USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean"
(pick your own words, even longer is better)
FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.
BACKGROUND:
Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
<http://wifinetnews.com/archives/002452.html>
...
The offline PSK dictionary attack
...
Just about any 8-character string a user may select will be in the
dictionary. As the standard states, passphrases longer than 20 characters
are needed to start deterring attacks. This is considerably longer than
most people will be willing to use.
This offline attack should be easier to execute than the WEP attacks.
...
Using Random values for the PSK
The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
number for human entry; 20 character passphrases are considered too long
for entry. Given the nature of the attack against the 4-Way Handshake, a
PSK with only 128 bits of security is really sufficient, and in fact
against current brute-strength attacks, 96 bits SHOULD be adequate. This is
still larger than a large passphrase ...
...
Summary
...
Pre-Shared Keying is provided in the standard to simplify deployments in
small, low risk, networks. The risk of using PSKs against internal attacks
is almost as bad as WEP. The risk of using passphrase based PSKs against
external attacks is greater than using WEP. Thus the only value PSK has is
if only truly random keys are used, or for deploy testing of basic WPA or
802.11i functions. PSK should ONLY be used if this is fully understood by
the deployers.
See also:
Passphrase Flaw Exposed in WPA Wireless Security
<http://www.technewsworld.com/story/32070.html>
Wi-Fi Protected Access. Security in pre-shared key mode
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
On Mon, 04 Dec 2006 23:59:11 -0600, Peabody
<waybackNO784SPAM44@yahoo.com> wrote in
<PU7dh.4286$BD5.3897@newsfe21.lga>:
>John Navas says...
>
> > Just about any 8-character string a user may select will
> > be in the dictionary. As the standard states,
> > passphrases longer than 20 characters are needed to
> > start deterring attacks. This is considerably longer
> > than most people will be willing to use.
>
>FWIW:
>
>I know some here are not thrilled with Steve Gibson, but he
>has a password generating function on his site that might
>be useful:
>
>HTTP://www.grc.com/passwords.htm
Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
oil salesman with no real expertise in security who has been discredited
numerous times (e.g., <http://www.grcsucks.com/>), and the password
generator on the GRC site is of dubious quality, value and real
security.
Instead use:
* Diceware words
* Good open source, peer-reviewed software like Password Safe,
originally created by noted cryptographer Bruce Schneier
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Wed, 6 Dec 2006 00:46:57 +0100, hlexa@hotmail.com (Axel
Hammerschmidt) wrote in <1hpwfep.12dmxu8zgvwn4N%hlexa@hotmail.com>:
>John Navas <spamfilter0@navasgroup.com> wrote:
>
>> Peabody <waybackNO784SPAM44@yahoo.com> wrote:
>
><snip>
>
>> >HTTP://www.grc.com/passwords.htm
>>
>> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
>> oil salesman...
>
>What do you think of Paris Hilton?
Slut? ;)
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Wed, 06 Dec 2006 11:31:42 +0000, Mark McIntyre
<markmcintyre@spamcop.net> wrote in
<1dadn25mi04frk1mfu84aeaf6n65psar55@4ax.com>:
>On Wed, 6 Dec 2006 00:46:57 +0100, in alt.internet.wireless ,
>hlexa@hotmail.com (Axel Hammerschmidt) wrote:
>
>>John Navas <spamfilter0@navasgroup.com> wrote:
>>
>>> Peabody <waybackNO784SPAM44@yahoo.com> wrote:
>>
>><snip>
>>
>>> >HTTP://www.grc.com/passwords.htm
>>>
>>> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
>>> oil salesman...
>
>So what? Snakeoil salesmen can still tell truths, you just have to be
>careful. ...
"Even a stopped clock is right twice a day?"
But of course not terribly useful. ;)
Especially in a critical area like security.
There's no way to be careful about the GRC
password generator other than not using it.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On 5-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
<SNIPPED>
> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
> oil salesman with no real expertise in security who has been discredited
> numerous times (e.g., <http://www.grcsucks.com/>), and the password
> generator on the GRC site is of dubious quality, value and real
> security.
