else’s internet for free.
The method to prevent this vulnerability is simple: change the default username and password for the router’s settings interface.

3

Of course, this example is the simplest; there are slightly more complex methods as well.
For instance, in the Android operating system, there is a folder that saves the names and passwords of Wi-Fi networks you have logged into. This way, next time you log in, everything is automatic without needing to re-enter.
Under normal circumstances, this folder is not accessible, but some people who have rooted their phones can access this folder, making the stored Wi-Fi usernames and passwords visible.
Many may have used an app called “万能钥匙” (Universal Key); with it, you can connect to many password-protected Wi-Fi networks. When you install that app, it uploads the Wi-Fi usernames and passwords stored on your phone to its server.
After accumulating enough data, when a user uses the Universal Key, the app checks the server for corresponding passwords based on the Wi-Fi name; if found, it sends the password to the user to try, and sometimes it successfully connects.
You see, Wi-Fi passwords can be stolen this way.
Many people do not understand: “He’s just using my internet; what’s the big deal? I don’t care.” But I must tell you that behind stolen Wi-Fi lie many traps: if hackers gain access to your wireless router settings, they can compromise the privacy of everyone connected to that router.
Hackers can log into the router to see what devices the owner has used, such as phones, tablets, or TV boxes, and then discover the accounts for WeChat, Weibo, QQ, Taobao, and JD from the traffic logs, and possibly even unencrypted photos.
Some might say, I don’t have any secrets; WeChat, QQ, and Weibo are public; I don’t mind if my photos are seen.
But it’s not just that; hackers can also know in real-time which pages you have logged into, and then use redirect links to hijack you to the fake pages we just talked about.
You might be on the real Taobao one second, and the next second, you are redirected to a fake Taobao, and after re-entering your username and password, your privacy and money will be at risk.
Moreover, those who have rooted their phones have opened their privacy doors wide. If apps gain this permission, they can do anything.
How can this vulnerability be avoided?
The method is simple: change the default username and password for the router settings, do not root your phone, or simply use an iPhone.
You see, this issue is not a failure of cryptography; it still falls under operational mistakes.
To save on internet costs, some people use certain apps to steal Wi-Fi, but in doing so, they expose themselves to significant risks; this is not a failure of cryptography, but rather those apps exploit the human tendency to seek small gains.

4

Let’s talk about why you should avoid using Wi-Fi without a password.

If you set up your Wi-Fi yourself, you will certainly encounter an option during password setup regarding the Wi-Fi encryption method, usually WPA2-PSK.
With it, the wireless router will automatically encrypt your data during transmission. Even if hackers use sniffers to capture these electromagnetic signals, what they obtain is merely encrypted ciphertext, and decrypting it is extremely difficult.
On the other hand, free Wi-Fi without a password means no encryption.
There’s no such thing as a free lunch. Free Wi-Fi without a password is unlikely to be due to someone forgetting to set a password; it is more likely to be a bait set by someone. When your phone or computer connects to this Wi-Fi, all data must pass through their computer, and they can retain and analyze all the data.
Most of the information is unencrypted, with only a small portion of software adding encryption at the login or payment stage due to legal requirements. But even those unencrypted parts are enough for a hacker to analyze a significant amount of critical information.
The best way to avoid this risk is not to connect to Wi-Fi without a password.

5

Besides these, there are also some small tips related to network security that you can pay attention to.

You can look at the address bar of the browser; you will notice a prefix before www. If this prefix is http://, the security level is somewhat lower; if it starts with https://, the site is more secure because it verifies the authenticity of the website.

Currently, more than half of websites have switched to starting with https. Most of the familiar websites you use are like this; only those pages that do not bear user functions and only transmit information unidirectionally still use http for efficiency.
For example, the homepages of NetEase and Sina are now using https; while in areas like entertainment, sports, automobiles, and military, http might still be used.
Once it involves user login pages, they must start with https. If you find a website that does not use https on its username and password input page, that site is very untrustworthy.
It’s not difficult to tell whether a website uses https or not; just look at the beginning of the address bar. Some sites have a lock icon before https without writing it out, which is also secure. In general, it’s not hard to judge; with a little attention, you can distinguish it.
Some fake websites, like fake Taobao or fake JD, cannot be distinguished by visual design or layout alone. When you enter your username and password and find that you haven’t entered the logged-in page, or you are repeatedly prompted that your password is incorrect, it means your username and password have been collected by the fake website. With this information, they can do many things.
To prevent this vulnerability, you can choose to use better browsers. Moreover, the browser market is highly competitive, and most browsers available for download have functions to automatically identify fake websites.
For example, if you accidentally click on a fake Taobao site, the browser will not display the page directly but will first pop up a large red warning indicating that the page may have serious risks, allowing you to choose whether to continue opening it. This step is not redundant; as long as you don’t stubbornly enter your username and password, you can avoid it.
You see, in this case, a password breach is not a failure of cryptography; it is caused by deliberate deception leading to operational errors.
Therefore, overall, under the protection of passwords, most information flow and product transactions are reliable. Knowing the typical operational mistakes mentioned above is enough to help us avoid the vast majority of risks.
We recommend Teacher Zhuoke’s “30 Lectures on Cryptography”. Is it safe to use WeChat and Alipay for payments? What is the safest password combination? Among fingerprint unlocking, pattern unlocking, and password unlocking on mobile phones, which is the safest? These questions closely related to our daily lives will be answered one by one by Teacher Zhuoke.