Forgot your password?
typodupeerror
Wireless Networking Hardware

New Wireless Security Standard Has Old Problem? 249

Posted by simoniker
from the it's-always-something dept.
eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."
This discussion has been archived. No new comments can be posted.

New Wireless Security Standard Has Old Problem?

Comments Filter:
  • Oh, thanks. (Score:5, Funny)

    by Anonymous Coward on Wednesday November 05, 2003 @08:53PM (#7402630)
    Way to tell everybody my password.

    Man, now I have to change it.
    • by interiot (50685)
      One! (one)
      Two! (two)
      Three! (three)
      Four! (four)

      Five! (five)

      That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage.

    • Change it to:

      "Now I Have Fleas" dohh! sorry if I gave out your new password....
  • My Dog Has Fleas? (Score:5, Interesting)

    by Trillan (597339) on Wednesday November 05, 2003 @08:53PM (#7402631) Homepage Journal

    My Dog Has Fleas is a positively fantasic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

    Or, of course, the infamous "password."

    • by Tumbleweed (3706) on Wednesday November 05, 2003 @08:55PM (#7402651)
      Yeah, but what if your does doesn't HAVE fleas? Or if you don't even have a dog? Then your security is based on nothing but LIES! And how secure can THAT be? Think before you ask these questions, Mitch.
    • What is this infamous "password?"

      Everyone's always talking about it, but noone will ever tell me!

    • I think this problem is present in *any* system that relies on user passwords. according to the article, each character in a password is equivalent to about 2.5 "bits" of encryption (since you can't use the entire ascii bitspace and some words/letters are more common, etc). this is a higher number than I saw referenced in one of bruce schneier's books (he said 1.3 bits of entropy per char I think.).

      so, if your 128 bit or 256 bit or bit security system is ultimately based from a human-rememberable (and thu
    • Re:My Dog Has Fleas? (Score:4, Interesting)

      by IM6100 (692796) <elben@mentar.org> on Wednesday November 05, 2003 @09:24PM (#7402868)
      Something that amused me recently was when I installed IRIX on a cool SGI box I bought at auction.

      It refused to let me use a password longer than 8 characters.

      I am talking about a release of IRIX that was pressed to CD in the year 2002.
      • Re:My Dog Has Fleas? (Score:3, Interesting)

        by Trillan (597339)

        Similiar problem with a Windows 2000 server using Services for Macintosh. Microsoft uses an old authentication model which doesn't support long passwords... unless you install Microsoft's client-side authentication model, which is too buggy to use (i.e. authentication windows pop up BELOW everything else).

        • Re:My Dog Has Fleas? (Score:3, Interesting)

          by weileong (241069)
          default Solaris8 won't take more than 8, either. neither will the older versions of MacOS X (Puma, Jaguar. Panther has this fixed, though).

          • when I read buried way down in the Solaris 9 12/02 release notes that they'd be FINALLY supporting md5 password crypts.

            And in typical Sun style, they created a new plugin architecture to support it. There are all of two useful plugins (the standard crypt is built into libc)... ::eye roll::
    • by stefanlasiewski (63134) * <slashdot@@@stefanco...com> on Wednesday November 05, 2003 @09:25PM (#7402882) Homepage Journal
      My Dog Has Fleas is a positively fantasic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

      Well, not really.

      Using your child's name for a password is a million times more secure then posting it on Slashdot :)

