running Linux on odd devices is SOOO COOL!
Kurt Granroth
kurt+plug-discuss at granroth.com
Sat Nov 14 17:32:00 MST 2009
On 11/14/09 12:02 PM, Lisa Kachold wrote:
> The whole concept of "wireless encryption security" is somewhat moot
> with airdump-ng etc tools.
>
> WEP keys are really easy to break.
>
> WPA is also easily encroached - but harder with a truely unique secure
> key (which few people use)
>
> It just exists as part of the big "security" matrix to keep the honest
> people out. Crackers can get right in anyway!
>
> http://www.obnosis.com/Layer8Wireless.html
Okay, I have to take exception to how this is written. You are
comparing the security of WEP and WPA as if they are somehow equivalent
or equally "easy" to crack. That is just not true.
WEP is fundamentally broken. It can be reliably cracked in seconds, in
most cases. Its use is more of a "please don't use this network" flag
than any real attempt to keep people out.
WPA, on the other hand, is NOT broken. Only one variation of it is
crackable at all (PSK) and even then, the attack is a brute force
dictionary attack. By that argument, ALL password based encryption is
crackable.
Yes, you could successfully argue that since MOST home APs use PSK and
MOST probably just set the password to 'admin' or 'linksys' or some
other trivial name, that IN PRACTICE, it's not hard to crack most uses
of WPA.
But saying that "[c]rackers can get right in anyway" just isn't true.
All that is needed is a reasonably difficult password. Don't use a
dictionary word and make it decently long and it quickly becomes far too
difficult to crack to make it worth it for all but the most extreme
cases. It's either VERY expensive or takes YEARS.
I'm sure that you read this:
http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
It answers the question: "how much does it cost to crack a password?"
It assumes that you are using Amazon EC2 at $0.30 an hour. A twelve
character password using the full ASCII set would cost over $8 TRILLION
dollars to crack. Even much smaller passwords are still in the millions.
The password that I use on my WPA2-PSK AP is 20-odd chars long and spans
the ASCII range. Far from allowing crackers to "get right in", it's
nearly impossible for them to do so.
More information about the PLUG-discuss
mailing list