running Linux on odd devices is SOOO COOL!

Kurt Granroth kurt+plug-discuss at granroth.com
Sat Nov 14 17:32:00 MST 2009


On 11/14/09 12:02 PM, Lisa Kachold wrote:
> The whole concept of "wireless encryption security" is somewhat moot
> with airodump-ng etc tools.
>
> WEP keys are really easy to break.
>
> WPA is also easily encroached - but harder with a truly unique secure
> key (which few people use)
>
> It just exists as part of the big "security" matrix to keep the honest
> people out.  Crackers can get right in anyway!
>
> http://www.obnosis.com/Layer8Wireless.html

Okay, I have to take exception to how this is written.  You are 
comparing the security of WEP and WPA as if they are somehow equivalent 
or equally "easy" to crack.  That is just not true.

WEP is fundamentally broken.  It can be reliably cracked in seconds, in 
most cases.  Its use is more of a "please don't use this network" flag 
than any real attempt to keep people out.

WPA, on the other hand, is NOT broken.  Only one variation of it is 
crackable at all (PSK) and even then, the attack is a brute force 
dictionary attack.  By that argument, ALL password-based encryption is 
crackable.

Yes, you could successfully argue that since MOST home APs use PSK and 
MOST probably just set the password to 'admin' or 'linksys' or some 
other trivial name, that IN PRACTICE, it's not hard to crack most uses 
of WPA.

But saying that "[c]rackers can get right in anyway" just isn't true. 
All that is needed is a reasonably difficult password.  Don't use a 
dictionary word and make it decently long and it quickly becomes far too 
difficult to crack to make it worth it for all but the most extreme 
cases.  It's either VERY expensive or takes YEARS.

I'm sure that you read this:

http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html

It answers the question: "how much does it cost to crack a password?" 
It assumes that you are using Amazon EC2 at $0.30 an hour.  A twelve 
character password using the full ASCII set would cost over $8 TRILLION 
dollars to crack.  Even much smaller passwords are still in the millions.

The password that I use on my WPA2-PSK AP is 20-odd chars long and spans 
the ASCII range.  Far from allowing crackers to "get right in", it's 
nearly impossible for them to do so.
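
Added example, not part of the original message: a passphrase audit for WPA/WPA2-PSK that derives the key the way 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and estimates exhaustive-search cost at the $0.30 per instance-hour quoted above. The guess rate of 100,000 per second per instance, the $1,000,000 threshold, the character-class heuristic and the small wordlist are assumptions made for illustration.

```python
import hashlib

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/WPA2-PSK passphrase-to-key mapping
PMK_BYTES = 32            # 256-bit pairwise master key
# Constructed sample of trivial passphrases; a real audit would load a large wordlist.
COMMON = {"admin", "linksys", "password", "12345678"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def alphabet_size(passphrase: str) -> int:
    """Upper-bound heuristic: count the printable-ASCII classes actually used."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # space and punctuation; 26 + 26 + 10 + 33 = 95
    return size


def exhaustive_cost(length, alphabet, guesses_per_sec, usd_per_hour=0.30):
    """Instance-hours and USD needed to try every candidate of this shape."""
    hours = alphabet ** length / guesses_per_sec / 3600
    return hours, hours * usd_per_hour


def audit(passphrase, guesses_per_sec=100_000, threshold_usd=1_000_000):
    """Return (verdict, estimated USD); dictionary hits cost effectively nothing."""
    if passphrase.lower() in COMMON:
        return "dictionary", 0.0
    _, usd = exhaustive_cost(len(passphrase), alphabet_size(passphrase), guesses_per_sec)
    return ("weak" if usd < threshold_usd else "strong"), usd


if __name__ == "__main__":
    for candidate in ("password", "abcdefgh", "k#9Tq!2mZ@x7Lp$4Wv&8"):  # constructed samples
        verdict, usd = audit(candidate)
        print(f"{candidate!r:24} {verdict:10} ~${usd:,.0f}")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, and each guess costs 4096 HMAC-SHA1 iterations; the estimate is an upper bound that assumes the passphrase is random within the character classes it uses.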

