running Linux on odd devices is SOOO COOL!

Kurt Granroth kurt+plug-discuss at granroth.com
Sun Nov 15 09:40:05 MST 2009


On 11/15/09 5:57 AM, Lisa Kachold wrote:
> On Saturday, November 14, 2009, Kurt Granroth
> <kurt+plug-discuss at granroth.com>  wrote:
>> Lisa,
>>
>> I'll grant you the denial-of-service attack, but I'm still not finding
>> any evidence that WPA is fundamentally flawed (much less "easier to
>> crack... than WEP").
> You simply capture the auth with airocrack-ng.
> Even 20 characters can be decrypted eventually!  A dictionary attack
> is faster and a truely random passwrd delays the process and  none of
> this is any reason to not use security tools but the fact is the
> protocol has been broken! I know I put in a nomadix and cisco aironet
> with active directory and radius in 2003'
> radius is anice solution; we used them for our dialup with livingstons
> at Nike and various ISPs.

I guess I still disagree with your use of the word 'broken'.  By that 
definition, gpg is 'broken' as well as *any* encryption system that uses 
passwords.  Just because because you can brute force a crack doesn't 
mean that the protocol broken.

And as far as 'eventually' goes... according to the people at 
ElectricalAlchemy, a 12 character random password would take 28 TRILLION 
hours of computing power (defined as 'high-CPU on Amazon EC2').  Let's 
say that you can wrangle up 10,000 systems to work on this 
simultaneously.  It would still take over 300,000 YEARS to brute force it.

Looking at the curve, I would guess that a 20 character password would 
take well into the trillions of years (or likely more) to brute force. 
That's much older than the age of the universe!

I feel pretty safe with a protocol that would require long than the age 
of the universe to crack!  I would NOT consider that broken :-)


More information about the PLUG-discuss mailing list