      And with the Slasdot crowd, maybe someone really does have a kid named "j3Nn!f3r". What could be more secure then that? It's so secure that those poor kindergarteners can't even pronounce it!!!
      • 6cea e4ca 6713 721c 4cbf 71a4 e1aa 8972 0a03 f9d0 47a9 8f3c 9ead 8fb4 35d9 38c0 0406 1f02 0c46 878f 42f8 5ec1 77c5 1a99 f64b 5ad3 bb82 2c93 7870 a725 ba29 dd2b c470 0e70 3bf4 9c50 01a3 31cd c717 0b68 afe0 d479 62b2 46c0 a0c6 af61 c8e0 1915 01f4 8df8 be64 7401 4ed7 1459 766c d888 e772 f41b b310 e958 ebf6 87a1 c0e7 7a60 99d1 38ff d009 4c65 7a5f dbb0 f347 7a65 1f34 254c 8167 d103 4e34 9fc7 c97b 9ac0 0575 12a5 4f0d 9c87 5015 a647 ab9d 0ff6 f940 c1e7 1699 bfef 9827 b19f 9bc9 8391 3985 ed5e 275d f2c0 d3cd d489 13
    • by jamesh (87723) on Wednesday November 05, 2003 @09:30PM (#7402915)
      'My Dog Has Fleas' is indeed fantastic. I'm changing all my passwords to that right now. I encourage you all to do the same.
    • by Chops (168851) on Wednesday November 05, 2003 @10:57PM (#7403484)
      Once I noticed that an acquaintance of mine's Win2k machine had no password on the "Administrator" account. I began to lecture him on the dangers of SMB, C$, and such, and the fact that his machine was basically freely usable by anyone who had (a) the internet and (b) some semblance of clue and maliciousness.

      He laughed and said, "Yeah, but who would think that the administrator account wouldn't have a password?"

      I gave up and said no more.
      • He laughed and said, "Yeah, but who would think that the administrator account wouldn't have a password?"

        Maybe it sets off alarm bells if you type it in wrong the first time...

        -a
    • how about: love, god or sex? sound pretty secure to me!
  • by Dancin_Santa (265275) <DancinSanta@gmail.com> on Wednesday November 05, 2003 @08:55PM (#7402654) Journal
    If all it took were a dictionary attack to sniff a password, at least it took that much.

    This isn't some simple passthrough that can be gotten through by knowing a couple backdoor passwords, it's a real live algorithm.

    But in the end, it's up to the user to enter a password and as long as humans remain humans easy to remember passwords will always be chosen over #HrS2sWmNw/()LggDwMn.
    • yeah, but #HrS2sWmNw/()LggDwMn.
      is easier to crack than
      "I bought 2 bags of frozen peas at the store"
      which is much easier to remember
      • actually, your passphrase has much lower entropy than your random password. assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits. now consider the deterministic ordering of words in an english sentence, and you knock off a few more bits.

        but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per charact
        • by Anonymous Coward
          Where are you getting this stuff?!?

          assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits.

          10,000^10 ~ (2^13.3)^10 = 2^133 = 133 bits of encryption.

          but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per character. now 72^20 is a lot. that's about 26 bits.

          66 possibilities * 20 chars ~ (2^6)^20 = 2^1
    • In general, if someone has the ability to run a dictionary attack on a password, it's as good as giving them access. From personal experience as a sysadmin, 65%-75%(1) of all passwords can be found by a dictionary attack.

      (1) From running dictionary attacks against three sets of passwords.
      Computer science students: 75%
      Public forum #1: 65%
      Public forum #2: 75%
  • At least use WEP! (Score:5, Insightful)

    by jolyonr (560227) on Wednesday November 05, 2003 @08:56PM (#7402658) Homepage
    It doesn't matter how easy to break a new system is, it's better than having no security.

    I recently took my laptop on a trip across Toronto and in a couple of hours spotted around 60 wireless networks. Around 80% had NO encryption enabled at all. And yes, the most common SSIDs are 'default' and 'linksys'.

    So make a system more complex and people won't use it - which defeats the whole object of it.

    Jolyon
    • by Xerithane (13482)
      I recently took my laptop on a trip across Toronto and in a couple of hours spotted around 60 wireless networks. Around 80% had NO encryption enabled at all. And yes, the most common SSIDs are 'default' and 'linksys'.


      How many of those were open intentionally? Probably quite a few. I don't leave the default SSID on, just so they can get an idea where they are connecting to, but I leave my access point open. It's on a different network segment, and I figure if someone has an 802.11 card I'll help out wi
      • ...promote terrorism!

        Seriously though, is there any reprecussion if some stranger comes up, enters your WAP, and downloads kiddie porn or *gasp* illegal mp3's?

        -Eyston
        • as long as it is downloaded to their machine and not mine it is not my problem....honestly, and I am NOT ADVOCATING KIDDIE PORN, but is viewing it illegal or just producing it, selling or commercially distributing ?
      • by mcrbids (148650)
        I leave my access point open. It's on a different network segment, and I figure if someone has an 802.11 card I'll help out with their bandwidth. If it ever becomes a problem on my bandwidth, I'll just regulate that segment.