>
> Instead use:
> * Diceware words
> * Good open source, peer-reviewed software like Password Safe,
> originally created by noted cryptographer Bruce Schneier
Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2, how long
would it take a hacker to wirelessly hack into a network using the
passphrase listed by the previous poster? I believe the passphrase is:
On Wed, 6 Dec 2006 19:39:41 +0100, hlexa@hotmail.com (Axel
Hammerschmidt) wrote in <1hpxvt7.hdvep9xmc0s2N%hlexa@hotmail.com>:
>John Navas <spamfilter0@navasgroup.com> wrote:
>
><snip>
>
>> There's no way to be careful about the GRC
>> password generator other than not using it.
>
>This is bull shit.
Oh really?
Has it been independently certified? (No.)
Have you personally verified the code, and know for sure it hasn't been
hacked or otherwise compromised? (No.)
In other words, what I wrote is correct.
From a prior post:
------------------------------------------------------------------------
Because it's only as secure as the trustworthiness of the website, which
is completely unknown. Even if GRC is trustworthy (including every last
person with access, something impossible to ascertain), you have no way
of knowing if the site itself has been compromised. Notwithstanding
that, Steve uses lots of wild and misleading hyperbole (as usual):
"Ultra High Security"
"totally random"
"perfect and safe"
"Every one is completely random (maximum entropy) without any
pattern, and the cryptographically-strong pseudo random number
generator we use guarantees that no similar strings will ever be
produced again."
"Also, because this page will only allow itself to be displayed over
a snoop-proof and proxy-proof high-security SSL connection, and it is
marked as having expired back in 1999, this page which was custom
generated just now for you will not be cached or visible to anyone
else."
"... derived from the highest quality mathematical pseudo-random
algorithms known. In other words, these password strings are as
random as anything non-random can be."
"Since the passwords used to generate pre-shared keys are configured
into the network only once, and do not need to be entered by their
users every time, the best practice is to use the longest possible
password and never worry about your password security again."
These things are either unknowable or outright false, often
self-contradictory, so he's either a charlatan or an idiot, take your
pick.
That last part ("never worry about your password security again") sends
shudders down my spine.
-----------------------------------------------------------------------
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Wed, 06 Dec 2006 18:48:24 GMT, "Doug Jamal" <bishiv6AT@yahooDOT.com>
wrote in <YfEdh.8099$7T5.6185@tornado.tampabay.rr.com>:
>
>On 5-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
><SNIPPED>
>> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
>> oil salesman with no real expertise in security who has been discredited
>> numerous times (e.g., <http://www.grcsucks.com/>), and the password
>> generator on the GRC site is of dubious quality, value and real
>> security.
>>
>> Instead use:
>> * Diceware words
>> * Good open source, peer-reviewed software like Password Safe,
>> originally created by noted cryptographer Bruce Schneier
>
>Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2, how long
>would it take a hacker to wirelessly hack into a network using the
>passphrase listed by the previous poster? I believe the passphrase is:
>
>$lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
Mere seconds if the hacker has compromised the GRC site and obtained a
list of generated passwords.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
> On Wed, 6 Dec 2006 19:39:41 +0100, hlexa@hotmail.com (Axel
> Hammerschmidt) wrote in <1hpxvt7.hdvep9xmc0s2N%hlexa@hotmail.com>:
>
> >John Navas <spamfilter0@navasgroup.com> wrote:
> >
> ><snip>
> >
> >> There's no way to be careful about the GRC
> >> password generator other than not using it.
> >
> >This is bull shit.
>
> Oh really?
> Has it been independently certified? (No.)
> Have you personally verified the code, and know for sure it hasn't been
> hacked or otherwise compromised? (No.)
On 6-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
> On 5-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
> ><SNIPPED>
> >> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
> >> oil salesman with no real expertise in security who has been
> >> discredited
> >> numerous times (e.g., <http://www.grcsucks.com/>), and the password
> >> generator on the GRC site is of dubious quality, value and real
> >> security.
> >>
> >> Instead use:
> >> * Diceware words
> >> * Good open source, peer-reviewed software like Password Safe,
> >> originally created by noted cryptographer Bruce Schneier
> >
> >Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2, how
> >long
> >would it take a hacker to wirelessly hack into a network using the
> >passphrase listed by the previous poster? I believe the passphrase is:
> >
> >$lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
>
> Mere seconds if the hacker has compromised the GRC site and obtained a
> list of generated passwords.
