twizzler66
join:2011-06-25
Guelph, ON

twizzler66 to Reno7

Member

Re: WPA2 password advice - for my mom

I've seen WPA2 Personal hacked in less than 3 minutes using a PSP and rainbow tables, so unless you plan on running a RADIUS server, I wouldn't worry about it too much - using a password with more than 8 characters including special characters will be enough to deter the average hacker - if you are worried about more than that, WPA2 personal shouldn't be your solution for security....

SoonerAl
MVM
join:2002-07-23
Norman, OK

[Image: Random ASCII key example]
I see this from the Renderlab site talking about WPA...

»www.renderlab.net/projec ··· -tables/
quote:
Ass covering

The fact that we found a way to speed up WPA-PSK cracking does not mean that it is broken. Far from it. The exploit used by coWPAtty and other similar tools is one of dumb passphrases. The minimum number of characters for a WPA-PSK passphrase is 8. The maximum is 63. Very few users actually use more than about 20 characters. As well, they also choose known words and phrases, likely to be in a dictionary. This allows us to leverage a human element in obtaining the key.

To get decent protection from WPA-PSK, you should use a very long, very random, alphanumeric string longer than 20 characters. To protect yourself further, particularly against the WPA-PSK hashtables, you should use a SSID not on the top 1000 list. This will force the attacker to compute their own list, rather than use one of the CoWF tables.

All that said, you should be using WPA2 with a radius server to get more reliable protection.

Given that, I believe the use of WPA2-PSK [AES] with a truly long random ASCII key is safe for the home user without adding a radius server. Personally I use a 63-character random ASCII key like the screen shot to protect my two home WLANs...

Thane_Bitter
Inquire within
Premium Member
join:2005-01-20

Thane_Bitter to twizzler66

said by twizzler66:

I've seen WPA2 Personal hacked in less than 3 minutes using a PSP and rainbow tables,

You of course really mean cracked. WPA2 isn't encryption, it is the name of a document that outlines several different encryption schemes, in short it means the users used TKIP (a flawed bastard child of WEP) or CCMP (AES).

But you have pointed out a real problem with security, PEOPLE!
Most people are too damn lazy to use a reasonably sized, random passkey, and change the SSID to something unique (thus NOT likely to be found in a pre-compiled list). Often they are the same sort of person that also writes their password and other important information on a Post-it note and then leaves it on the desk in plain sight. Uses pet names, nicknames, anniversaries, birthdays, etc. and other socially accessible information to "secure" their lives.

Not much can be done about rainbow tables except by having hardware use random SSIDs out of the box; also, manufacturers could implement forced length and complexity when entering or assigning keys, but this requires coders and testing, and that means less profit.

As for WPS, it is a back door around security; the Wi-Fi Alliance just marketed it as a way to "ease the task of setting up and configuring security on wireless local area networks".

Works both ways, for the consumer AND hacker - nice job Wi-Fi Alliance!
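
Added example, not part of any post in this thread and not Renderlab's code: the advice from SoonerAl and Thane_Bitter rests on WPA/WPA2-Personal deriving its key with PBKDF2-HMAC-SHA1 salted by the SSID, so a precomputed table fits exactly one SSID, and on a random key carrying far more entropy than a short one. The SSIDs and the weak passphrase below are constructed sample values.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal key derivation parameters from IEEE 802.11i.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # 256-bit pairwise master key
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK as WPA2-PSK does: PBKDF2-HMAC-SHA1 salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def generate_passphrase(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG, one independent draw per character."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; does not apply to human-chosen words."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    weak = "sunshine1"
    # Same passphrase, different SSID: the derived keys share nothing, so a
    # table precomputed for one SSID is useless against the other.
    for ssid in ("linksys", "Maple-Attic-7f3c"):
        print(f"{ssid:18} {derive_pmk(weak, ssid).hex()}")
    print(f"8 random chars : {entropy_bits(8):.1f} bits")
    print(f"63 random chars: {entropy_bits(63):.1f} bits")
    print("example key    :", generate_passphrase())
```

The entropy figure only holds for keys drawn uniformly at random, which is why a dictionary word of the same length is far weaker than the number suggests.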