By the look of that they're simply complaining about the character length ("The advice followed a Which? snapshot investigation which found that hackers could access to home networks and connected appliances in as little as four days.")
The older hubs use 8 characters and the newer hub 3.0 uses 12. Both are comparable in complexity and have WPA / WPA2 protection - not WEP. WPA isn't fast to crack. To quote something about crack time
"(a) a standard desktop CPU can do roughly 1000 passwords/second. (b) a desktop GPU (graphics processor) can do roughly 80000 passwords/second, or 80 times the speed of a CPU, or 30 days to crack your hypothetical password (c) a cluster of 8 GPUs is 8 times the previous number, or 8*80000 or 640k passwords/second, or 4 days to crack your hypothetical password (d) Amazon EC2 uses older/slower GPUs"
You aren't going to find an Amazon cloud data center in your front yard. If a 'hacker' was trying to pop someone's WiFi, they would be doing so sat in their car using a laptop (low powered compared to a desktop.) And they'd be there for a very long time (month+, in short they wouldn't bother when they seen it wasn't running WEP.) 8 to 12 character WPA/WPA2 passwords on WiFi are a standard.
I'm not sure how Which was performing their tests, but it certainly wasn't putting an Amazon data center in peoples properties and illegal trying to pop the WiFi.
+Add: You could make comparison articles about any other ISP using similar length WPA/WPA2 passphrases. Looks like a nice little scare article based upon what you can theoeritcally do if: 1) if you can get Amazon to put a data center in someone's front/back yard and 2.) have Amazon agree it's there to hack that person's WiFi and 3.) hope the person doesn't notice the data center on their property...
Their's a line between feasible unfeasible and that article crosses it into unfeasible.
______
Leaving in 2019 - has been a good experience.