Okay. Now, let's say the passphrase was created by the owner of the wireless
network and not by copying a generated passphrase from a website or even a
password generating app. Furthermore, let's say that the passphrase was not
written down anywhere or even saved anywhere on any electronic device and no
one else knows it. How long would it take for a hacker to wirelessly hack
into that network?
On Wed, 6 Dec 2006 21:44:50 +0100, hlexa@hotmail.com (Axel
Hammerschmidt) wrote in <1hpxz3n.9sq0s1b5k8p6N%hlexa@hotmail.com>:
>John Navas <spamfilter0@navasgroup.com> wrote:
>
>> On Wed, 6 Dec 2006 19:39:41 +0100, hlexa@hotmail.com (Axel
>> Hammerschmidt) wrote in <1hpxvt7.hdvep9xmc0s2N%hlexa@hotmail.com>:
>>
>> >John Navas <spamfilter0@navasgroup.com> wrote:
>> >
>> ><snip>
>> >
>> >> There's no way to be careful about the GRC
>> >> password generator other than not using it.
>> >
>> >This is bull shit.
>>
>> Oh really?
>> Has it been independently certified? (No.)
>> Have you personally verified the code, and know for sure it hasn't been
>> hacked or otherwise compromised? (No.)
>
>Has: "floor hiking dirt ocean"? (No).
Actually yes -- diceware words have been peer reviewed.
>> In other words, what I wrote is correct.
>
>In other words, bull shit.
You are obviously the best judge of your own posts.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Wed, 06 Dec 2006 21:18:06 GMT, "Doug Jamal" <bishiv6AT@yahooDOT.com>
wrote in <isGdh.8742$yj1.1195@tornado.tampabay.rr.com>:
>On 6-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
>
>> On 5-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
>> ><SNIPPED>
>> >> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake
>> >> oil salesman with no real expertise in security who has been
>> >> discredited
>> >> numerous times (e.g., <http://www.grcsucks.com/>), and the password
>> >> generator on the GRC site is of dubious quality, value and real
>> >> security.
>> >>
>> >> Instead use:
>> >> * Diceware words
>> >> * Good open source, peer-reviewed software like Password Safe,
>> >> originally created by noted cryptographer Bruce Schneier
>> >
>> >Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2, how
>> >long
>> >would it take a hacker to wirelessly hack into a network using the
>> >passphrase listed by the previous poster? I believe the passphrase is:
>> >
>> >$lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
>>
>> Mere seconds if the hacker has compromised the GRC site and obtained a
>> list of generated passwords.
>
>Okay. Now, let's say the passphrase was created by the owner of the wireless
>network and not by copying a generated passphrase from a website or even a
>password generating app. Furthermore, let's say that the passphrase was not
>written down anywhere or even saved anywhere on any electronic device and no
>one else knows it. How long would it take for a hacker to wirelessly hack
>into that network?
Too long to matter. Your point?
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On 6-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
> On 5-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
> >> ><SNIPPED>
> >> >> Really, really bad idea. Steve Gibson (aka GRC) is a shameless
> >> >> snake
> >> >> oil salesman with no real expertise in security who has been
> >> >> discredited
> >> >> numerous times (e.g., <http://www.grcsucks.com/>), and the password
> >> >> generator on the GRC site is of dubious quality, value and real
> >> >> security.
> >> >>
> >> >> Instead use:
> >> >> * Diceware words
> >> >> * Good open source, peer-reviewed software like Password Safe,
> >> >> originally created by noted cryptographer Bruce Schneier
> >> >
> >> >Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2,
> >> >how
> >> >long
> >> >would it take a hacker to wirelessly hack into a network using the
> >> >passphrase listed by the previous poster? I believe the passphrase is:
> >> >
> >> >$lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
> >>
> >> Mere seconds if the hacker has compromised the GRC site and obtained a
> >> list of generated passwords.
> >
> >Okay. Now, let's say the passphrase was created by the owner of the
> >wireless
> >network and not by copying a generated passphrase from a website or even
> >a
> >password generating app. Furthermore, let's say that the passphrase was
> >not
> >written down anywhere or even saved anywhere on any electronic device and
> >no
> >one else knows it. How long would it take for a hacker to wirelessly
> >hack
> >into that network?