        A classic case of altruism meets real-world. Contributing your bandwidth is all fine and dandy until some jerk uses it to send bomb threats to the president. Or send all kinds of incriminating pseudo-spam that makes you look very bad.

        Perhaps a picture of some guy's backside [goatse.cx] with the w
        • by Xerithane (13482)
          And, looking at the email headers shows that it did, in fact, come from YOUR network segment...

          First, it's not anything related to nerdfarm. Second, what makes you think I don't have any security in place on top of that? Such as filtering port 25, and only allowing ssh and http, https?

          It's not altruism, it's just not being a dick.
      • I do that, too (hi neighbors who are sniffing my packets!), but I worry that my laptop is behind my firewall and that it's open to hacking... I really want a hardware firewall, but it wouldn't be feasible to sticking it on with doublesided tape to the back of my screen - kinda defeats the whole portability benefit.
        • Re:At least use WEP! (Score:3, Interesting)

          by Malor (3658)
          I f you have a Linux firewall, just add another network card and move the wireless traffic off onto its own segment. Tunnel the laptop to either the firewall or a desktop machine behind it; one easy way is by running squid on a Linux box, connecting to it with SSH, and routing local port 3128 to remote port 3128. Then configure IE to use 127.0.0.1:3128 as your proxy port. Disallow all traffic except SSH to your LInux server, make sure you run a firewall on your laptop, and disallow wireless administratio
    • Re:At least use WEP! (Score:5, Informative)

      by WuphonsReach (684551) on Wednesday November 05, 2003 @09:48PM (#7403028)
      We don't use WEP on our wireless net at the office. Too often, the interaction between the card and the access-point doesn't work well if WEP is enabled (different vendors for the two products).

      Instead, we've segregated all of the WAPs onto a dead-end network where the users have to VPN into our LAN through a border server. (Basically treating them as if they were outside the office and coming in from an external ISP.)

      Works pretty well, other then having to remember to VPN into the network. The traffic ends up encrypted (inside of the VPN tunnel), so it's not possible to sniff passwords.
    • by Rascasse (719300)
      Here in the cafes in Toronto where I use my iBook, WEP isn't enabled on the pay-as-you-go wireless Internet services. But that doesn't mean I'm vulnerable. I setup my Linux box at home to act as a VPN gateway and the first thing I do after connecting to the hotspot is connect to my VPN and do my Internet surfing indirectly from home.
    • Re:At least use WEP! (Score:2, Interesting)

      by Anonymous Coward
      I liken WEP to the Club. It's a deterrent. Most casual thiefs can defeat the Club. But why should they bother when 95% of cars don't have them? (Unless the car is a Lexus, but that's beside the point.)

      Most people who are just out casually wardriving are going to drive right by a locked network and hit one of the other 15 that are open.

      And if your firmware allows it...
      • Turn of SSID broadcasting (I have read some articles that say not to do this, but I've yet to find a good reason not to. But if shutt
    • Re:At least use WEP! (Score:3, Interesting)

      by j h woodyatt (13108)
      "At least use WEP?"

      That's not really great advice. If you can use WPA w/EAPOL, then use WPA w/EAPOL. If you can't be bothered to run an authorization server (or you don't know what that is), then use WPA w/PSK (pre-shared key).

      Robert Moskowitz is telling us that securing a network with a poorly-chosen shared secret is a bad idea, because dictionary attacks are easy to mount. If your WEP key is an ASCII string of characters spelling out the word "PEANUT" then you're just as vulnerable (if not more) than
  • by mackman (19286) on Wednesday November 05, 2003 @08:57PM (#7402663)
    The important thing here is that this allows for actual security for users smart enough to use good passwords. Even in hex users can enter dumb passwords ("AA AA AA AA AA...").
  • Big deal (Score:5, Informative)

    by WolfWithoutAClause (162946) on Wednesday November 05, 2003 @08:59PM (#7402677) Homepage
    Just about any protocol allows dictionary attacks. Whilst some techniques, like salt, help, ultimately they make the problem for the bad guys only slightly harder.

