28 should be fine as long as you didn't use something easily
guessed/cracked; e.g., "now is the time for all good".

On Mon, 20 Nov 2006 17:33:25 -0500, chicagofan <me7@privacy.net> wrote
in <V2q8h.49$vQ.35@newsfe03.lga>:

>Does this apply to WPA2 as well? Mine is 28... should I make it 32 or more?
>bj
>
>
>John Navas wrote:
>> SUMMARY:
>>
>> WPA-PSK is vulnerable to offline attack.
>>
>> TO AVOID THE PROBLEM:
>>
>> USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
>> BAD: "vintage wine"
>> GOOD: "floor hiking dirt ocean"
>> (pick your own words, even longer is better)
>> FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.
>>
>> BACKGROUND:
>>
>> Weakness in Passphrase Choice in WPA Interface
>> By Glenn Fleishman
>> By Robert Moskowitz
>> Senior Technical Director
>> ICSA Labs, a division of TruSecure Corp
>> <http://wifinetnews.com/archives/002452.html>
>>
>> ...
>> The offline PSK dictionary attack
>> ...
>> Just about any 8-character string a user may select will be in the
>> dictionary. As the standard states, passphrases longer than 20 characters
>> are needed to start deterring attacks. This is considerably longer than
>> most people will be willing to use.
>>
>> This offline attack should be easier to execute than the WEP attacks.
>> ...
>> Using Random values for the PSK
>>
>> The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
>> number for human entry; 20 character passphrases are considered too long
>> for entry. Given the nature of the attack against the 4-Way Handshake, a
>> PSK with only 128 bits of security is really sufficient, and in fact
>> against current brute-strength attacks, 96 bits SHOULD be adequate. This is
>> still larger than a large passphrase ...
>> ...
>> Summary
>> ...
>> Pre-Shared Keying is provided in the standard to simplify deployments in
>> small, low risk, networks. The risk of using PSKs against internal attacks
>> is almost as bad as WEP. The risk of using passphrase based PSKs against
>> external attacks is greater than using WEP. Thus the only value PSK has is
>> if only truly random keys are used, or for deploy testing of basic WPA or
>> 802.11i functions. PSK should ONLY be used if this is fully understood by
>> the deployers.
>>
>> See also:
>> Passphrase Flaw Exposed in WPA Wireless Security
>> <http://www.technewsworld.com/story/32070.html>
>>
>> Wi-Fi Protected Access. Security in pre-shared key mode
>> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
>>
>> Cracking Wi-Fi Protected Access (WPA)
>> <http://www.ciscopress.com/articles/article.asp?p=369221>
>> <http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>
>>
>> WPA Cracker
>> <http://www.tinypeap.com/html/wpa_cracker.html>

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>