ALERT: WPA-TKIP isn't secure - use WPA2 instead

On Sat, 10 Oct 2009 01:04:43 +0100, Mark McIntyre wrote in :

So the keys are still there on all client systems, and thus insecure.

John Navas

On Sat, 10 Oct 2009 08:44:57 -0400, Warren Oates wrote in :

Most (all?) security experts would strongly disagree. It's one of the most common methods of compromise.

John Navas

On Sat, 10 Oct 2009 09:41:00 -0400, Christopher A. Lee wrote in :

I respectfully disagree. If passwords aren't changed regularly, then compromise is much more likely. Better to get rid of passwords altogether, and use some better means of authentication. That's assuming security is at all important. ;)

John Navas

Why exactly, and "because everyone does it" is not an answer, nor is "recommended by security experts". I need a logical explanation for why "compromise is much more likely". Now I can understand one time passwords increase security, but if someone really wants to crack my password, changing it on a monthly basis will not really make it that much more difficult, they have a *month* to crack it. I choose different random character passwords for each site and store them in an encrypted file. One of my pet peeves is that most sites don't tell you what the valid characters are for passwords.

Jerry

Jerry Peters

For WPA, it's in IEEE Std. 802.11i-2004, Annex H.4.1

- A pass-phrase is a sequence of between 8 and 63 ASCII-encoded characters. The limit of 63 comes from the desire to distinguish between a pass-phrase and a PSK displayed as 64 hexadecimal characters.
- Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal), inclusive.

See an ASCII table at:

for what ASCII 32 to 126 allows. One catch. There are a few WPA clients that can't seem to deal with some symbols. I've blundered into problems with $ @ & and \\ on various routers, but not at the same time. It also seems to change with firmware version. My guess is that it seems to have something to do with HTML encoding.

Incidentally, it also offers: A pass-phrase typically has about 2.5 bits of security per character, so the pass-phrase mapping converts an n octet password into a key with about 2.5n + 12 bits of security. Hence, it provides a relatively low level of security, with keys generated from short passwords subject to dictionary attack. Use of the key hash is recommended only where it is impractical to make use of a stronger form of user authentication. A key generated from a pass-phrase of less than about 20 characters is unlikely to deter attacks.

Methinks that's where the 20 character min WPA key came from.

Jeff Liebermann
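
The Annex H.4.1 rules quoted in the post above, as an added Python illustration that is not part of the original thread: it checks a pass-phrase against the 8 to 63 character and ASCII 32 to 126 limits, flags the symbols the post reports trouble with, applies the quoted 2.5n + 12 estimate, and derives the PSK. The PBKDF2 parameters (HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output) are the standard's pass-phrase mapping; the function names are made up for this example.

```python
import hashlib
import string

# Symbols the post above reports some clients/routers mishandling (anecdotal).
TROUBLE_CHARS = set("$@&\\")

def check_passphrase(passphrase: str) -> list:
    """Return the Annex H.4.1 violations for a pass-phrase (empty list = valid)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append(f"length {len(passphrase)} is outside 8..63")
    bad = sorted({c for c in passphrase if not 32 <= ord(c) <= 126})
    if bad:
        problems.append(f"characters outside ASCII 32..126: {bad!r}")
    return problems

def compat_warnings(passphrase: str) -> list:
    """Valid characters that may still fail on some devices, per the post."""
    return sorted(set(passphrase) & TROUBLE_CHARS)

def estimated_bits(passphrase: str) -> float:
    """The 2.5n + 12 estimate quoted from the standard (typical pass-phrases)."""
    return 2.5 * len(passphrase) + 12

def looks_like_raw_psk(value: str) -> bool:
    """64 hex digits is a raw PSK, which is why pass-phrases stop at 63."""
    return len(value) == 64 and all(c in string.hexdigits for c in value)

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a valid pass-phrase and SSID to the 256-bit PSK."""
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for phrase in ("short", "correct horse battery $taple", "caf\u00e9 au lait 1234"):
        print(repr(phrase), check_passphrase(phrase), compat_warnings(phrase),
              f"~{estimated_bits(phrase):.0f} bits")
    print(derive_psk("password", "IEEE").hex())
```

Because the SSID is the salt, the same pass-phrase yields a different PSK on every network name, so a precomputed dictionary only helps against the SSID it was built for.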

On Sun, 11 Oct 2009 21:13:19 +0000 (UTC), Jerry Peters wrote in :

People tend to use the same password for more than one thing, and when one gets compromised, all are compromised, and the longer that compromised password is in use, the more likely the compromise. The better systems for regular changing prevent people from reusing passwords.

Actually a variable amount of time, 1/2 month on average. But the real issue is that they may well have much longer than that -- I've got a friend that's been using the same password for pretty much everything for several years.

If you choose them, then they aren't random. To ensure randomness, use a good generator.

How good is the encryption? There are many encryption systems with serious failings, WEP being a classic case in point.

I personally use Password Safe, free open source software created by noted cryptographer Bruce Schneier, where the encryption has been subjected to serious peer review.

I don't see that as a serious issue. I have the generator in Password Safe configured to generate easy to use passwords that are usable in any system. To (over)compensate for the somewhat lower character entropy of not using all possible characters (just dissimilar upper and lower letters and numeric digits), I use longer (12 random characters) passwords.

John Navas

At one company I worked at we had 3 or 4 different logins; most people very carefully synchronized password expirations so that all passwords were the same. Especially true when some of the passwords are not used everyday, BTW.

That's why I use different passwords for each site, and also why I need to store them.

Yep, haven't changed the password on *my* machines in more than a decade, why would I?

The point is that they aren't words in a dictionary, they aren't anything related to me like birthday, phone number, licence plate number, pet names, etc.

Program called keepass. Should be good enough for my purposes.

But what happens if your randomizer generates all alpha characters and the site requires at least 2 numerics? It gets especially frustrating with poorly coded web-sites that lose all or part of the already entered info.

Jerry

Jerry Peters
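
The two posts above discuss generating 12-character passwords from dissimilar letters and digits, and what to do when a site demands at least 2 numerics. The following Python sketch is an added example, not code from Password Safe or KeePass: the look-alike set and function names are assumptions, and the requirement is met by rejection sampling so every acceptable password stays equally likely.

```python
import math
import secrets
import string

LOOKALIKES = set("0O1lI")   # assumed set of easily confused glyphs
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in LOOKALIKES)
PRINTABLE = 95              # size of the full ASCII 32..126 set

def bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string."""
    return length * math.log2(alphabet_size)

def length_to_match(full_length: int) -> int:
    """Shortest reduced-alphabet length with at least the entropy of
    full_length characters drawn from all 95 printable ASCII characters."""
    return math.ceil(bits(full_length, PRINTABLE) / math.log2(len(ALPHABET)))

def generate(length: int = 12, min_digits: int = 0, min_upper: int = 0,
             min_lower: int = 0, max_tries: int = 10_000) -> str:
    """Draw whole candidates from a CSPRNG and discard those that miss the
    site's rules; patching digits into fixed positions would bias the result."""
    if min_digits + min_upper + min_lower > length:
        raise ValueError("requirements cannot fit in the requested length")
    for _ in range(max_tries):
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (sum(c.isdigit() for c in pw) >= min_digits
                and sum(c.isupper() for c in pw) >= min_upper
                and sum(c.islower() for c in pw) >= min_lower):
            return pw
    raise RuntimeError("no candidate satisfied the policy")

if __name__ == "__main__":
    print(len(ALPHABET), "symbols,", f"{bits(12, len(ALPHABET)):.1f} bits at 12 chars")
    print("12 full-set chars:", f"{bits(12, PRINTABLE):.1f} bits")
    print("reduced length matching 10 full-set chars:", length_to_match(10))
    print(generate(12, min_digits=2))
```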

I was thinking more about various and sundry web sites for which I need a password. Unless the username is your email address they also rarely tell you the requirements for it, until you try to use a character like an underscore and get an error message. A really bad web site clears all of your entered data when it produces an error message too.

My WPA key is somewhere around 60 characters long, produced by random typing on the keyboard, then editing the result by changing some character to upper case & replacing others by special characters. If I need it, it's in a file & I can copy & paste it as needed.

Jerry

Jerry Peters

Mainly, IMHO, because the longer a password remains unchanged, the more chance there is of more than one person knowing it (think shared accounts, people going on holiday and telling a workmate, support staff getting told to help solve a problem), not to mention someone observing it being typed.

I came across a site recently that _required_ /two/ non-alphanumeric characters. I ask you. These morons have clearly never heard of non-US keyboards.

Mark McIntyre

Security and convenience are at opposite ends of a sliding scale. The more secure a system is the less convenient it is to use and vice versa. For most people the goal is to strike a balance somewhere in the middle. Of course, good algorithms and good design are needed for predictable results.

- Nate

Nate Bargmann

On Wed, 14 Oct 2009 10:29:58 +0000 (UTC), Nate Bargmann wrote in :

Authentication systems exist that are both secure and convenient.

Case in point is the fingerprint reader, secure chip and ThinkVantage Client Security Solution on certain ThinkPad notebook/laptop computers.

Other good systems may be based on two-factor authentication and/or security tokens.

John Navas

Nope. Security and simplicity are at opposite ends of the spectrum. Convenience does not necessarily mean simplicity.

A really secure system tends to be complexicated, but that can be hidden under convenience devices, dongles, card readers, and procedures. For example, a good OTP (one time password) device, which displays a fairly simple numeric key, which is good for only 60 seconds, hides a substantial amount of complexity under the surface, and are very easy to use:

From a bit of experience, methinks the real problem with the hidden complexity is that there invariably needs to be a back door for when the user forgets their OTP device. That tends to be no better than the password only system. The best I can do is make sure that the back door only works on the protected console, and not remotely. As always, security is only as good as its weakest link.

One large medical office (former customer) that I worked with started with about 25 S-Key OTP generators. About 3 years later, almost all of them have been either misplaced, lost, accidentally destroyed, or mutilated beyond usability. Most doctors just leave them in their desk drawer or stuffed into their computahs and/or have a duplicate for use at home or on the road. So much for security.

That sounds good, but I'm not so sure. I have customers that don't seem to realize that a security breach will literally put them out of business. However, until they have a rude awakening, their security practices are almost totally based upon their convenience. Post-it notes with passwords inscribed are epidemic. When I try to get away from that, they don't want to spend the time, money, or effort necessary. The only ones with a clue are the medical offices, which have HIPAA to contend with.

Yep. Of course my question is "how good" do they need to be? Also, what do you mean by "predictable"? I've seen incredibly insecure and sloppy systems work for fairly long periods of time. Eventually, someone publishes a really lame exploit leaving the experts to wonder how it could have survived like that for so long. Security is very difficult to predict.

Jeff Liebermann

On Wed, 14 Oct 2009 08:45:08 -0700, Jeff Liebermann wrote in :

Many (most?) exploits are not even detected, and of those that are, many (most?) are covered up, so you can't reach a valid conclusion on that basis. Serious studies have concluded that the real size of the problem is vastly bigger than what gets reported.

John Navas
