Top 25 Wireless Tips & Tricks

Yes, you should be scared, very scared, of Wi-Fi hackers. But here's what to do to protect your data at home and on the road.

By Becky Waring (Updated 1/19/07)

In the early days of Wi-Fi, hardly anyone worried about security. We were all just so thrilled at going wireless and being able to connect at hotspots that security was given short shrift. A series of escalating hacker attacks, drive-by break-ins, and wireless phishing scams has erased that naiveté. Our top five tips on securing your Wi-Fi usage are the most important ones you'll read in this article. Don't just read them, implement them.

 

1. Secure Your Home Network

Question: Do I need to be concerned about Wi-Fi security in my home network? I have a firewall.

Answer: Yes, absolutely! While you should always use both a personal software firewall and a hardware-based router firewall on your home network, these don't substitute for Wi-Fi security measures. You also need Wi-Fi protection because data being sent over the airwaves is there for anyone nearby to capture, regardless of whether you are using a firewall. A firewall only protects you against attacks coming over the Internet into your local network.

While home Wi-Fi networks can free you to work (or play!) anywhere in the house, too many users just plug them in, neglecting to turn on security features or set passwords. Yes, this is a chore, but the latest routers make the process relatively simple, and the alternative is allowing freeloaders on your network (at best), or malicious hackers bent on stealing your data (at worst).

Here are three simple things you can do to lock up your Wi-Fi net:

First, change the default router password provided by the manufacturer. That will ensure no one else can go back in and change the security settings you make next. Second, turn off the broadcasting of your SSID, and change the SSID to something non-obvious (i.e. NOT "Wireless" or "Netgear"). Finally, turn on WPA/WPA2 encryption if you have it, WEP if you don't. This will require entering a password on each of your client devices as well, but once stored, you won't have to enter it again.

One more step you can take if you want to tighten things up even further is to limit wireless access to devices with specific MAC addresses. Not all routers have this feature, but most do. For even more tips, see our Complete Guide to Wi-Fi Security.

 

2. Yes, You Need Encryption!

Question: Using encryption on my Wi-Fi router really slows things down. If I restrict Wi-Fi access by MAC address, so that only my portable can connect to it, can I then turn off encryption?

Answer: No. While limiting access to your Wi-Fi net by MAC address is a good idea (every computing device has a unique MAC address, usually printed on a label on the bottom along with the serial number), there are two big problems with relying on this security method alone. First of all, since Wi-Fi signals are simply radio waves, they can be read by any receiver without needing to be connected to your router. So if you don't use encryption, the data you transmit and receive wirelessly is sent in plain text for all to read.

Second, MAC addresses can be "spoofed." That is, someone can read your MAC address as it is sent over the air, and then pretend to be you, connect to your router, and gain full access to your network. It's always best to use every layer of security available to you, from system-level approaches like personal firewalls and antivirus software, to router-based functions like encryption, closed networks, and MAC address limitation, as explained in our Complete Guide to Wi-Fi Security.

So you should always use encryption, preferably WPA or WPA2, the latest and strongest. The trait that makes both WPA and WPA2 much more secure than WEP is the fact that the encryption key changes with every session, and keys are also specific to each client on the network. While WPA (Wi-Fi Protected Access) was a big step up from Wi-Fi's original WEP encryption protocol, it was always meant to be an interim solution until the government-grade IEEE 802.11i security standard became final, in the form of WPA2. Don't buy new Wi-Fi gear without it.

 

3. Setting Up a Secure Public/Private Wi-Fi Net

Question: How can I secure my home Wi-Fi net, while also providing public access for guests?

Answer: Well, there are two possibilities: the hard way and the easy way! The hard way is via hardware, and the easy way is to simply use a VPN solution like JiWire Hotspot Helper to protect each computer on your network (Hotspot Helper secures you whether you are at home or on the road). If you want to go the hardware route, here's a solution. You'll need to set up two routers, one with strong encryption (WPA or WPA2) for your private use, and one public network for guests. The tricky part is how to share one broadband Internet connection between the two routers without allowing the public network access to the private one.

The answer comes courtesy of Linksys, whose networking team recommends using the DMZ feature found in most Wi-Fi routers as a separator for the public and private nets. Essentially, you connect your public Wi-Fi router's WAN port to a LAN port on your Internet-connected private Wi-Fi router. Then you configure the public router as a DMZ per your private router's manual.

For best performance, set the two routers to widely separated Wi-Fi channels (such as 1 and 11). Also, to avoid IP conflicts, the public router's subnet needs to be changed so that it differs from that of the primary (private) router. For example, if the primary router uses 192.168.1.1, the secondary should be set to something else, like 192.168.2.1 or 10.10.2.1. Computers connected to the secondary (public) router will get IP addresses assigned in that subnet. Linksys says "this configuration allows users of the public Wi-Fi router access to the Internet, but no access to the LAN."

Finally, to avoid DNS problems that can arise when Internet data must traverse two NAT routers, you should manually program a DNS address into the secondary router, pointed at a good known DNS server address. Using 4.2.2.1, for instance, will force the secondary router to use this DNS service instead of the one that was automatically assigned to the secondary router by the primary router. (DNS servers are the giant databases pairing up verbal domain names, like www.google.com, with numerical IP addresses, such as 64.23.192.5. Without DNS, you'd need to know the numeric address for every site you browse to. And if DNS is not working, you won't be able to call up Web pages.)

In other words, the solution for DNS woes is to go into your secondary router's WAN setup area, and give it a fixed address for the DNS server, rather than automatically retrieving it from your ISP. Your ISP can give you a list of valid DNS server addresses to choose from. Some routers may force you to use a static IP address as well if you want to have a static DNS. This is fine, and probably a good thing. Just choose a number from the range assigned by your primary router. For example, if your primary router is at 192.168.2.1, then you might choose an IP address of 192.168.2.30 for your secondary router. The "gateway" or "router" IP address is 192.168.2.1, and the subnet mask will be 255.255.255.0.
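The addressing rules from the last three paragraphs can be checked before you type them into the routers. The following Python sketch is an added example, not part of the original article or any Linksys tool; the function name and the sample plans are constructed for illustration, using the address ranges mentioned above.

```python
import ipaddress

def check_two_router_plan(private_lan, public_lan, wan_ip, wan_gateway, dns):
    """Return a list of addressing problems in a private/public two-router plan.

    private_lan / public_lan are "router-address/netmask" strings.
    wan_ip, wan_gateway and dns are the public router's static WAN settings.
    """
    priv = ipaddress.ip_network(private_lan, strict=False)
    pub = ipaddress.ip_network(public_lan, strict=False)
    wan_ip = ipaddress.ip_address(wan_ip)
    gateway = ipaddress.ip_address(wan_gateway)
    dns = ipaddress.ip_address(dns)
    problems = []

    # The public router's LAN must be a different subnet from the private LAN.
    if priv.overlaps(pub):
        problems.append(f"public LAN {pub} overlaps private LAN {priv}")

    # The public router's WAN port hangs off a private-router LAN port, so its
    # static WAN address and gateway must both come from the private range.
    if wan_ip not in priv:
        problems.append(f"WAN address {wan_ip} is outside {priv}")
    if gateway not in priv:
        problems.append(f"gateway {gateway} is outside {priv}")
    if wan_ip in (gateway, priv.network_address, priv.broadcast_address):
        problems.append(f"WAN address {wan_ip} is not a usable host address")

    # DNS should be a fixed outside resolver, not the address the primary
    # router hands out (its own LAN address) or anything on either LAN.
    if dns in priv or dns in pub:
        problems.append(f"DNS {dns} points at a local router, not a fixed server")
    return problems

# Constructed sample plans using the address ranges mentioned in the article.
GOOD = ("192.168.1.1/255.255.255.0", "192.168.2.1/255.255.255.0",
        "192.168.1.30", "192.168.1.1", "4.2.2.1")
BAD = ("192.168.1.1/255.255.255.0", "192.168.1.1/255.255.255.0",
       "192.168.1.30", "192.168.1.1", "192.168.1.1")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_two_router_plan(*plan) or "no problems found")
```

Passing these checks only rules out addressing mistakes; confirm the separation itself by trying to reach a private-network address from a computer connected to the public router.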

 

4. Protecting Yourself at Hotspots

Question: I keep reading stories about Wi-Fi "phishing" attacks, such as at recent conventions in Las Vegas and London. What are these attacks and how can I protect myself?

Top 10 Security Tips for Public Hotspots

  1. Make sure you're connected to a legitimate access point.
  2. Encrypt files before transferring or emailing them.
  3. Use a virtual private network (VPN).
  4. Use a personal firewall.
  5. Use anti-virus software.
  6. Update your operating system regularly.
  7. Be aware of people around you.
  8. Use Web-based email that employs secure http (https).
  9. Turn off file sharing.
  10. Password-protect your computer and important files.

Answer: So-called "Evil Twin" networks have been around for a while, where hackers place access points in hotspot areas to hijack traffic. But a new, more dangerous, twist has cropped up recently and is what you are seeing reported widely in the news.

The new twist adds a fake login page that looks just like the real thing -- like a lure that attracts fish, hence the name -- enabling phishers to capture your passwords and credit card information, load viruses and spyware onto your machine, or simply capture everything you type or transmit over the Internet.

How can you protect yourself? Take simple precautions like checking the SSID of the network you are connecting to, making sure that you are in a legitimate hotspot area (use the JiWire Hotspot Directory to find out).

Most importantly, when signing in at pay hotspots, only type your username, password, or credit card information into a secure Web page. You'll know the page is secure if you see "https" in front of the sign-in page's Web address and you also see the lock icon on your browser window. However, if your browser presents an alert that the page's security certificate is expired or invalid, you're better off moving to another hotspot down the street.

Remember that at most hotspots, even if you sign in securely, your data is transmitted in the clear, easily intercepted by anyone close by unless you use a Virtual Private Network (VPN) service, like JiWire Hotspot Helper. To test your current Wi-Fi setup, take the Wi-Fi Security Test.

 

5. Keeping Shared Folders Safe at Hotspots

Question: I have several folders enabled for sharing on my home Wi-Fi network. Is there some easy way to "unshare" these folders when using a public hotspot?

Answer: Good question. Security at public hotspots is a big issue, since most have no encryption or other protection. If you are using a VPN when you connect at a hotspot, such as JiWire Hotspot Helper, there is no need to worry. All data flowing to and from your computer will be routed through a safe tunnel. Without VPN, you should indeed make sure that hackers cannot access your machine through file sharing.

There are two basic options for this. First, you could turn off file sharing altogether, in which case you'll need to turn it back on again when you get home. This is the safest method, but a potential hassle. Second, you can configure sharing to restrict access to only specially authorized users, and turn off any "guest" accounts. The latter requires that you disable Simple File Sharing (on by default in Windows XP), and then configure permissions for folders you want to share.

Microsoft has instructions for configuring file sharing in Windows XP here and here.

Mac users should also make sure they have set restrictive permissions for file sharing before connecting at hotspots (including turning off any guest accounts without passwords), or simply turn off file sharing altogether in the Sharing System Preferences pane.
