Everything we’re told about digital security says that you should never let strangers roam your network without your permission. But if you’re a Comcast customer, that’s exactly what will happen as the company's Xfinity WiFi service rolls out. Fortunately, there’s a way to bar the door.

With Xfinity WiFi, we're all hotspots now

Mike Mozart via Flickr Comcast says it'll give plenty of notice before your modem is Xfinity-WiFi-enabled.

If you live in a major metropolitan area in the East Coast or in the Midwest, chances are Xfinity WiFi's already operating in your area. The service takes advantage of the dual-band (2.5GHz/5GHz) Xfinity Wireless Gateway 2 modem (model DPC3939) it's been distributing to customers for the past year. (Other modems Comcast uses also have the capability.) Comcast reserves one band and antenna for your own use, and one to serve as a public Xfinity Wi-Fi hotspot.

There’s an easy way to tell whether the public hotspot's enabled on your modem: You should see an “xfinitywifi” public SSID broadcast from your own router. To access it, users will need a Comcast Xfinity login and password.

Comcast has already installed 1 million Xfinity WiFi hotspots across the nation, with plans to reach 8 million by the end of the year. Target metropolitan areas include Atlanta, Baltimore, Boston, Chicago, Denver, Detroit, Hartford, Houston, Indianapolis, Miami, Minneapolis, Nashville, Philadelphia, Pittsburgh, Portland, Sacramento, Salt Lake City, San Francisco, Seattle and Washington D.C., Comcast says.

All you'll need to log in to Xfinity Wi-Fi is your Xfinity login and password.

Comcast customers at the “Performance” (25-Mbps) tier or above will be able to surf on any public Xfinity WiFi hotspot for an unlimited amount of time, for free. (If you’re a Comcast customer at a slower tier, or not a customer at all, you can try it free for two one-hour sessions, according to a Comcast spokesperson.)

To ensure your bandwidth isn’t monopolized, only five people will be able to sign onto an Xfinity Wi-Fi hotspot at one time, the spokesperson added.

Is sharing safe?

The security questions are more difficult question to answer. According to Comcast, if someone logs on and begins downloading pornography, for example, such actions will be linked to that person’s account. You won’t be liable, the spokesman said.

But whether that person will be able to access other devices on your network, including your hard drive, is a separate question. And Comcast’s response isn’t reassuring.

Comcast encourages users to set strong passwords, and it supplies antivirus software to its customers. If the company does detect an unusual amount or source of traffic, such as a customer who may have been infected by a virus and turned into a zombie, or ‘bot,” that customer will be notified.

That doesn’t answer the question of whether an elderly customer blissfully surfing away on an unprotected PC will be unduly exposed by Xfinity WiFi. Comcast recommends that customers use antivirus protection plus a firewall and take advantage of its gateway’s 128-bit WPA and WPA2 encryption. “If a consumer doesn’t put the in the necessary precautions, to at least take some of these steps, they’re not doing everything they can to protect their account,” the spokesman said.

The Xfinity wireless gateway.

Comcast says that users should have been notified of their router’s evolution into an Xfinity hotspot via email, mailers, and even a press release. If you don’t want Xfinity WiFi, however, you have to opt out. Here’s the process, as noted by Dwight Silverman:

Log into your Comcast account page at customer.comcast.com .

. Click on Users & Preferences.

Look for a heading on the page for “Service Address.” Below your address, click the link that reads “Manage Xfinity WiFi.”

Click the button for “Disable Xfinity Wifi Home Hotspot.”

Click Save.

You can also call Comcast and ask that they put the modem into “bridge mode.”

The answer: buy an approved third-party router

The easiest way, of course, is to simply ditch Comcast’s modem entirely. PCWorld contributor Eric Geier gets into the nuts and bolts. To its credit, Comcast makes the process simple from its end as well.

First, check Comcast’s site to see whether your existing cable modem is expiring, as Comcast may not tell you. An older modem may be hobbling your premium-broadband service. Proceed to Comcast’s dedicated site to buy a new cable modem. (Cox has its own list of compatible modems, as does Time Warner Cable.)

On the Comcast site, you’ll find prices as low as $70 (new from Amazon) for the Arris/Motorola SB6121 bare-bones modem. (On the low end, of course, you’ll need to supply a separate router.) Have a look at the specs, too: the SB6121 can transfer 172 Mbits/s down and upload up to 131 Mbits/s. That’s more than enough for most small families, especially if your service is only rated at, say, 16 Mbits/s. But if you’re thinking of upgrading to the Extreme 150 tier, for example, that might be pushing it a bit. The $90 Arris SB6141 downloads up to 343 Mbits/s at a time.

One great alternative to the Comcast Xfinity gateway is this simple, inexpensive cable modem from Arris and Motorola.

You can also pay more, if you wish, to buy a true gateway with integrated router capabilities, including the most recent 802.11ac technology for higher-bandwidth wireless streaming and MoCA capability for using your existing coax runs as wired networking cables.

It’s fairly certain the third-party gateways on the Comcast site won’t suddenly sprout Xfinity WiFi capabilities. Simply buy Comcast’s low-end recommended modem and attach your own router to it—either one you already own, or a new model. (Here’s the PCWorld roundup of the best 802.11ac routers of 2013.)

The most annoying part of the process may be returning your existing router, and phoning in your new router’s MAC address to ensure it can be identified by your cable provider.

Eventually, of course, any new cable modem you purchase will itself become obsolete. That doesn’t look like it will happen anytime soon, however. Last Halloween, CableLabs released the specifications for DOCSIS 3.1, which sets the stage for whopping 10-Gbit/s connections. As Light Reading notes, end-to-end deployment trials will likely begin in 2016. And most cable operators are thinking of DOCSIS 3.1 in the context of a world where video is passed entirely over IP streams, which may be far in the future.

So far, Comcast hasn't given any indication that it will penalize users for not adopting its Xfinity WiFi router. In other words, you can opt out of supplying a public WiFi hotspot, and still take advantage of other Xfinity hotspots in airports and elsewhere. (Or Starbucks, for that matter.) And with 4G cellular plans becoming cheaper, there's always the option of tethering to your phone, too.

The bottom line, however, is that owning your own cable modem allows you to save money and control your own security. And if Comcast’s new Xfinity WiFi hotspot network weirds you out, that’s another reason to switch.