Everything were told about digital security says that you should never let strangers roam your network without your permission. But if youre a Comcast customer, thats exactly what will happen as the company's Xfinity WiFi service rolls out. Fortunately, theres a way to bar the door.

If you live in a major metropolitan area in the East Coast or in the Midwest, chances are Xfinity WiFi's already operating in your area. The service takes advantage of the dual-band (2.5GHz/5GHz) Xfinity Wireless Gateway 2 modem (model DPC3939) it's been distributing to customers for the past year. (Other modems Comcast uses also have the capability.) Comcast reserves one band and antenna for your own use, and one to serve as a public Xfinity Wi-Fi hotspot.

Theres an easy way to tell whether the public hotspot's enabled on your modem: You should see an xfinitywifi public SSID broadcast from your own router. To access it, users will need a Comcast Xfinity login and password.

Comcast has already installed 1 million Xfinity WiFi hotspots across the nation, with plans to reach 8 million by the end of the year. Target metropolitan areas include Atlanta, Baltimore, Boston, Chicago, Denver, Detroit, Hartford, Houston, Indianapolis, Miami, Minneapolis, Nashville, Philadelphia, Pittsburgh, Portland, Sacramento, Salt Lake City, San Francisco, Seattle and Washington D.C., Comcast says.

Comcast customers at the Performance (25-Mbps) tier or above will be able to surf on any public Xfinity WiFi hotspot for an unlimited amount of time, for free. (If youre a Comcast customer at a slower tier, or not a customer at all, you can try it free for two one-hour sessions, according to a Comcast spokesperson.)

To ensure your bandwidth isnt monopolized, only five people will be able to sign onto an Xfinity Wi-Fi hotspot at one time, the spokesperson added.

Is sharing safe?

The security questions are more difficult question to answer. According to Comcast, if someone logs on and begins downloading pornography, for example, such actions will be linked to that persons account. You wont be liable, the spokesman said.

But whether that person will be able to access other devices on your network, including your hard drive, is a separate question. And Comcasts response isnt reassuring.

Comcast encourages users to set strong passwords, and it supplies antivirus software to its customers. If the company does detect an unusual amount or source of traffic, such as a customer who may have been infected by a virus and turned into a zombie, or bot, that customer will be notified.

That doesnt answer the question of whether an elderly customer blissfully surfing away on an unprotected PC will be unduly exposed by Xfinity WiFi. Comcast recommends that customers use antivirus protection plus a firewall and take advantage of its gateways 128-bit WPA and WPA2 encryption. If a consumer doesnt put the in the necessary precautions, to at least take some of these steps, theyre not doing everything they can to protect their account, the spokesman said.

Comcast says that users should have been notified of their routers evolution into an Xfinity hotspot via email, mailers, and even a press release. If you dont want Xfinity WiFi, however, you have to opt out. Heres the process, as noted by Dwight Silverman:

Log into your Comcast account page at customer.comcast.com.

Click on Users & Preferences.

Look for a heading on the page for Service Address. Below your address, click the link that reads Manage Xfinity WiFi.

Click the button for Disable Xfinity Wifi Home Hotspot.

Click Save.

You can also call Comcast and ask that they put the modem into bridge mode.

The answer: buy an approved third-party router

The easiest way, of course, is to simply ditch Comcasts modem entirely. PCWorld contributor Eric Geier gets into the nuts and bolts. To its credit, Comcast makes the process simple from its end as well.

First, check Comcasts site to see whether your existing cable modem is expiring, as Comcast may not tell you. An older modem may be hobbling your premium-broadband service. Proceed to Comcasts dedicated site to buy a new cable modem. (Cox has its own list of compatible modems, as does Time Warner Cable.)

On the Comcast site, youll find prices as low as $70 (new from Amazon) for the Arris/Motorola SB6121 bare-bones modem. (On the low end, of course, youll need to supply a separate router.) Have a look at the specs, too: the SB6121 can transfer 172 Mbits/s down and upload up to 131 Mbits/s. Thats more than enough for most small families, especially if your service is only rated at, say, 16 Mbits/s. But if youre thinking of upgrading to the Extreme 150 tier, for example, that might be pushing it a bit. The $90 Arris SB6141 downloads up to 343 Mbits/s at a time.

You can also pay more, if you wish, to buy a true gateway with integrated router capabilities, including the most recent 802.11ac technology for higher-bandwidth wireless streaming and MoCA capability for using your existing coax runs as wired networking cables.

Its fairly certain the third-party gateways on the Comcast site wont suddenly sprout Xfinity WiFi capabilities. Simply buy Comcasts low-end recommended modem and attach your own router to iteither one you already own, or a new model. (Heres the PCWorld roundup of the best 802.11ac routers of 2013.)

The most annoying part of the process may be returning your existing router, and phoning in your new routers MAC address to ensure it can be identified by your cable provider.

Eventually, of course, any new cable modem you purchase will itself become obsolete. That doesnt look like it will happen anytime soon, however. Last Halloween, CableLabs released the specifications for DOCSIS 3.1, which sets the stage for whopping 10-Gbit/s connections. As Light Reading notes, end-to-end deployment trials will likely begin in 2016. And most cable operators are thinking of DOCSIS 3.1 in the context of a world where video is passed entirely over IP streams, which may be far in the future.

So far, Comcast hasn't given any indication that it will penalize users for not adopting its Xfinity WiFi router. In other words, you can opt out of supplying a public WiFi hotspot, and still take advantage of other Xfinity hotspots in airports and elsewhere. (Or Starbucks, for that matter.) And with 4G cellular plans becoming cheaper, there's always the option of tethering to your phone, too.

The bottom line, however, is that owning your own cable modem allows you to save money and control your own security. And if Comcasts new Xfinity WiFi hotspot network weirds you out, thats another reason to switch.