    Only long passwords and encouraging the users to use good quality passwords/phrases really helps.

    Ultimately though, these passphrases are flawed anyway- they are a form of shared password. History has shown this to be a thoroughly bad idea, one passphrase per user/machine is a far better idea; and even the user shouldn't know what it is (that way it can't get beaten out of them- black cosh crytography works pretty darn well.) These standards organisations aren't even trying.

    • Re:Big deal (Score:3, Insightful)

      by timeOday (582209)
      Ultimately though, these passphrases are flawed anyway- they are a form of shared password. History has shown this to be a thoroughly bad idea, one passphrase per user/machine is a far better idea... These standards organisations aren't even trying.
      Well, the second sentence in the article does say that the standard provides for each MAC address to be given a different key. In fact it's called a "Pairwise Master Key."
  • by hobbesmaster (592205) on Wednesday November 05, 2003 @09:06PM (#7402721)
    Hold it, someone correct me if I'm wrong, but doesn't this mean that instead of collecting thousands of weak packets in RFMon you just need to collect one packet from each network and brute force it?

    Which method is harder to crack? I'd take WEP. Simply because its takes longer to collect the necessary packets; especially on a smaller network. On a larger network it may work out to be better from a security standpoint for the cracker to start a brute force attack on the packet on a spare computer and let it sit for a few days instead of having him hide a pocket PC with a wifi card in range of the AP for a few days.
    • but doesn't this mean that instead of collecting thousands of weak packets in RFMon you just need to collect one packet from each network and brute force it?

      If I understand correctly, WEP is vulnerable to this as well. You can capture one packet, decode it against a given passphrase, and then see if the IP header on the decoded packet has a correct checksum. Rinse, lather, repeat.

      Lets just say that it takes a lot less time to find a set of weak ISV values.

      YLFI
      • That depends. If its an underutilized network, it would be more time efficient to dictionary attack it than airsnort it.

        Thats my experience anyways. If its a corporate wide network perhaps it could be owned far more easily by cracking WEP.
        • If its an underutilized network, it would be more time efficient to dictionary attack it than airsnort it.

          Heh, my experimental data might be hobbled by the fact that I wrote the cracker in Python while sitting utterly sleep deprived in a starbucks ;-)

          LearnToSpells link looks interesting - will have to check it out!

          YLFI
  • by frostman (302143) on Wednesday November 05, 2003 @09:07PM (#7402732) Homepage Journal
    I've just bought my first wireless kit (DLink 802.11b wireless router plus card for $60).

    I did some reading on WEP and it sounds pretty frightening. Today I'm going over to set up the same kit for a friend who's NOT a slashdot type. I'm pretty-well used to data protection issues, and I take reasonable precautions and would also not freak out if something Bad happened. But I'm wondering what I should tell my non-techie friend.

    Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

    That's certainly what the manufacturers would have us believe, and the low prices and ubiquitous Starbucks access points seem to be causing a lot of folks to adopt wireless, at least out here in silicon valley.

    Having read up on the security problems, I'm now hoping some of you can provide or point to real-world scenarios.

    Hope this isn't too off-topic...
    • Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

      He's save for about 6 million packets worth of traffic - a few hours. After that any kid with a laptop, a wireless card, and wepcrack 0wnz0rs his 455.

      paper here [rice.edu]
      • It takes far longer than that. Getting thousands of interesting packets takes weeks for a 256bit WEP network being used by only one person.

        And yes, this is from experience. I will neither confirm nor deny that I was given permission to try this...
    • by Dusty (10872) on Wednesday November 05, 2003 @09:19PM (#7402822) Homepage

      Ars Technica has a good summary of what you can do with SSID's and WEP to improve your wireless network's security:-

      Security Practicum: Essential Home Wireless Security Practices [arstechnica.com]
    • Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

      Vulnerable enough that I won't use it at work without it being on the other side of our firewall and forcing the "Road-Warriors" to VPN into the network. I also have it setup (at work) so they can't access the Internet... only the VPN. Lot's of paranoia there, but why take chances?

