WPA vs WEP?

I know that WPA is more secure.

However, I have an old Intel card on a laptop that doesn't support WPA. My daughter is coming to live with me and she has a 3 - 4 year old Thinkpad that has wireless built in - I'm concerned that it too wont support WPA. I know that her laptop only supports wireless B.

I know that I could purchase a new PMCIA card to replace my old Intel card. But then, it might also be necessary to purchase one for her Thinkpad. This could get expensive and complicated.

I have everything else nailed down - SSID, MAC addresses limited etc. What is the real risk of just going with 128 WEP? I'm not using file and printer sharing. My desktop (the only machine I'm really concerned about), is wired to the router.

Thanks for your thoughts on this.

Louise

Reply to
louise
Loading thread data ...

WEP can be cracked in a matter of minutes if you're lucky, if not, a little longer.

Avoiding the MAC address filter is even easier, it requires that just one packet be sniffed and spoofed and you can't encrypt that so that's a no brainer to defeat.

SSID broadcast is easier still, just run kismet or a similar tool and it'll be there.

David.

Reply to
David Taylor
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

It is *if* (and only if) you set a secure pass phrase.

Strongly suggest replacement with a card that does, which isn't terribly expensive. Windows XP SP2 (which should run just fine on that old ThinkPad, as it does on mine) supports WPA.

Those things won't really help.

Real and substantial.

Reply to
John Navas

On Fri, 03 Mar 2006 09:39:42 GMT, David Taylor blurted:

This statement pops up over & over again, and it is simply untrue. Yes, in a lab or class, it's possible to crack a WEP key if it's short enough; but in the wild, with a reasonably complex secret (16 characters or so) it is extremely hard/time-consuming to do this. So hard, in fact, that WEP is very reasonable security for home use - unless you send nuclar launch codes to your mother-in-law.

This canard about cracking any WEP key in minutes is the kind of scare-mongering that makes the profession of infosec much harder than it has to be, yet it continues to be passed along as *fact* by people who have taken a two day elite wireless hacking course. Give them two laptops and an unknown WEP protected network and they'll sit there for hours or days (if they're persistant) before they admit that cracking WEP is just a tad harder than it looks.

My $.02 Tom

Spamming this account signifies your unqualified consent to a free security audit

Reply to
spammersarevermin

Sorry, you're wrong, this is WEP we're talking about not WPA, there is no such thing as a stronger WEP key simply due to a passphrase length because...there's really no such thing as a passphrase! All those passphrase generators do is create the appropriate number of digits to enter into the key field.

More wrong information. My quickest so far is 7 minutes 55 seconds. A colleague captured data from a US airline terminal and then got the key while on the plane.

WEP is weak, *can* be cracked in minutes (not guaranteed but can) there is no further discussion necessary. If you're not sure about this then you need to read (and try) more.

Is it still suitable for home? Sure, it'll stop those casually connecting, it'll deter those that are intent on snooping, it won't deter those who are next door (or in range) and have nothing better to do than try. They have all the time in the world and usually the age range associated with that time.

David.

Reply to
David Taylor

As with all such debates, both sides are wrong and right. WEP /is/ weak and can be cracked relatively easily due to how the algo works and how the data is transmitted. However its still the case that in practice someone would have to sit outside your house for quite a while. This is because they need /traffic/ to crack the key. 99% of the time, a home PC isn't generating traffic. This is very different to a commercial pc such as at an airline desk, where a whole bunch of PCs using the same code, are all continually in use generating buckets of data.

See above

Well, actually there is. Sure, its weak. I'd never recommend it if you have an alternative. But its better than nothing. Without WEP, you are an open door. With it, onlly someone determined will bother.

I completely agree. Mark McIntyre

Reply to
Mark McIntyre

Yes and no :) Yes it requires a PC to be associated, so then send deauth, capture the arp and do an arp injection. Doesn't take long and as I said, I don't see the threat from the person parked outside but rather the bored teenager with nothing better to do that can do it from their bedroom. They have plenty of time.

But that home PC only has to be associated and then deauth'd.

Anyway, the precise detail is irrelevant. We agree on the usage so no point arguing. :)

I just dislike the posts that discuss "stronger" WEP keys - no such thing so, moving swifly on...

David.

Reply to
David Taylor

On Sun, 05 Mar 2006 07:03:29 GMT, David Taylor blurted:

Like I said, FUD. I'm not going to waste my time arguing this with you. It's too bad you can't come by and try to crack my WEP setup. That's WEP. You won't be able to do it. Guaranteed.

Best, Tom

Spamming this account signifies your unqualified consent to a free security audit

Reply to
spammersarevermin

Foolish words... Mark McIntyre

Reply to
Mark McIntyre

Then lets not argue, instead how about you offer up to the newsgroup (and beyond) how your WEP set up is uncrackable... you have offered a guarantee remember.

David.

Reply to
David Taylor
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

It's actually easy for a cracker to force enough traffic to crack the key.

Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Want to bet? How much?

Reply to
John Navas

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.