>
> Too long to matter. Your point?
You often advocate the use of dice words as a passphrases to ward off WPA
attacks. Correct? The use of dice words are a great idea, in my opinion.
Still, the poster, as I understood it, was basically offering a different
means of creating passphrases using a passphrase generator and he mentioned
the one from the GRC website as an example. You proceeded to attack the
credibility of Steve Gibson as well as the passphrase generator used on the
GRC website. I've stated many times in the past that I prefer long nonsense
passphrases similar to the one that was posted in this thread. My Point?
Password generators are fine for people who prefer to use them, even the one
from the GRC website as long ad they are long and makes no sense. The
typical home wireless user is concerned with freeloading neighbors and
wardrivers. Unless Ithey have something specific and really important, the
casual hacker is not going to waste his or her time trying to crack my long
nonsense passphrase, whether it was generated using the GRC generator or not
when he or she can quickly and easily find an available OPEN wireless
networks. In reference to Steve Gibson, I know very little about the man and
the same goes for the people who run the website, www.grcsucks.com.
To reinforce what John is saying about "These things are either
unknowable or outright false, often self-contradictory, so he's
either a charlatan or an idiot, take your pick."
John Navas wrote:
> Because it's only as secure as the trustworthiness of the website, which
> is completely unknown. Even if GRC is trustworthy (including every last
> person with access, something impossible to ascertain), you have no way
> of knowing if the site itself has been compromised. Notwithstanding
> that, Steve uses lots of wild and misleading hyperbole (as usual):
>
> "Ultra High Security"
Perhaps if he used an IEEE definition of security metrics.
> "totally random"
If any hardware device generates it, its not random. An exception
would be using the noise pulses off of a backward biased Zener diode
as a code generator.
> "Every one is completely random (maximum entropy) without any
> pattern, and the cryptographically-strong pseudo random number
> generator we use guarantees that no similar strings will ever be
> produced again."
"pseudo random number" contradicts the above "totally random".
> "Also, because this page will only allow itself to be displayed over
> a snoop-proof and proxy-proof high-security SSL connection, and it is
> marked as having expired back in 1999, this page which was custom
> generated just now for you will not be cached or visible to anyone
> else."
Snoop proof, huh? And what if the caching program ignores expiration
dates?
> "... derived from the highest quality mathematical pseudo-random
> algorithms known. In other words, these password strings are as
> random as anything non-random can be."
Again..."random as anything non-random can be" is not totally random.
> never worry about your password security again."
> To reinforce what John is saying about "These things are either
> unknowable or outright false, often self-contradictory, so he's
> either a charlatan or an idiot, take your pick."
On Thu, 07 Dec 2006 00:29:17 GMT, "Doug Jamal" <bishiv6AT@yahooDOT.com>
wrote in <xfJdh.8260$7T5.5273@tornado.tampabay.rr.com>:
>> >> >Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2,
>> >> >how long
>> >> >would it take a hacker to wirelessly hack into a network using the
>> >> >passphrase listed by the previous poster? I believe the passphrase is:
>> >> >
>> >> >$lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
>> >>
>> >> Mere seconds if the hacker has compromised the GRC site and obtained a
>> >> list of generated passwords.
>> >
>> >Okay. Now, let's say the passphrase was created by the owner of the wireless
>> >network and not by copying a generated passphrase from a website or even a
>> >password generating app. Furthermore, let's say that the passphrase was not
>> >written down anywhere or even saved anywhere on any electronic device and no
>> >one else knows it. How long would it take for a hacker to wirelessly hack
>> >into that network?
>>
>> Too long to matter.
Also way longer than necessary, or advisable.
For a truly random password drawn from all 96 printable ASCII
characters, a length of 10 characters is more than sufficient to defeat
attacks in the foreseeable future.
With a more usable 64 character set, a length of 12 characters is more
than sufficient. (This is what I use.)
The use of significantly longer passwords tends to actually _decrease_
security -- see "Passwords Are Near the Breaking Point"
<http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf>:
Mitigating authentication weaknesses by increasing password length
and complexity will reduce security if passwords are pushed beyond
the peak of their effectiveness. They are approaching this point now.