      At home I use my dinky little Linksys WAP11 (using a

      • To answer your original question, for home networks I think it's secure enough. Of course it helps my setup that I live out in the middle of nowhere and don't have to worry about the guy in the apartment next door :)

        I should also point out however, that when I worked for a WISP, we were out doing site surveys one time. I happened to point a 24db directional antenna towards my house and was able to associate (granted I had the WEP settings and knew what the SSID was) from about 1/2mi away going through a l

        • I have an AP in my house, and I don't allow any traffic at all unless it's running under IPSec VPN.

          It's wide open, but firewalled off all by it's lonesome. No bother even doing WEP, IMHO.

          'Course, I'm way paranoid.

          I'm still waiting for a serious scientific review of WPA, though this actually makes me feel a bit better. It just means I'll share keys via disk or something that will hold a 256 byte mostly random key.

          Cheers,
          Greg
      • You know under Linux it's pretty trivial to change the MAC address of an Ethernet device, right?
        • You know under Linux it's pretty trivial to change the MAC address of an Ethernet device, right?

          Yes, it's fairly trivial in Windoze too. It doesn't _hurt_ to enable the MAC address protection though. And if they are stupid enough to hijack your MAC while you are using it (and to figure out the MAC they'd first have to break the WEP), you'd know pretty quickly that something was going on.

          Security in layers.... Unless you are going to buy a $550 Aironet 350 for your house (unlikely) you have to make do w

          • The way I do it is no WEP, no MAC address protection; but, the only thing open on the wireless LAN is SSH to one box. Then a VTUN tunnel using the SSH connection from my laptop.

            Lots of people can bounce onto the LAN and check it out, but there's nothing much there - nothing to ping, etc. Worked well so far (and I make sure to keep SSL/SSH up to date).
            • The way I do it is no WEP, no MAC address protection; but, the only thing open on the wireless LAN is SSH to one box. Then a VTUN tunnel using the SSH connection from my laptop.

              VTUN is a handy package. Used to use it at work before we went to FreeSwan.

              I could implement such a setup at my house if I wanted to, but the original poster was asking about a setup for a non-techie friend, whom I doubt has a Linux box handy. Given that, I think the best solution is what I outlined.

              I also forgot to include som

          • It doesn't _hurt_ to enable the MAC address protection though.

            It's next to useless. It doesn't hurt, but it doesn't help. If somebody's cracking your WEP key, MAC addressing isn't even going to slow them down.

            And if they are stupid enough to hijack your MAC while you are using it (and to figure out the MAC they'd first have to break the WEP),

            Not true. You can get the client MACs within seconds, without cracking anything.

            you'd know pretty quickly that something was going on.

            How?
    • by timeOday (582209) on Wednesday November 05, 2003 @09:24PM (#7402866)
      The threat is way overblown. I'm willing to bet that fewer than 1% of WEP-protected access points fall to cryptographic weakness (but my guesstimate will yield immediately to anybody with ACTUAL DATA that agrees or disagrees). Any sensitive data you send, you should be (and probably are) sending over ssl (when the little lock appears in your browser window), using ssh instead of telnet, etc. As for Starbucks access points, they're not protected by WEP anyways.

      Just enable the WEP, use secure applications for sensitive data, and quit worrying about it.

      • It's like trying to get accurate info about sucecssful hack attemts. Impossible.

        WEP hacks is even worse. Those that use WEP probably couldn't tell if they were hacked if BO was loaded on their machine, much less packet monitor and notice there was a new station on the network.

        WEP may not get hacked often, but frankly, I like deterministic approaches, rather than "no one will hack me, it's just too much work."

        I want to know, if I do things right, it's nearly impossible to hack me unless you're the NSA or
    • Don't worry, set him up, turn on wep, make some keys, and also use MAC filtering so only known stations can get in. To get around both those someone has to be fairly determined, just like someone determined to get in your house can probably do so, no matter what locks and alarms you install. That'll keep out the accidental neighbors and casual drive by scanners. Anything important like credit card numbers should be encrypted from browser to server with SSL anyway.

