The Wi-Fi Alliance announced WPA3 in 2018 as the successor to WPA2, which had been the default since 2004. The motivation was not a single catastrophic break but an accumulation: WPA2's personal mode had an inherent offline-cracking weakness, the 2017 KRACK attacks exposed flaws in its four-way handshake, and "open" public Wi-Fi still offered no encryption at all. WPA3 set out to fix each of these in turn.
The WPA2 Problem: Offline Password Cracking
WPA2-Personal authenticates devices with a Pre-Shared Key (your Wi-Fi password) using a four-way handshake. The flaw is that an eavesdropper who captures that handshake — just four frames, exchanged whenever a device joins — obtains enough material to guess the password offline. They take the captured handshake home and run billions of candidate passwords per second against it until one matches. No further contact with the network is needed, and you never know it happened.
This is why WPA2 security collapsed to the strength of the password. A short or common passphrase fell in minutes. A handshake could even be forced by sending a deauthentication frame to knock a device off so it reconnects and re-handshakes within the attacker's capture window.
SAE: The Dragonfly Handshake
WPA3-Personal replaces the four-way Pre-Shared Key handshake with Simultaneous Authentication of Equals (SAE), a handshake based on the Dragonfly key exchange (RFC 7664). SAE is a Password-Authenticated Key Exchange — the same family of techniques that lets two parties prove they share a password without exposing anything an attacker could crack offline.
The crucial consequence: capturing an SAE handshake gives an attacker nothing to grind against offline. To test even one password guess, they must interact with the network live, in a fresh handshake attempt — which is slow, rate-limitable, and detectable. This single change converts an offline attack measured in GPU-hours into an online attack measured in years.
WPA2: capture once, crack forever, offline. WPA3 with SAE: every password guess requires a live, observable handshake with the access point. The economics of attacking a home network shift entirely.
SAE also delivers forward secrecy: each session derives fresh keys, so capturing today's traffic and learning the password later does not retroactively decrypt it — something WPA2-Personal could not promise.
Encrypting Open Networks: OWE
WPA3's companion feature, Enhanced Open (based on Opportunistic Wireless Encryption, RFC 8110), addresses the coffee-shop problem. Traditional open Wi-Fi sends everything in cleartext over the air; anyone nearby can passively read unencrypted traffic. OWE performs an unauthenticated Diffie-Hellman exchange so each device gets an individually encrypted link to the access point — with no password and no setup change for the user.
The honest caveat: OWE protects against passive eavesdropping, not active attacks. Because there is no authentication, a nearby evil-twin access point can still impersonate the network. Enhanced Open makes silent mass snooping much harder; it does not make open Wi-Fi trustworthy.
Dragonblood: When the Fix Had Bugs
WPA3 is a good example of why "new protocol" never means "case closed." In 2019, researchers Mathy Vanhoef (who also discovered KRACK) and Eyal Ronen published Dragonblood — a set of vulnerabilities in early WPA3 implementations and in the SAE handshake's design.
- Side-channel leaks. Timing and cache-based side channels in how some implementations computed the SAE password element leaked information that enabled a partial password-partitioning attack.
- Downgrade attacks. Because of the long WPA2 coexistence period, an attacker could force a device into a WPA2-style handshake (or a weaker SAE group), reintroducing the offline-cracking exposure WPA3 was meant to remove.
- Denial of service. SAE's computation is relatively expensive, which a flood of forged handshakes could exploit to overload an access point.
The Wi-Fi Alliance and vendors issued fixes, and SAE was hardened (notably with the "hash-to-element" method that closes the main side channel). The lesson generalizes well beyond Wi-Fi: a sound protocol design still depends on careful implementation, and transition modes that keep the old weak option alive are a recurring source of downgrade attacks.
| Property | WPA2-Personal | WPA3-Personal |
|---|---|---|
| Offline password cracking | Possible from one capture | Blocked (SAE) |
| Forward secrecy | No | Yes |
| Encryption on open networks | None | Yes (Enhanced Open) |
| Resists evil-twin AP | No | No |
| Protects against a malicious insider on the same network | No | No |
What WPA3 Still Doesn't Protect
It is worth being precise about WPA3's scope. It secures the link between your device and the access point. It does nothing about anything past that point:
- Your router, ISP, and every server you connect to still see your traffic exactly as before.
- Anyone who knows the Wi-Fi password (a guest, a former housemate, a compromised IoT device) is on the trusted side of the link.
- A coerced or rogue access point still sees and routes all your traffic.
- DNS lookups, unencrypted HTTP, and metadata leak the same as on any other network.
WPA3 secures the first hop — the radio link to your access point. It says nothing about the dozens of hops after that, or about the destination server.
What to Actually Do
Practical guidance is simple. Enable WPA3 if your router and devices support it; use WPA3-only mode rather than the WPA2/WPA3 "transition" mode where you can, since the mixed mode is what enables downgrade attacks (transition mode is a reasonable compromise only while you still have WPA2-only devices). Keep router firmware updated — the Dragonblood fixes arrived as updates. And still choose a strong passphrase: SAE makes guessing dramatically harder, not impossible.
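The downgrade exposure described under Dragonblood and the advice above to prefer WPA3-only over transition mode both come down to what the access point advertises in its RSN information element. The following is an added example, not code from the article: it decodes an RSN element (element ID 48, layout per IEEE 802.11) and labels it WPA3-only, transition mode, or WPA2-only, so you can audit a beacon capture of your own AP. The three sample elements are constructed for the example, not captured from real hardware.

```python
import struct

OUI = bytes.fromhex("000fac")   # IEEE 802.11 suite selector OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128", 9: "GCMP-256"}

# Constructed sample RSN elements (not captured from real hardware), each with
# CCMP-128 as group and pairwise cipher, differing only in AKMs and MFP bits.
WPA3_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac08" "c000")
TRANSITION = bytes.fromhex("3018" "0100" "000fac04" "0100000fac04" "0200000fac02000fac08" "8000")
WPA2_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "0000")

def suite(data, pos):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type) at offset pos."""
    if data[pos:pos + 3] != OUI:
        raise ValueError("non-IEEE suite OUI at offset %d" % pos)
    return data[pos + 3]

def parse_rsn(ie):
    """Parse an RSN element: ciphers, AKM suites and the two PMF capability bits."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = suite(body, 2)
    pos = 6
    n_pair, = struct.unpack_from("<H", body, pos); pos += 2
    pairwise = [suite(body, pos + 4 * i) for i in range(n_pair)]; pos += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, pos); pos += 2
    akms = [suite(body, pos + 4 * i) for i in range(n_akm)]; pos += 4 * n_akm
    caps, = struct.unpack_from("<H", body, pos)
    return {"group": CIPHER_NAMES.get(group, group),
            "pairwise": [CIPHER_NAMES.get(c, c) for c in pairwise],
            "akm": [AKM_NAMES.get(a, a) for a in akms],
            "mfp_capable": bool(caps & 0x80),    # MFPC: bit 7 of RSN capabilities
            "mfp_required": bool(caps & 0x40)}   # MFPR: bit 6

def classify(info):
    """Label the personal-mode configuration the RSN element advertises."""
    akm = set(info["akm"])
    if "SAE" in akm and "PSK" in akm:
        return "WPA2/WPA3 transition mode (PSK still offered: downgrade exposure)"
    if "SAE" in akm:
        return "WPA3-only" + ("" if info["mfp_required"] else " (but PMF not required)")
    if "PSK" in akm:
        return "WPA2-only (offline-crackable four-way handshake)"
    return "no SAE or PSK AKM advertised: " + ", ".join(map(str, info["akm"]))

if __name__ == "__main__":
    for ie in (WPA3_ONLY, TRANSITION, WPA2_ONLY):
        print(classify(parse_rsn(ie)))
```

To audit a real network, feed the function the RSN element bytes from a beacon or probe response (for example as exported by Wireshark); a transition-mode result means a WPA2-capable client can still be steered into the crackable handshake.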
Most importantly, treat link-layer encryption as the floor, not the ceiling. WPA3 is a meaningful upgrade to the weakest part of everyday networking, but it protects one hop of a long journey. The content that genuinely must stay private regardless of which network carries it — your messages, your email, your files — needs end-to-end encryption that doesn't care whether the Wi-Fi underneath is WPA3, WPA2, or a hostile hotspot in an airport. Layered defenses are the whole game; WPA3 is one good layer.