

Reno7
Premium
join:2008-10-26
Keller, TX

WPA2 password advice - for my mom


Next weekend I'm going to set up WiFi at my mother's house. I'm going to upgrade to a higher end router and give her my old router and use WPA2 Personal.

Myself, I've always used a randomly generated 63 ascii character password (which the only negative is typing that sucker into a cell or something where you can stick it on a text pad and paste it in).

My mother has a lot of family and close friend visitors with a few that occasionally stay the night. They are going to be using the WiFi.

So, I'm trying to figure out exactly what to do for a password. I'm not around to watch her network, so I want something secure, but I also need something that's easy for 'guests' to type in.

Any thoughts? Like maybe some kind of sentence or phrase that's easy to type? Thanks!



GadgetsRme
RIP lilhurricane
Premium
join:2002-01-30
Canon City, CO

1 edit

When my folks had a computer and needed a password I used 3 things in combo that were easy for them to remember.

For instance:
1. Say they live in Colo. Springs, CO 80907.
2. Their dog's name is Lady.
3. Their favorite place to go is Cotopaxi.
So the password would be: $CSC907$Lady$Cotopaxi$

That gives you a 22 figure password with a combination of numbers, caps, lowercase, and symbols.
--
Gadgets



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5

1 recommendation

reply to Reno7

You can use Windows Connect Now [WCN] to save off the wireless profile on a flash drive. Users can then simply plug in the flash drive into their Win 7/Vista/XP computer and automatically load the profile.

»theillustratednetwork.mvps.org/L···nect_Now

If the client cannot use WCN, i.e. like a Mac or Linux client for example, the wireless key is in plain text in the \Smrtntky\Wsetting.txt file on the flash drive. Simply copy-n-paste to the client.

That can, as you noted, be a bit problematic with smart phones/iPods/etc...
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer



Reno7
Premium
join:2008-10-26
Keller, TX

Thanks, think I'll do both tips.


flyingroach

join:2003-12-04
Brooklyn, NY

1 recommendation

I vote for simple so "helpful" guests don't reset the router to "FIX" it.

Simple random SSID
For WPA2 key Use mom's cell # no dashes, something she can remember and she doesn't mind telling guests.

Change router default pwd and write wpakey to old luggage tag and tie or screw to the router so she can't forget.

Someone hacking her easy wpa2 pwd is the lowest computer risk she has. Even here in NYC with people stacked like wood very close to zero wpa2 keys get hacked. Hell idiot cable companies use wep which just uses wan mac address plus 14 zeros. Your mom's cell # and wpa2 better than that. Be sure to show her how to power cycle it.



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH
reply to Reno7

Ask her what her favorite movie, actor, actress, song, etc. is. Then make the WPA2 password "My favorite movie is gone with the wind". The odds of that getting hacked are pretty slim.
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.


twizzler66

join:2011-06-25
Guelph, ON
reply to Reno7

I've seen WPA2 Personal hacked in less than 3 minutes using a PSP and rainbow tables, so unless you plan on running a RADIUS server, I wouldn't worry about it too much - using a password with more than 8 characters including special characters will be enough to deter the average hacker - if you are worried about more than that, WPA2 personal shouldn't be your solution for security....



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5


Random ASCII key example
I see this from the Renderlab site talking about WPA...

»www.renderlab.net/projects/WPA-tables/

quote:
Ass covering

The fact that we found a way to speed up WPA-PSK cracking does not mean that it is broken. Far from it. The exploit used by coWPAtty and other similar tools is one of dumb passphrases. The minimum number of characters for a WPA-PSK passphrase is 8. The maximum is 63. Very few users actually use more than about 20 characters. As well, they also choose known words and phrases, likely to be in a dictionary. This allows us to leverage a human element in obtaining the key.

To get decent protection from WPA-PSK, you should use a very long, very random, alphanumeric string longer than 20 characters. To protect yourself further, particularly against the WPA-PSK hashtables, you should use a SSID not on the top 1000 list. This will force the attacker to compute their own list, rather than use one of the CoWF tables.

All that said, you should be using WPA2 with a radius server to get more reliable protection.

Given that I believe the use of WPA2-PSK [AES] with a truly long random ASCII key is safe for the home user without adding a radius server. Personally I use a 63-character random ASCII key like the screen shot to protect my two home WLANs...
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer
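
How the SSID enters the WPA/WPA2-Personal key, as an added example that is not part of the original posts or the quoted Renderlab page: the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is why precomputed tables only apply to the SSIDs they were built for. The `COMMON_SSIDS` set, the `review` helper and the sample SSID and passphrase are constructed for illustration.

```python
import hashlib

# Constructed sample of factory-default style SSIDs. This is NOT the actual
# "top 1000" list the quote refers to; substitute a real list when auditing.
COMMON_SSIDS = {"linksys", "NETGEAR", "default", "dlink", "belkin54g"}


def wpa2_pmk(passphrase, ssid):
    """Derive the 256-bit pairwise master key used by WPA/WPA2-Personal.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def review(ssid, passphrase):
    """Return findings based on the two recommendations in the quote."""
    findings = []
    if ssid in COMMON_SSIDS:
        # Precomputed tables are built per SSID, so a common name is exposed to them.
        findings.append("ssid-common")
    if len(passphrase) <= 20:
        findings.append("passphrase-not-longer-than-20")
    return findings


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample passphrase
    for name in ("linksys", "moms-house-7f3a"):  # second SSID is hypothetical
        # Same passphrase, different SSID: the derived key is unrelated.
        print(name, wpa2_pmk(phrase, name).hex(), review(name, phrase))
```
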


JJJohnson

join:2001-08-25
Fort Collins, CO

1 recommendation

reply to Reno7

Whatever you come up with, just write the thing down on an index card or something that they won't lose. Someone would have to break into the damned house to get it and probably couldn't care less about hacking into their freaking wireless network.



javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA
reply to Reno7

I always tell people to use a phrase that they will remember: a line from a favorite book or poem, a scripture verse or famous quote. Then use the first letter of each word. Add a couple of capital letters and a number or two in strategic places.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20



Michael9009

join:2006-07-28
Toronto, ON
reply to Reno7

I use a 63-ASCII random characters password. These can be generated here:

»www.grc.com/passwords.htm

...or you can create one yourself.



Thane_Bitter
Inquire within
Premium
join:2005-01-20
Reviews:
·Bell Sympatico
reply to twizzler66

said by twizzler66:

I've seen WPA2 Personal hacked in less than 3 minutes using a PSP and rainbow tables,

You of course really mean cracked. WPA2 isn't encryption, it is the name of a document that outlines several different encryption schemes, in short it means the users used TKIP (a flawed bastard child of WEP) or CCMP (AES).

But you have pointed out a real problem with security, PEOPLE!
Most people are too damn lazy to use a reasonable sized, random passkey, and change the SSID to something unique (thus NOT likely to be found in a pre-compiled list). Often they are the same sort of person that also writes their password and other important information on a Post-it note and then leaves it on the desk in plain sight. Uses pet names, nicknames, anniversaries, birthdays, etc. and other socially accessible information to "secure" their lives.

Not much can be done about rainbow tables except by having hardware use random SSIDs out of the box, also manufacturers could implement forced length and complexity when entering or assigning keys but this requires coders and testing, and that means less profit.

As for WPS it is a back door around security, the Wi-Fi Alliance just marketed it as a way to "ease the task of setting up and configuring security on wireless local area networks".

Works both ways, for the consumer AND hacker - nice job Wi-Fi Alliance!


freddymac2

join:2009-09-22
way out west
reply to Reno7

SoonerAl has it right ... both posts

Use a 30+ char WPA passphrase of random characters: alpha, upper case, lower case, numerics and specials. Absolutely no dictionary words nor proper names.
WPA has been cracked ONLY when users have simple dictionary words.

And, put the passphrase onto a USB memstick device which guests can load onto their PC when they visit.

Security and "make it easy" are non-orthogonal concepts.



psafux
Premium,VIP
join:2005-11-10
kudos:2
reply to Reno7

Secure it correctly or don't do it at all. Keep a copy of the security settings so you can tell your mother or her guests when they call because they can't get connected and she has forgotten the code.

It's easy to pick a secure and memorable password. They are not mutually exclusive.



clarknova

join:2010-02-23
Grande Prairie, AB
kudos:7
Reviews:
·TekSavvy DSL

1 recommendation

reply to Reno7

Password padding is a simple way to extend the length of a password while making it only slightly more difficult to remember than a short password.

»www.grc.com/haystack.htm
--
db



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

1 edit

1 recommendation

reply to Reno7

Remember step one of Security is physical access

if they can touch your router then consider it hacked (they could just push the reset button and wipe the wifi key), then leave it wide open and go stealing your internet access

personally I use a 63 character random ASCII key (ya it's a pain but I've typed it into my ipod touch before)

then store it on a flashdrive as a textfile and hide the flashdrive



DelmarPip
Premium
join:2011-10-15
Brownsville, TX
reply to Reno7

hey reno dont use any security at all just use that thingy that only allows the macs you set up to be able to use the wifi and forget about security its just a waste of time anyways

but this is just my advice you dont have to do this do what you wanna do cuz to be honest i turn off the wifi at night



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5

2 recommendations

said by DelmarPip:

hey reno dont use any security at all just use that thingy that only allows the macs you set up to be able to use the wifi and forget about security its just a waste of time anyways

but this is just my advice you dont have to do this do what you wanna do cuz to be honest i turn off the wifi at night

Surely you're kidding...
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer


bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

said by SoonerAl:

Surely you're kidding...

He's probably not, and don't call him Surely.
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.

thataboi

join:2004-03-09
Springfield, OR

1 recommendation

reply to Reno7

I use KeePass to generate strong passwords like 256-bit or more for all kinds of things on the net, then I store them inside an encrypted KeePass data file on a usb stick. Store serial keys in there too. Now you only need to remember one password. Firefox has a master password feature as well like this. Only problem is if your operating system crashed no recovery. If you use it alongside the KeePass program you won't have to worry about that. Also you can load it independently from usb and everything if you are like a guest on another computer. It's kind of like Truecrypt. Store passwords on usb stick encrypted then get another USB stick to backup that main USB you use all the time. If it ever gets damaged, lost, stolen, dies on ya you have a backup. Then you are set. Oh and you can also burn those KeePass, Truecrypt encrypted data container files on a CD.

As a pc tech I can tell you that Security comes first. As long as you apply the basic rules. Things like Update OS, Virus Software, Encrypt your data, backup your data, you will be ready if and when something happens. Live by these rules religiously.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Reno7

Why am I the only one noticing what a cheap bastad he's being by sluffing off his old router on his mother? When I give relatives products it's the good stuff. (If it's not good enough for me, it's not good enough for family).

I would get a wifi router or another AP or something with a built in guest wifi (or multiple essids etc). That way your mother can have her connection set and written down somewhere but doesn't have to remember a damn thing. Same with guest essid and password. Then ensure that the AP or the actual router have a way of isolating the guests to the internet only.

Oh wait, I have a netgear RT314, I'm going to give it to Sooner Al, as a gift to a senior. ;-P
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to DelmarPip

said by DelmarPip:

hey reno dont use any security at all just use that thingy that only allows the macs you set up to be able to use the wifi and forget about security its just a waste of time anyways

but this is just my advice you dont have to do this do what you wanna do cuz to be honest i turn off the wifi at night

Hey Delmar, I thought South Padre Island was a name of a prison?

Seriously, other than conserving power, hate to break the bad news but most hacking is done during the day. Furthermore, mac addresses can be spoofed very easily by 12 year olds and they are not encrypted. mac addresses = no security.
If you need a simple analogy, think of it as having a porch light on next to an unlocked door. Wow, turning off the porch light will miraculously deter crime. In other words it has no effect on the security of the door. LOCK THE EFFING DOOR PIP!!!! forget about turning the light off. LOL
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

I would only use MAC security for bridges, i.e. just to help ensure that only the 2 bridges were talking, I wouldn't depend on it to keep people out, that's what WPA2 is for



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to Anav

For me if I were to give a relative a wifi router I wouldn't give one of the ones I use, not for being cheap, just because I don't think any of them would want to learn to use cisco IOS to configure it.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Why would anyone in their right mind want to learn cisco IOS. The ADSM gui is just fine and a picture is worth a thousand cli commands.



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

You can get more accurate and better configs by knowing what you're doing.

All the configs I've seen from that tool are bloated and overall crappy.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Well that's funny because the commands on the run config are the same whether or not you create them via the gui or cli commands. Thus I cannot credit your comments with any validity. What I think you're referring to is the fact that they handle nat differently on 8.43 and beyond and it seems to confuse the crap out of so called self proclaimed cisco experts more used to previous versions.



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5
reply to Anav

said by Anav:

Oh wait, I have a netgear RT314, IM going to give it to Sooner Al, as a gift to a senior. ;-P

Ha Ha...

Just wait till the AARP police get hold of you...
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to Anav

In the past I've had ADSM generate a config and then on review of that config I tossed it and made my own, mine had lower CPU and MEM usage and better performance.

those easy configs tend to have extra crap that someone with real knowledge wouldn't bother with (like sometimes settings for features you're not even using on the given router, or ACLs that can be simplified to do the same with fewer lines)

sorry if you've not come across good cisco techs in the past that could actually improve crappy auto configs.


twixt

join:2004-06-27
North Vancouver, BC

3 edits

1 recommendation

reply to Reno7

said by Reno7:

Next weekend I'm going to set up WiFi at my mother's house. I'm going to upgrade to a higher end router and give her my old router and use WPA2 Personal.

Myself, I've always used a randomly generated 63 ascii character password (which the only negative is typing that sucker into a cell or something where you can stick it on a text pad and paste it in).

My mother has a lot of family and close friend visitors with a few that occasionally stay the night. They are going to be using the WiFi.

So, I'm trying to figure out exactly what to do for a password. I'm not around to watch her network, so I want something secure, but I also need something that's easy for 'guests' to type in.

Any thoughts? Like maybe some kind of sentence or phrase that's easy to type? Thanks!

-

Hi, Reno. Currently, the most secure reasonably-easy-to-remember password/passphrase design involves the use of a three-to-five-word assembly of unrelated words - with the words concatenated together.

Have your mom pick three words at random that she can remember. String the words together in a random order. That becomes the password/passphrase.

-

Important things NOT to do:

1. The dog is not one of the words.

2. Her street is not one of the words.

3. Husband's name is not one of the words.

4. Mother's maiden name is not one of the words.

5. You get the idea from the above - the words are *not* ones that are readily deducible by strangers using publicly available information. Non, nil, nix, nicht, nein, etc., etc., etc...

-

Example:

1. A vacation destination your Mom found memorable (IOW, the one that comes to mind first when she thinks about it)

2. Something about her best elementary school friend that immediately comes to mind when she thinks of that person.

3. The name of the spice she uses to make her favorite dish.

Have her string the words together in a pattern that she remembers. Whatever order comes to mind for her first.

-

Suggestions for improved security:

1. At least one of the words should be in a language which is unrelated to the others. Such as, one word in Hungarian and the rest in Spanish (if she is a native Spanish speaker).

2. Use other examples than the ones I suggest above. Those were just ideas to get you thinking on the pathway to getting random unrelated words that are easy to remember.

Doing the above will end up with a passphrase that is resistant to dictionary attacks - and is complex enough that it resists brute-force cracking methods - while remaining easy to remember.

-

Once you have this, write a document that contains all the Router information:

1. SSID

2. Admin Password

3. User Password

4. WLAN Authentication/Encryption Scheme (WPA2/AES only)

5. WLAN Passphrase

PRINT THE DOCUMENT. ERASE THE DOCFILE. Defrag the machine to overwrite the docfile such that it cannot be recovered.

Keep the Document in a safe place - NOT related to the Computer. With her other important documents is logical - that way it will be remembered if/when she forgets the passphrase.

Note: Keeping stuff like passphrases on USB keys is unreliable. If you do so - in order to have a backup of her document - have a paper backup as well.

-

Physical Security considerations:

1. The Router itself must be physically located where it cannot be tampered with unobserved. A room that can be locked is best. This is especially necessary with computer-savvy teenagers - who will simply reset the router and use it unsecured if they have physical access to the unit.

2. Do not expect your mom to be savvy about risks regarding friends-of-friends. Make her aware that the Router password is the electronic equivalent of her front door house key. This does NOT get released into the hands of people your mom does not personally know and trust.

3. Teach your mom how to disable the radio on her Router (or at least how to turn the Router off). Get a promise from her that she will disable the radio (or turn the Router off) the moment she discovers someone untrustworthy has had access to either the router or her machine(s). She is also to promise she will contact you to have the WLAN passphrase regenerated and redocumented if it is compromised.

-

Final comments:

1. There is way too much info from so-called "experts" in Security that is folklore, fantasy and fiction. Resist the idea that "security" is utterly compromised if your passphrase is not incomprehensible gibberish containing characters that you can't even type on a keyboard. This is nonsense.

2. Any good router that will do WPA2/AES is all that is required to be secure. However, it is important to be able to DISABLE all other transport schemas (such as WPA/TKIP, WEP or WPS) - since these can be compromised in seconds to minutes.

Note: Currently, only WPA2/AES is secure and as such, this is the only scheme that can be permitted to be used. If anybody whines because their favourite toy won't connect that way, tough. Get new toys. Do not allow your mom to compromise the security on her system to accommodate any friend, relative or such. There is no replacement for the ability to say NO - and the backbone to stick to that.

3. The longer a passphrase exists without being changed, the higher the probability that info will get into the hands of someone it should not. Changing the passphrase after "the family and kids" have visited for 2 weeks - and left to go back wherever they came from - is a really good idea.

4. Security is not compatible with complacency. Security is not convenient. Breaking security is supposed to be hard. If friends and/or family get annoyed with the above requirements - it indicates they don't take their own security seriously. As a result, they won't take your mom's security seriously either. Thus, she needs to be mindful that if they aren't trustworthy - it is appropriate that she deny access to her network.

Hope this helps.
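
A comparison of the passphrase schemes raised in this thread (a phone number, a few words strung together, 63 random ASCII characters), as an added example that is not part of any post: it generates candidates with a CSPRNG and estimates their keyspace. The 32-word list is constructed, the 7776 figure is the size of a Diceware list, the guess rate is an assumed parameter, and the bit counts hold only when every element is picked uniformly at random by the generator rather than by a person.

```python
import math
import secrets
import string

# Constructed 32-word sample list (5 bits per word), kept short so the example
# is self-contained. A published list of several thousand words gives far more.
WORDS = ("anchor basil candle desert ember falcon garnet harbor "
         "island jasmine kettle lantern meadow nutmeg orchid pepper "
         "quartz river saffron timber umbra velvet walnut yarrow "
         "zephyr copper dahlia fennel ginger hazel indigo juniper").split()

# 94 printable ASCII symbols; space is left out to avoid invisible
# leading or trailing characters when the key is retyped.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def bits(pool_size, picks):
    """Entropy in bits of `picks` independent uniform draws from a pool."""
    return picks * math.log2(pool_size)


def random_ascii(length=63):
    """Random printable-ASCII key, 63 characters being the WPA2-PSK maximum."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_words(count, words=WORDS, sep="-"):
    """Word passphrase drawn by the CSPRNG, not chosen by a person."""
    return sep.join(secrets.choice(words) for _ in range(count))


def days_to_exhaust(entropy_bits, guesses_per_second):
    """Days needed to try the whole keyspace at an assumed guess rate."""
    return 2 ** entropy_bits / guesses_per_second / 86400


def compare(guesses_per_second=1e5):  # rate is an assumption, not a measurement
    schemes = {
        "10-digit phone number": bits(10, 10),
        "3 words from the 32-word sample list": bits(len(WORDS), 3),
        "5 words from a 7776-word list": bits(7776, 5),
        "63 random printable ASCII": bits(len(PRINTABLE), 63),
    }
    return {name: (round(b, 1), days_to_exhaust(b, guesses_per_second))
            for name, b in schemes.items()}


if __name__ == "__main__":
    print(random_words(5))
    print(random_ascii())
    for name, (b, days) in compare().items():
        print(f"{name:40s} {b:6.1f} bits  {days:.3g} days")
```
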