      Now, if a bank or hospital was going to ins
  • 1..2..3. Hey that is the same combination I use on my luggage!
  • My Dog Has Fleas (Score:2, Interesting)

    by Anonymous Coward
    ...my wireless router has a first name
    it's l-i-n-k-s-y-s

    my router has a SSID
    it's l-i-n-k-s-y-s

    RE: password security -- what about the old technique of using an acronym for something that wouldn't be hit by a dictionary attack? Um, like:

    My Dog Has Fleas And Your Mom Does Too would create a password of "mdhfaymdt" ? Secure enough...and probably not in someone's best interest to share with anyone else.
    • Re:My Dog Has Fleas (Score:5, Informative)

      by shird (566377) on Wednesday November 05, 2003 @09:27PM (#7402892) Homepage Journal
      Actually, a dictionary attack is inlikely to break 'My Dog has Fleas' because it is composed of multiple words, is fairly long, and has mixed case. Dictionary attacks typically involve just one or possibly two words strung together. Anymore and it becomes pretty impratical.

      The only pratical way to find that password is through brute force. In this scenario, the longer the password and more possible different characters (ie lowercase and uppercase, and spaces) makes it more difficult. Thus, 'My Dog has Fleas' would be more secure than 'mdhfaymdt' against a brute force attack. The latter could be broken in a matter of hours through brute force.
  • by TechyImmigrant (175943) * on Wednesday November 05, 2003 @09:15PM (#7402799) Journal
    The idea here (I know, I was there when we voted it into the standard) is that the PBKDF2 is computationally significant.

    Thus when you perform your offline dictionary attack, for each lookup in the dictionary, you must perform 4096 HMAC_SHA1s and this might take some time if you are looking up a large number of dictionary entries.

    The basic conflict is the wide disparity between the power of processors in low end 802.11 transceivers and high end computers. The time to compute the 4096 HMAC-SHA1s is significant on say a slow ARM7TDMI and the 4096 value is a compromise to limit the delay in computing this. This delay affects the time from pressing return on the keyboard, to the time the PTK can be known and communications can begin.

    However the attacker can apply his cluster of 3GHz PCs, or his FPGA HMAC_SHA1 parallel processor, or his supercomputer array, and make the speed of dictionary lookups relatively insignificant compared against the strength of the passwords being used.

    The wise people asked for a much higher number than 4096. Some implementation types beat it down to 4096, and here we are..

  • 256bit PSK is used directly as the PMK. When the PSK is a passphrase, the PMK is derived from the passphrase as follows:

    PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

    ---------
    Now I see where the problem is. Easily solvable...

    alias passphrase = write "enter you MSG" \
    read $MSG \
    echo "$MSG" | rot13 | rot13 |mail -s Passphrase luzer@name.com

    That wasn't so hard now was it?

    wget -qO - kungfunix.net/fatality|sed -n '1!G;h;$p'
  • by f1f2f3 (66764) on Wednesday November 05, 2003 @09:17PM (#7402810)
    "Poorly choosen passwords lead to insecurity."

    Well, duh. I didn't need three pages of dense, TLA-obscured claptrap to tell me that.
    • No, its worse than that.

      It is the fact that an OFFLINE dictionary attack is possible. If the protocol did not enable an offline attack, then you would be able to see the attacker attempting to guess the password with a live attack and then countermeasuers could be imposed.
    • Anything out of context sounds stupid, dude. In this case, WPA has been advertised as a very secure method of wireless encryption at the link layer that replaces a flawed an cracked method.

      WPA, in fact, relies on properly chosen passwords, which is a non-obvious problem given the hashing involved.
  • After reading the article (gasp!), this guy is saying that if you (the user) choose a passphrase that is susceptible to a dictionary attack, your passphrase could be compromised by someone using a dictionary attack. No kidding? I would have thought that choosing a passphrase of common words would make it HARDER for a brute-force program using a dictionary of common words to crack! Slow news day, or what?

    He also points out that WPA is perfectly secure with a good shared key (such as generating 256 bits of r
    • You're missing the point here: you're sophisticated and understand that poor password choice produces high risk.

      Since WPA is susceptible to dictionary attacks, wouldn't you build an interface that would reject poor passwords? Or would you advertise WPA as a way to enter simple passwords? You're smart: you'd build an interface that had crack behind it and a good dictionary, or at least required 20 digits and some punctuation.