>> Your point?
>You often advocate the use of dice words as a passphrases to ward off WPA
>attacks. Correct? The use of dice words are a great idea, in my opinion.
Correct. Dice are a simple, cheap hardware generator of very random
numbers, much better than the vast majority of computer algorithms, and
words are much easier to use than random passwords, and thus tend to
increase security.
>Still, the poster, as I understood it, was basically offering a different
>means of creating passphrases using a passphrase generator and he mentioned
>the one from the GRC website as an example. You proceeded to attack the
>credibility of Steve Gibson as well as the passphrase generator used on the
>GRC website.
Using a _good_ password generator is one thing;
using GRC is something else entirely.
>I've stated many times in the past that I prefer long nonsense
>passphrases similar to the one that was posted in this thread. My Point?
>Password generators are fine for people who prefer to use them, even the one
>from the GRC website as long ad they are long and makes no sense.
I strongly disagree. I've likewise stated many times in the past that
it's better to use a good open source, peer reviewed password generator
like Password Safe, originally created by noted cryptographer Bruce
Schneier, than to rely on a unvalidated shameless huckster and charlatan
like Steve Gibson, or on any web-based generator for that matter. Since
true security is free and easy, and since security is so important and
so often screwed up (as in the case of WEP), it makes no sense
whatsoever to take chances.
>The
>typical home wireless user is concerned with freeloading neighbors and
>wardrivers. Unless Ithey have something specific and really important, the
>casual hacker is not going to waste his or her time trying to crack my long
>nonsense passphrase, whether it was generated using the GRC generator or not
>when he or she can quickly and easily find an available OPEN wireless
>networks.
With all due respect, that's dangerously naive. Regardless, do whatever
you want for your own security, but don't presume to give out (bad)
advice when you admittedly know so little about the subject.
>n reference to Steve Gibson, I know very little about the man and
Then you should actually be recommending _against_ GRC, at least until
you can come up with something a lot more credible than Steve's
shameless and patently wrong self-promotion. It makes no sense
whatsoever to take security on faith.
>the same goes for the people who run the website, www.grcsucks.com.
Irrelevant. That's just a critique, not a competing resource, and
there's lots of confirmation of that critique, including my own.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Thu, 07 Dec 2006 11:50:14 -0600, Peabody
<waybackNO784SPAM44@yahoo.com> wrote in
<qvYdh.26484$f25.9301@newsfe17.lga>:
>decaturtxcowboy says...
>
> >> "totally random"
>
> > If any hardware device generates it, its not random. An
> > exception would be using the noise pulses off of a
> > backward biased Zener diode as a code generator.
>
>In one of his podcasts he said that he subscribes to a
>service provided by RSA Security, which I assume provides
>the values he uses in real time.
"And pigs have wings."
$5 says you can't find any such service from RSA.
>I'm the OP on the Gibson part of this, and I didn't intend
>to start a big argument. The idea was just to point out
>that you don't have to use recognizable words in the
>passphrase, or a passphrase that you can remember, but that
>instead it could be any sequence of printable characters.
>You can put that into a file which you burn to a CDR, and
>copy/paste from that to set up the other computers.
Bad idea, since the CD-R then becomes a security weakness.
If you must use a device, go with a USB drive instead, and
*securely* erase it afterward. Or at least a CD-RW,
*securely* erased, *not* just quick erased.
>Those who don't trust Gibson's phrases could re-arrange
>them,
Won't help. "Just say no." Use something else that's better.
>or just make one up,
Bad idea, since that greatly reduces key entropy.
>or maybe let your cat walk around
>on the keyboard and select any 63 characters he/she
>produces.
Hard to say if that would actually be good or bad.
What do you have against dice?
>In any event, 63 characters of un-intelligible
>non-rememberable garbage is gonna give you a pretty strong
>passphrase.
Not necessarily. Security is *HARD*, and not at all intuitive,
even to many experts.
>Well, unless the brute-force crack starts at or near the
>right place. I mean, the cracker could get lucky. But if
>he doesn't, then we could reserve a table at The Resaurant
>at the End of the Universe, and sip on some fine pinot noir
>until the crack completes. Ok, maybe not that long, but
>long enough.
