WPA real life security ?

Hi!

This is my first post about WLAN and I'm not sure if this is the correct group. Is it ?

OK, to the topic: A guy claims that "any kid, who masters linux, can crack WEP and WPA" (translated by me to English).

I know WEP can be cracked in minutes, but WPA ? If WPA-PSK is used, with a non-trivial passphrase, can it be easily cracked ? In real life, not in theory ?

AFAIK, WPA-PSK with a good pass provides very good security, so that guy's claim confuses me :-)

Regards, David Balazic

david.balazic
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

You are correct. That guy is misinformed.

John Navas

Incorrect. No need to master linux.

Just download a live CD with all the tools pre-loaded and follow the online tutorial.

No

Ask him to point a linux master at your network and see how they get on...

David Taylor

You mean:
- he can crack it in his lifetime, or
- he could crack it in 100 billion years, if he lived that long?

Later he also said interesting things like:
- by hammering udp port 27xxx on some LinkSys systems with older firmware, they would eventually "crack" and send out all the settings and codes !??
- it is supposedly possible to get on the WLAN for a second, before the AP "notices" that you don't belong there, and in that short time you "can get in"

(I think he talks mostly about firmware bugs, but that does not mean it shouldn't be taken seriously)

Regards, David

david.balazic

Because WPA-PSK has some weaknesses, you should follow these guidelines to be truly secure:

a. Pick your key carefully: Don't use words that can be found in the dictionary or common names, even if you change O's to zeroes, and I's to ones. Try to use a combination of nonsense sounds, digits and punctuation.
b. Make sure your key is at least 20 characters long (not including blank space).
c. If you give anyone else access to your wireless network, change your key after they are gone. The key you gave them stays on their computer - and could be retrieved by a hacker.
d. To be as safe as possible, change your key every few months.
e. Enable AES encryption if your equipment supports it. TKIP encryption does not provide as strong protection from eavesdroppers.

tim

How long can the key be? I just checked and at the moment mine's 62 characters long.

I make my keys by opening up a text editor and more or less randomly banging on the keyboard, making sure to hit the shift key from time to time and to get some special characters thrown in too.

Bert Hyman

That's overkill. If you're going to use random characters, 12 is sufficient. With more than 20 characters, actual words are safe to use.

TKIP is not encryption -- it's Temporal Key Integrity Protocol. Standard WPA encryption is by 128-bit RC4, which is still considered quite secure.

John Navas

That's almost the max. (Not all implementations can be that long.)

With random characters, 12 are sufficient.

I use the password generator in Password Safe, which is highly regarded.

John Navas

Well, it's only logic: make sure it's at least 20 characters long, so you make a key anything from 20 to the exceeding number if you wish. But it's suggesting just do one with 20, and if you want to do a different one make sure it starts from 20 characters long.

tim

From what I've seen, the maximum is 63 characters. I suppose the minimum length would be 0 but I suspect most people would go for the max.

johnny

But does the standard specify a maximum length? A minimum length?

Bert Hyman

I seriously doubt that. Most people use short passwords, and going much longer than 20 characters doesn't add much if anything to security.

John Navas

[snip]

If you're not using words/phrases as your key, just a sequence of random letters and numbers, then more than 20 characters will greatly increase key strength, surely?

__spc__

More characters will indeed increase key strength, but diminishing returns set in.

John Navas
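
Added example, not part of any post in this thread: a Python sketch of how a WPA-PSK passphrase becomes the 256-bit key (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, as IEEE 802.11i specifies) and why length stops paying off once a random passphrase carries more entropy than that key can hold. The function names are my own, and the entropy figures assume every character is drawn uniformly at random from the 95 printable ASCII characters, which words and keyboard-banging are not.

```python
import hashlib
import math

MIN_LEN, MAX_LEN = 8, 63   # passphrase length limits in IEEE 802.11i
ALPHABET = 95              # printable ASCII, codes 32..126 (assumed uniform choice)
PSK_BITS = 256             # size of the key derived from the passphrase


def check_passphrase(passphrase: str) -> None:
    """Reject passphrases outside the 8..63 printable-ASCII range."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK; the SSID acts as the salt."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def random_bits(length: int) -> float:
    """Entropy of `length` uniformly random printable-ASCII characters."""
    return length * math.log2(ALPHABET)


def effective_bits(length: int) -> float:
    """Entropy that survives derivation: capped by the 256-bit key."""
    return min(random_bits(length), PSK_BITS)


def saturation_length() -> int:
    """Shortest random passphrase whose entropy reaches the key size."""
    return math.ceil(PSK_BITS / math.log2(ALPHABET))


if __name__ == "__main__":
    # Passphrase and SSID below are the published 802.11i test vector.
    print("PSK:", derive_psk("password", "IEEE").hex())
    for n in (8, 12, 20, saturation_length(), 62, 63):
        print(f"{n:2d} random chars: {random_bits(n):6.1f} bits raw, "
              f"{effective_bits(n):6.1f} bits effective")
```

Because the SSID is the salt, the same passphrase on a differently named network yields a different key.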