      Since the marketing folks and interface designers are encouraging the use of simpl
  • by dswensen (252552) * on Wednesday November 05, 2003 @09:22PM (#7402844) Homepage
    perform an offline dictionary attack

    What, you sneak up behind the sysadmin and brain him with a copy of Webster's?
    • by Anonymous Coward

      perform an offline dictionary attack

      What, you sneak up behind the sysadmin and brain him with a copy of Webster's?

      Better that than using the Oxford English Dictionary. Talk about your weapons of mass instruction.

  • hexdump -e "\"%04x%04x\n\"" -n 8 /dev/random

    Pre shared key auth/keying is a bad idea. Public key based authentication with random session keys via integration with RADIUS or Kerberos is much more secure (and should be supported by any WPA capable AP)
  • by uucpbrain (541924) on Wednesday November 05, 2003 @09:27PM (#7402893)
    Speaking as a cryptographer and longtime security geek, this weakness is about as damning as... using a 128 bit cipher that only gives 120 bits of protection. Look at the big picture. Most people don't even use WEP, let alone limit access by MAC address. The average user is SO oblivious to security, sharing passwords, opening .EXE attachments... I'd hate to recall how many times I found things like .rhosts files with '++' in them among career Unix programmers who must have known better. WEP was a semi-broken protocol, TACACS+ was a totally broken protocol, there was no way one could use them without compromising security. Just as nobody can use a number of commercial software products without compromising security.

    WPA, on the other hand, is a very well-designed protocol. It is only as weak as its users are careless. And one need not choose "h^Ne#b8SV@,4g%yP" as a password to avoid this attack, any semi-uncommon phrase of 4 or 5 words will do.

    I will deal with this problem by threatening users with a nasty note in their personnel file if they choose a sh*t passphrase -- and terminate their wireless access. And yes, I will try cracking the passwords myself, just as I have done with operating system passwords for several years.

    I sure wish all my security problems were so simple! At least WPA *can* be secure, unlike the steaming heap of offal that most folks call a desktop operating system.
    • Sure, but do you see the problem here on the UI side? That's what my post and Robert's paper is about. The UI implementation of WPA for consumers encourages and allows poor password selection. It doesn't have to.
    • One thing I'm curious about, is that nobody seems to be talking about the installed base of WEP-only wifi equipment already out there (which, as is evidenced by all the almost-as-excited-as-during-the-bubble-days VCs, is quite a large one). I've not heard of any plans by anyone to retrofit WPA onto existing WEP-only equipment (about the only one I know of is Apple's recent software update, but that's only for users of a subset of their installed base (those with the original Airport system aren't included)
  • by frovingslosh (582462) on Wednesday November 05, 2003 @09:30PM (#7402911)
    WPA itself remains robust and secure

    Boy, some peole just want to find things to complain about. I just read another "you have to protect us from ourselves" article today [theonion.com], perhaps this should have been included in their list. Personally, I think if people want to hurt themsleves this way they should be allowed to do so. If they do it as part of their job then better qualified technical people should take their place.

  • Presentation - Tim Moore, Doug Whiting, Jesse Walker - doc 02/545r0 - Mapping Password to PSK
    Standardize a method to generate a 256 bit PSK from an ASCII password.
    PSK = PBKDF2(password, ssid, ssidlen, 4096, 256)

    Jesse: Only do this if you have to. Security is bad.
    Tim: Use hard to guess passwords. Also change SSID from default.
    Jesse: I would suggest that every AP ship with a different SSID.
    Comment: This forces the administrator to set them to a common value in order to roam.

    Comment: Why so big (4096)
    Doug:
  • When I try to enable WPA (Enterprise) with the latest Airport software it tells me, (a) it is not compatible with my 802.11b card, (b) it is not compatible with MAC address access lists, and, (c) it is not compatible with WDS. WDS is where you can chain Airport connectivity over the air, which I use, and (b) only occurs under WPA Enterprise as opposed to personal. I can see (a) being rationalized under needing better hardware for better encryption, and I was going to upgrade regardless, but (b) and (c)?
  • Maybe a year ago I read this great guide on choosing a password that went through all the mathematics of how long it would take to break a password with just regular words, one with mixed case letters, one with irregularly placed characters, etc. It gave some good practical advice for coming up with memorable passwords that were secure. Can anyone direct me to this document? I've tried googling but I haven't had any luck. Don't remember much more about it. Thanks!
  • by Valar (167606) on Wednesday November 05, 2003 @10:00PM (#7403103)
    Many institutions unwittingly standardize on weak passwords. For example, a certain EE department at a certain university (that I might attend), has a password convention of six characters, letters and numbers, but no two letters or numbers are allowed next to each other. So all the passwords are number, letter, number, letter, etc or letter, number, letter, number. They don't even require mixed case letters.
  • Kerberos (Score:3, Interesting)