That's dangerously naive.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Thu, 07 Dec 2006 16:29:38 GMT, in alt.internet.wireless ,
decaturtxcowboy <nope_none_@nowayspam.com> wrote:
>To reinforce what John is saying about "These things are either
>unknowable or outright false, often self-contradictory,
So? Its Marketing Blurb, not a white paper presented to the latest
DefCon meeting. Read the salespitch for /any/ security s/w lately?
Noticed any wild hyperbole in ISP's salespitch, or operating system
makers' latest offerings ? No? Considered getting a brain transplant?
>so he's
>either a charlatan or an idiot, take your pick."
John is a past master at spreading his very own FUD, so this is quite
a funny quote.
Its scary how many people believe all the FUD they read on the web,
and even more scary how few people bother to carry out any independent
assessment.
--
Mark McIntyre
On Wed, 06 Dec 2006 21:18:06 GMT, in alt.internet.wireless , "Doug
Jamal" <bishiv6AT@yahooDOT.com> wrote:
>
>On 6-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
>
>>
>> Mere seconds if the hacker has compromised the GRC site and obtained a
>> list of generated passwords.
Irrelevant and axiomatic. Any password is insecure once its source is
compromised. Even John's.
>Okay. Now, let's say the passphrase was created by the owner of the wireless
>network and not by copying a generated passphrase from a website or even a
>password generating app. Furthermore, let's say that the passphrase was not
>written down anywhere or even saved anywhere on any electronic device and no
>one else knows it. How long would it take for a hacker to wirelessly hack
>into that network?
On Thu, 07 Dec 2006 23:18:27 +0000, Mark McIntyre
<markmcintyre@spamcop.net> wrote in
<728hn2l1onlbp420p6m49soi0t1nd8brk3@4ax.com>:
>On Thu, 07 Dec 2006 16:29:38 GMT, in alt.internet.wireless ,
>decaturtxcowboy <nope_none_@nowayspam.com> wrote:
>
>>To reinforce what John is saying about "These things are either
>>unknowable or outright false, often self-contradictory,
>
>So? Its Marketing Blurb, not a white paper presented to the latest
>DefCon meeting. Read the salespitch for /any/ security s/w lately?
>Noticed any wild hyperbole in ISP's salespitch, or operating system
>makers' latest offerings ? No? Considered getting a brain transplant?
>
>>so he's
>>either a charlatan or an idiot, take your pick."
>
>John is a past master at spreading his very own FUD, so this is quite
>a funny quote.
>
>Its scary how many people believe all the FUD they read on the web,
>and even more scary how few people bother to carry out any independent
>assessment.
Including you. ;)
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Thu, 07 Dec 2006 23:20:28 +0000, Mark McIntyre
<markmcintyre@spamcop.net> wrote in
<sb8hn2p0cod205f690u2dvusk1v0gkp8sj@4ax.com>:
>On Wed, 06 Dec 2006 21:18:06 GMT, in alt.internet.wireless , "Doug
>Jamal" <bishiv6AT@yahooDOT.com> wrote:
>
>>
>>On 6-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
>>
>>> Mere seconds if the hacker has compromised the GRC site and obtained a
>>> list of generated passwords.
>
>Irrelevant and axiomatic.
Actually quite relevant.
>Any password is insecure once its source is
>compromised. Even John's.
Mine can't be compromised. Feel free to prove me wrong, if you can.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On 7-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
> Despite your disdain for Steve Gipson, using WPA-PSK (AES) or WPA2,
> >> >> >how long
> >> >> >would it take a hacker to wirelessly hack into a network using the
> >> >> >passphrase listed by the previous poster? I believe the passphrase
> >> >> >is:
> >> >> >
> >> >> >$lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
> >> >>
> >> >> Mere seconds if the hacker has compromised the GRC site and obtained
> >> >> a
> >> >> list of generated passwords.
> >> >
> >> >Okay. Now, let's say the passphrase was created by the owner of the
> >> >wireless
> >> >network and not by copying a generated passphrase from a website or
> >> >even a
> >> >password generating app. Furthermore, let's say that the passphrase
> >> >was not
> >> >written down anywhere or even saved anywhere on any electronic device
> >> >and no
> >> >one else knows it. How long would it take for a hacker to wirelessly
> >> >hack
> >> >into that network?
