ALERT: WPA isn't necessarily secure

SUMMARY:

WPA-PSK is vulnerable to offline attack.

TO AVOID THE PROBLEM:

USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS.

Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean" (pick your own words, even longer is better)

FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.

BACKGROUND:

Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz, Senior Technical Director, ICSA Labs, a division of TruSecure Corp

... The offline PSK dictionary attack ... Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.

...

Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ...

...

Summary

...

Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers.

See also: Passphrase Flaw Exposed in WPA Wireless Security

Wi-Fi Protected Access. Security in pre-shared key mode

Cracking Wi-Fi Protected Access (WPA)

WPA Cracker

John Navas

There's some discussion here, and a pretty cool password generator:

I know that not everyone loves GRC, but I run a Mac anyway, so I don't care, and my router has all my ports stealthed.

Warren Oates

On Mon, 16 Oct 2006 17:13:54 -0400, Warren Oates wrote:

Count me among them -- Steve Gibson (aka GRC) is a shameless snake oil salesman with no real expertise in security, and the password generator on the GRC site is of dubious quality and value.

Use Password Safe instead, created by noted cryptographer Bruce Schneier, and subjected to open source scrutiny.

John Navas

Looks good, but it's a Windows program. I've got XP running in a VM, but I really hate it.

Warren Oates

Here are a couple of Mac utilities.

Neill Massello

On Mon, 16 Oct 2006 19:37:39 -0600, snipped-for-privacy@newsguy.com (Neill Massello) wrote:

Are they open source, peer reviewed, and/or independently certified? Apparently not, so you'd be taking a big risk.

John Navas

On Mon, 16 Oct 2006 19:28:41 -0400, Warren Oates wrote:

A good easy way to generate truly strong passwords (or passphrases) for any platform is Diceware.

John Navas
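
Added example, not written by any poster in this thread: a Python calculation of how many Diceware words it takes to reach the 96-bit and 128-bit levels quoted in the first post, plus generation of the 64-hex-digit random PSK mentioned there. It assumes the 7776-word Diceware list size and WPA's 8 to 63 character passphrase limit; the function names are hypothetical, and a CSPRNG stands in for physical dice.

```python
import math
import secrets

# Assumption of this example: words come from a Diceware-style list,
# where five dice rolls select one of 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5
WPA_MIN_CHARS, WPA_MAX_CHARS = 8, 63  # WPA passphrase length limits


def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def random_hex_psk(bits=256):
    """Random PSK as hex digits; 256 bits gives the 64-digit form."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_hex(bits // 8)


def random_passphrase(wordlist, target_bits):
    """Draw enough words (CSPRNG, not dice) to reach target_bits."""
    words = sorted(set(wordlist))
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    count = words_needed(target_bits, len(words))
    phrase = " ".join(secrets.choice(words) for _ in range(count))
    if not WPA_MIN_CHARS <= len(phrase) <= WPA_MAX_CHARS:
        raise ValueError(f"{count} words give {len(phrase)} characters; "
                         "outside the 8-63 range, use a hex PSK instead")
    return phrase


if __name__ == "__main__":
    for target in (96, 128):
        n = words_needed(target)
        print(f"{target} bits: {n} words ({passphrase_bits(n):.1f} bits)")
    print("256-bit PSK:", random_hex_psk())
    # Constructed four-word list, far too small for real use.
    demo_list = ["amber", "copper", "delta", "fjord"]
    print("demo only:", random_passphrase(demo_list, 16))
```

Seven Diceware words fall short of 96 bits and eight clear it; ten are needed for 128 bits, and depending on word lengths that can run past 63 characters, which is where the hex form is the practical choice.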

Thanks, John, looks interesting.

Warren Oates

The upside is that you usually only need to type a wifi password once per client machine. That fact alone means that the network key will be unlikely to ride around in the heads of your users. That's not a surefire way to prevent them from letting others on the network, but every little bit helps. It is also much easier to do the handwave for new clients by saying "It's really complicated and I'll only have to do this once. Just let me see your laptop for a second."

That domain is parked. I'd like to look at such a tool if you have another link.

mandtprice

snipped-for-privacy@gmail.com hath wroth:

CoWPAtty 4.0:


Jeff Liebermann