    by GreenKiwi (221281) on Wednesday November 05, 2003 @11:01PM (#7403501)
    Why don't these companies start implementing Kerberos? Or something similar. My understanding is that no passwords are ever sent out over the network.

    http://web.mit.edu/kerberos/www/
  • I still don't understand why we need to have crypto standardized in the wireless protocol itself. If you are actually concerned about security, why not:

    1. Use IPSec, or
    2. Restrict the access point so that no connections can be made anywhere except to a VPN server

    I'm currently planning something along the lines of (2) at home. I plan to use the hostap driver for Linux and firewall the wireless interface off from everything except for a single port which goes through to a VPN server. In order to talk to

    • That is exactly what I did to relative success...until I created another VPN connection to my office, which happily returned a public address on a network seemingly devoid of any firewall protection whatsoever. "Hello, you've got DoS!" Can't name names, but their acronym rearraged sounds like "I SUCK."
  • How is this worse? (Score:4, Insightful)

    by Halo- (175936) on Wednesday November 05, 2003 @11:23PM (#7403631)
    Okay, so users might pick a password which is less than 20 characters and is dictionary based. Guess what? They always will... Security is a balancing act. If you make security too cumbersome, then users will find a shortcut and abuse it, making it worse than no security. If the spec enforced something like: "passphrases must be at least 128 hex characters" you'd end up with a bunch of passwords which were all "AAAAA..." (or something similiar)

    The simple truth is people are lazy. How many passwords do you have? And how many password guarded accounts? I bet even the most diligent of us out there only have a small number of "good" passwords which we use for damn near everything and never rotate.

    The problem with WEP was flawed crypto. No matter how good my password was, someone could crack it with unacceptable ease. At least with this new scheme those of us with "good" passwords have a chance.

  • by Brad Mace (624801) on Thursday November 06, 2003 @12:48AM (#7404072) Homepage
    If you're smart when you set up your access point, and turn on WEP, 99.9% of people that might hack your network are going to go find an easier target. The typical figure I've heard is 24 hours or more to get enough traffic to break the encryption. Unless someone knows you have something they want, they're not going to bother.

    Home users are going to generate less traffic than businesses, and so it will take even longer to get enough traffic. Unless you happen to notice a van parked outside your house for a couple days, or find yourself staring down the barrel of a pringles can, you can relax.

    1. Turn off SSID broadcasting
    2. use a unique SSID
    3. For God's sake, change the admin password
    4. Turn on WEP
    5. Use MAC address filtering
    Congratulations, you're now more trouble than you're worth.
  • Not a big deal (Score:3, Insightful)

    by mcrbids (148650) on Thursday November 06, 2003 @03:57AM (#7404976) Journal
    Guys, wifi is limited in scope to that which is not more than a few hundred yards from the access point. The password doesn't have to stop everybody, just everybody not too far away.

    That limits the damage scope of a malicious party to that within a half a mile of their present location.

    The *same* limitations of passwords on the public Internet, however, are much more likely to be damaging. Let me give an example...

    How many people use email with pop3 over the Internet? Not only are these accounts typically set up with crummy passwords (like "Robert" - their middle name, or "120871" - their b/day) but then the passwords are sent, several times/day in plaintext!

    And yet, with all of these big, huge, security no-nos, pop3 reigns supreme as the standard for email receipt on the 'net, and seldom is there actually a problem.

    So, to whit, we have an issue like "A credit card can be used to bypass the locks on many doorknobs" and it makes front page at /.?

"Nuclear war would really set back cable." - Ted Turner

Working...