> >>
> >> Too long to matter.
>
> Also way longer than necessary, or advisable.
>
> For a truly random password drawn from all 96 printable ASCII
> characters, a length of 10 characters is more than sufficient to defeat
> attacks in the foreseeable future.
>
> With a more usable 64 character set, a length of 12 characters is more
> than sufficient. (This is what I use.)
>
> The use of significantly longer passwords tends to actually _decrease_
> security -- see "Passwords Are Near the Breaking Point"
> <http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf>:
>
> Mitigating authentication weaknesses by increasing password length
> and complexity will reduce security if passwords are pushed beyond
> the peak of their effectiveness. They are approaching this point now.
>
> >> Your point?
>
> >You often advocate the use of dice words as a passphrases to ward off WPA
> >attacks. Correct? The use of dice words are a great idea, in my
> >opinion.
>
> Correct. Dice are a simple, cheap hardware generator of very random
> numbers, much better than the vast majority of computer algorithms, and
> words are much easier to use than random passwords, and thus tend to
> increase security.
>
> >Still, the poster, as I understood it, was basically offering a different
> >means of creating passphrases using a passphrase generator and he
> >mentioned
> >the one from the GRC website as an example. You proceeded to attack the
> >credibility of Steve Gibson as well as the passphrase generator used on
> >the
> >GRC website.
>
> Using a _good_ password generator is one thing;
> using GRC is something else entirely.
>
> >I've stated many times in the past that I prefer long nonsense
> >passphrases similar to the one that was posted in this thread. My Point?
> >Password generators are fine for people who prefer to use them, even the
> >one
> >from the GRC website as long ad they are long and makes no sense.
>
> I strongly disagree. I've likewise stated many times in the past that
> it's better to use a good open source, peer reviewed password generator
> like Password Safe, originally created by noted cryptographer Bruce
> Schneier, than to rely on a unvalidated shameless huckster and charlatan
> like Steve Gibson, or on any web-based generator for that matter. Since
> true security is free and easy, and since security is so important and
> so often screwed up (as in the case of WEP), it makes no sense
> whatsoever to take chances.
>
> >The
> >typical home wireless user is concerned with freeloading neighbors and
> >wardrivers. Unless Ithey have something specific and really important,
> >the
> >casual hacker is not going to waste his or her time trying to crack my
> >long
> >nonsense passphrase, whether it was generated using the GRC generator or
> >not
> >when he or she can quickly and easily find an available OPEN wireless
> >networks.
>
> With all due respect, that's dangerously naive. Regardless, do whatever
> you want for your own security, but don't presume to give out (bad)
> advice when you admittedly know so little about the subject.
>
> >n reference to Steve Gibson, I know very little about the man and
>
> Then you should actually be recommending _against_ GRC, at least until
> you can come up with something a lot more credible than Steve's
> shameless and patently wrong self-promotion. It makes no sense
> whatsoever to take security on faith.
>
> >the same goes for the people who run the website, www.grcsucks.com.
>
> Irrelevant. That's just a critique, not a competing resource, and
> there's lots of confirmation of that critique, including my own.
Your reply was well written and your point is well received. Take care.
On Fri, 08 Dec 2006 02:21:12 GMT, "Doug Jamal" <bishiv6AT@yahooDOT.com>
wrote in <s_3eh.9484$7T5.6837@tornado.tampabay.rr.com>:
>Your reply was well written and your point is well received. Take care.
I sincerely thank you for your gracious response. To be clear,
notwithstanding our different perspectives, I sincerely respect your
point of view.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On 7-Dec-2006, John Navas <spamfilter0@navasgroup.com> wrote:
> >Your reply was well written and your point is well received. Take care.
>
> I sincerely thank you for your gracious response. To be clear,
> notwithstanding our different perspectives, I sincerely respect your
> point of view.
Is this insecurity within WPA related to algebraic attacks at all? If
it is there is a couple good thesis written on similar + prevention
methods for A5/1 & 2.
H
ALERT: WPA isn't necessarily secure 
Linear Mode
