best practices to secure home's network

Unruh wrote in news:diff90$f1q$ snipped-for-privacy@nntp.itservices.ubc.ca:

Is there some Kleenex in the house? I don't want to see you break out in the big whine.

Duane :)

Reply to
Duane Arnold

Yes. With WPA-PSK, the pass phrase is the decryption key. If the attacker can recover the WPA-PSK phrase, he can:

  1. Impersonate an existing user.
  2. Sniff all traffic and recover embarrassing documents and plain text passwords from other users.
  3. Run the recovered WPA key on the capture log and recover the contents in unencrypted form.
  4. Inject spoofed or counterfeit traffic.
  5. Instigate denial of service attacks.
  6. Bypass all the firewall rules (because he's on the LAN side of the firewall).
  7. Provide business for network security consultants.

Note that with WPA-TKIP and WPA-RADIUS, the WPA encryption key is unique per connection. There is no system-wide common pass phrase. Therefore, the attacker would need to recover each key for each user individually. Since this is a temporary key that is rather long, changes often, and changes with each session, the chances of recovering this key are minimal. Even if the key were recovered, it would not be usable for the aforementioned exploits.

You should read the references supplied by John Navas. There's quite a bit in there on how it all works and what can go wrong, go wrong...

Reply to
Jeff Liebermann

Enough already! I read it the first time...

Reply to
Derek Broughton

Assuming that an attacker does guess the WPA passphrase, however long or random it is, what does that get him? Will he then be able to decrypt all traffic to and from all clients on the wireless network?

Reply to
Neill Massello

One more time Navas, one more time, and pow! right in the killfile.

Reply to
Neill Massello

Well, yeah! I'm really getting quite hooked on using my laptop anywhere I feel like it.

Reply to
Derek Broughton
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

I did that in the part you snipped.

I agree. The longer the better.

True, as the material you snipped makes clear.

If you're going to accuse me of starting Internet rumors, at least have the courtesy not to snip relevant materials from my post. ;)

Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Knock yourself out.

Reply to
John Navas

Guilty as charged. I'll put it back.

Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use. (...) The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ...

The way I read this is that the WPA-PSK pass phrase should be longer than 20 characters, but such pass phrases are designated by the author as "too long for entry" and "longer than most people will be willing to use".

With all due respect, this is not exactly what I would call a clear suggestion that over 20 characters is adequate WPA-PSK security and may be safely used. It also makes no mention that only WPA-PSK is vulnerable to such attacks and that other forms of WPA are acceptable. Methinks it would have been better if you clearly specified the limitations and alternatives to WPA-PSK. It's not like this is something totally new as the problem was first identified in Nov 2003.

Reply to
Jeff Liebermann
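The two posts above make the same underlying point: on a WPA-PSK network the pass phrase is stretched into one 256-bit PSK that every client shares, so the only thing standing between an offline dictionary attack and every user's traffic is the entropy of that pass phrase. The following Python is an added example (not code from any poster in this thread) that shows the passphrase-to-PSK mapping the standard defines (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output) and a simple way to check a candidate pass phrase against the 96-bit and 128-bit figures quoted from the standard. The SSID and the sample pass phrases are constructed for the demo; the entropy estimate is an optimistic upper bound, not a measurement of real guessability.

```python
import hashlib
import math
import secrets

# Constants fixed by IEEE 802.11i for the passphrase-to-PSK mapping.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # 256-bit PSK

# Thresholds quoted in the thread from the standard's passphrase discussion.
ADEQUATE_BITS = 96
SUFFICIENT_BITS = 128


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2 passphrase to the 256-bit PSK (PBKDF2-HMAC-SHA1, SSID as salt).

    Every client on a WPA-PSK network ends up holding this same value, which
    is why recovering the passphrase exposes all of them at once.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Optimistic entropy estimate: length * log2(size of the character classes used).

    This is an upper bound. A passphrase built from dictionary words has far
    less real entropy than this figure, which is the point of the quoted warning.
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    if pool == 0:
        return 0.0
    return len(passphrase) * math.log2(pool)


def strength_verdict(passphrase: str) -> str:
    """Classify a passphrase against the 96-bit and 128-bit figures quoted above."""
    bits = passphrase_entropy_bits(passphrase)
    if bits >= SUFFICIENT_BITS:
        return "sufficient"
    if bits >= ADEQUATE_BITS:
        return "adequate"
    return "weak"


def random_psk_hex() -> str:
    """Generate the 64-hex-digit raw PSK the standard allows instead of a passphrase.

    Entering this value directly on the AP and clients skips the passphrase
    derivation entirely, so there is no human-chosen phrase to guess.
    """
    return secrets.token_hex(PSK_LEN)


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    ssid = "HomeNet"  # assumed SSID
    for candidate in ["sunshine", "correct horse battery", "Tr0ub4dor&3xtraLongPhrase!!"]:
        bits = passphrase_entropy_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits -> {strength_verdict(candidate)}")
        print("  PSK:", derive_psk(candidate, ssid).hex())
    print("random raw PSK:", random_psk_hex())
```

Twenty lower-case letters come out at about 94 bits under this optimistic model, which is exactly why the standard's text says 20-character phrases are where attacks start to be deterred; a 64-hex-digit random PSK entered directly removes the dictionary question altogether.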

Nor will "2. Disable Identifier Broadcasting". Unfortunately, these kinds of superstitions about wireless security are also propagated by the leading vendor of consumer hardware. From "Appendix B: Wireless Security" in the User Guide for the Linksys WRT54GS:

"The following is a complete list of security precautions to take (at least steps 1 through 5 should be followed):
  1. Change the default SSID.
  2. Disable SSID Broadcast.
  3. Change the default password for the Administrator account.
  4. Enable MAC Address Filtering.
  5. Change the SSID periodically.
  6. Use the highest encryption algorithm possible.
  7. Change the WEP encryption keys periodically."

Four placebos listed ahead of and designated as more essential than the real thing.

Reply to
Neill Massello

The answer to my question was in the WiFi Net News article :

"Thus even though each unicast pairing in the ESS has unique keys (PTK) there is nothing private about these keys to any other device in the ESS."

"Anyone with knowledge of the PSK can determine any PTK in the ESS through passive sniffing of the wireless network, listening for those all-important key exchange data frames."

Reply to
Neill Massello

You can use OpenVPN (available for Windows, Linux, Mac, Solaris, ...) as a logical AP, leaving WiFi as just the low link-layer connection. OpenVPN offers much more secure protection than the conventional WiFi ones (WEP, WPA, ...), even public key cryptography if needed.

Reply to
enrique
