#1 (permalink) 07-16-2007, 02:44 PM
John Navas
ALERT: WPA isn't necessarily secure

SUMMARY:

WPA-PSK is vulnerable to offline attack.

TO AVOID THE PROBLEM:

USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean"
(pick your own words, even longer is better)
FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.

BACKGROUND:

Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
<http://wifinetnews.com/archives/002452.html>

...
The offline PSK dictionary attack
...
Just about any 8-character string a user may select will be in the
dictionary. As the standard states, passphrases longer than 20 characters
are needed to start deterring attacks. This is considerably longer than
most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.
...
Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
number for human entry; 20 character passphrases are considered too long
for entry. Given the nature of the attack against the 4-Way Handshake, a
PSK with only 128 bits of security is really sufficient, and in fact
against current brute-strength attacks, 96 bits SHOULD be adequate. This is
still larger than a large passphrase ...
...
Summary
...
Pre-Shared Keying is provided in the standard to simplify deployments in
small, low risk, networks. The risk of using PSKs against internal attacks
is almost as bad as WEP. The risk of using passphrase based PSKs against
external attacks is greater than using WEP. Thus the only value PSK has is
if only truly random keys are used, or for deploy testing of basic WPA or
802.11i functions. PSK should ONLY be used if this is fully understood by
the deployers.

See also:
Passphrase Flaw Exposed in WPA Wireless Security
<http://www.technewsworld.com/story/32070.html>

Wi-Fi Protected Access. Security in pre-shared key mode
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>

Cracking Wi-Fi Protected Access (WPA)
<http://www.ciscopress.com/articles/article.asp?p=369221>
<http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>

WPA Cracker
<http://www.tinypeap.com/html/wpa_cracker.html>

#2 (permalink) 07-17-2007, 01:29 AM
Airman Thunderbird
Re: ALERT: WPA isn't necessarily secure


How about something like this:
https://www.grc.com/passwords.htm

John Navas wrote:
> SUMMARY:
>
> WPA-PSK is vulnerable to offline attack.


#3 (permalink) 07-17-2007, 02:34 AM
John Navas
Re: ALERT: WPA isn't necessarily secure

GRC is a really, really bad idea!

Steve Gibson (aka GRC) is a shameless snake oil salesman with no real
expertise in security (case in point:
<http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/>), and the
password generator on the GRC site is of dubious quality and value --
the things said about it are patent nonsense.

Use Password Safe instead, created by noted cryptographer Bruce
Schneier, and subjected to open source scrutiny.

Another good easy way to generate truly strong passwords (or
passphrases) for any platform is Diceware
<http://world.std.com/~reinhold/diceware.html>.


On Mon, 16 Jul 2007 20:29:51 -0500, Airman Thunderbird
<airman.basic@gmail.com> wrote in
<DKadnVcHq-cShgHbnZ2dnUVZ_gKdnZ2d@netdoor.com>:

>How about something like this:
>https://www.grc.com/passwords.htm
>
>John Navas wrote:
>> SUMMARY:
>>
>> WPA-PSK is vulnerable to offline attack.


--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#4 (permalink) 07-17-2007, 08:11 AM
Axel Hammerschmidt
Re: ALERT: WPA isn't necessarily secure

Airman Thunderbird <airman.basic@gmail.com> wrote:

> John Navas wrote:
>
> > SUMMARY:
> >
> > WPA-PSK is vulnerable to offline attack.

>
> How about something like this:
> https://www.grc.com/passwords.htm


Very useful.

#5 (permalink) 07-17-2007, 02:49 PM
John Navas
Re: ALERT: WPA isn't necessarily secure

On Tue, 17 Jul 2007 10:11:12 +0200, hlexa@hotmail.com (Axel
Hammerschmidt) wrote in <1i1e44p.2336j81a0zegwN%hlexa@hotmail.com>:

>Airman Thunderbird <airman.basic@gmail.com> wrote:
>
>> John Navas wrote:
>>
>> > SUMMARY:
>> >
>> > WPA-PSK is vulnerable to offline attack.

>>
>> How about something like this:
>> https://www.grc.com/passwords.htm

>
>Very useful.


Actually a very bad idea. See my prior response.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#6 (permalink) 07-17-2007, 11:05 PM
Mark McIntyre
Re: ALERT: WPA isn't necessarily secure

On Tue, 17 Jul 2007 02:34:48 GMT, in alt.internet.wireless , John
Navas <spamfilter1@navasgroup.com> wrote:

>GRC is a really, really bad idea!
>
>Steve Gibson (aka GRC) is a shameless snake oil salesman


Note to casual readers: there are varying opinions of grc.com, so make
up your own mind.

><http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/>),


I love the register, but bear in mind that it's a newspaper. Not
everything in it is entirely correct, and just occasionally they do
journalistically overemphasise the actualite....

--
Mark McIntyre

#7 (permalink) 07-17-2007, 11:08 PM
Mark McIntyre
Re: ALERT: WPA isn't necessarily secure

On Tue, 17 Jul 2007 14:49:44 GMT, in alt.internet.wireless , John
Navas <spamfilter1@navasgroup.com> wrote:

>On Tue, 17 Jul 2007 10:11:12 +0200, hlexa@hotmail.com (Axel
>Hammerschmidt) wrote in <1i1e44p.2336j81a0zegwN%hlexa@hotmail.com>:
>
>>Airman Thunderbird <airman.basic@gmail.com> wrote:
>>
>>> John Navas wrote:
>>>
>>> > SUMMARY:
>>> >
>>> > WPA-PSK is vulnerable to offline attack.
>>>
>>> How about something like this:
>>> https://www.grc.com/passwords.htm

>>
>>Very useful.

>
>Actually a very bad idea. See my prior response.


Can I suggest that you provide some evidence that the grc password
generator is bad? As opposed to trotting out the party Anti-Gibson
line, that is.
--
Mark McIntyre

#8 (permalink) 07-18-2007, 01:19 AM
John Navas
Re: ALERT: WPA isn't necessarily secure

On Wed, 18 Jul 2007 00:08:02 +0100, Mark McIntyre
<markmcintyre@spamcop.net> wrote in
<oqiq93l18t3svckmbaohm7pul18rl8lhib@4ax.com>:

>On Tue, 17 Jul 2007 14:49:44 GMT, in alt.internet.wireless , John
>Navas <spamfilter1@navasgroup.com> wrote:
>
>>On Tue, 17 Jul 2007 10:11:12 +0200, hlexa@hotmail.com (Axel
>>Hammerschmidt) wrote in <1i1e44p.2336j81a0zegwN%hlexa@hotmail.com>:
>>
>>>Airman Thunderbird <airman.basic@gmail.com> wrote:
>>>
>>>> John Navas wrote:
>>>>
>>>> > SUMMARY:
>>>> >
>>>> > WPA-PSK is vulnerable to offline attack.
>>>>
>>>> How about something like this:
>>>> https://www.grc.com/passwords.htm
>>>
>>>Very useful.

>>
>>Actually a very bad idea. See my prior response.

>
>Can I suggest that you provide some evidence that the grc password
>generator is bad? As opposed to trotting out the party Anti-Gibson
>line, that is.


It's patently bad, as anyone in security would tell you. We have no
idea how it actually works, who has access to the passwords, or who
might have hacked the website. Without peer review, it's the same as
unsafe sex. Worse, the statements on the website are patent baloney.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#9 (permalink) 07-18-2007, 12:21 PM
Warren Oates
Re: ALERT: WPA isn't necessarily secure

In article <rfqq935suhvrj625a8qe8o425qr551l7t2@4ax.com>,
John Navas <spamfilter1@navasgroup.com> wrote:

> It's patently bad, as anyone in security would tell you. We have no
> idea how it actually works, who has access to the passwords, or who
> might have hacked the website. Without peer review, it's the same as
> unsafe sex. Worse, the statements on the website are patent baloney.


Unless I'm mistaken, WPA will only take an alphanumeric password up to
63 characters, right? This is trivial to generate on your own computer,
which is (hopefully) otherwise secured, using a decent "seed."

There's a lovely obscure and elegantly silly Bash shell script for this
in The Advanced Bash Scripting Guide, relies on this:

PASS="$PASS${MATRIX:$(($RANDOM%${#MATRIX})):1}"

<http://www.faqs.org/docs/abs/HTML/contributed-scripts.html#PW>
--
W. Oates
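
The passphrase-length advice in the first post and the "generate it on your own computer" suggestion in the post above, as an added example that is not part of the original thread: it draws keys from the operating system's CSPRNG via Python's secrets module, and computes how many random symbols reach the 96-bit and 128-bit levels quoted from the Moskowitz paper. The 94-character alphabet, the function names and the sample SSID are assumptions of this example; the passphrase-to-PSK mapping is the one defined in IEEE 802.11i, which the thread does not spell out.

```python
import hashlib
import math
import secrets
import string

# Assumed alphabet for this example: the 94 printable ASCII characters
# without the space (WPA passphrases are 8 to 63 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def min_length(symbols: int, target_bits: int) -> int:
    """Fewest independent uniform picks from `symbols` choices that reach target_bits."""
    return math.ceil(target_bits / math.log2(symbols))

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` independent uniform picks; meaningless for human-chosen text."""
    return length * math.log2(symbols)

def random_passphrase(length: int = 63) -> str:
    """Passphrase drawn from the OS CSPRNG on the local machine."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_hex_psk() -> str:
    """256-bit key as 64 hex digits, entered in place of a passphrase."""
    return secrets.token_hex(32)

def derive_psk(passphrase: str, ssid: str) -> str:
    """IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits.
    It is deterministic and uses only public inputs plus the passphrase, so the
    key is exactly as strong as the passphrase is hard to guess."""
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return raw.hex()

if __name__ == "__main__":
    schemes = (("lowercase letters", 26), ("printable ASCII", 94), ("Diceware words", 7776))
    for name, symbols in schemes:
        print(f"{name:18} 96 bits: {min_length(symbols, 96):2}   "
              f"128 bits: {min_length(symbols, 128):2}")
    print("63 random characters:", round(entropy_bits(94, 63)), "bits")
    print("passphrase:", random_passphrase())
    print("hex PSK:   ", random_hex_psk())
    # Constructed sample SSID; the passphrase is the BAD example from the first post.
    print("derived:   ", derive_psk("vintage wine", "ExampleNet"))
```

The length figures hold only for symbols or words picked uniformly at random (dice, a CSPRNG); a phrase a person thinks up has far less entropy than its length suggests.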

#10 (permalink) 07-18-2007, 10:50 PM
Mark McIntyre
Re: ALERT: WPA isn't necessarily secure

On Wed, 18 Jul 2007 01:19:56 GMT, in alt.internet.wireless , John
Navas <spamfilter1@navasgroup.com> wrote:

>On Wed, 18 Jul 2007 00:08:02 +0100, Mark McIntyre


>>Can I suggest that you provide some evidence that the grc password
>>generator is bad? As opposed to trotting out the party Anti-Gibson
>>line, that is.

>
>It's patently bad, as anyone in security would tell you.


This is a repetition of what you said earlier, with an irrelevant
appeal to higher authority tacked on the end.

>We have no
>idea how it actually works, who has access to the passwords, or who
>might have hacked the website.


Fear Uncertainty and Doubt....

By the way, how much idea do you have about how the MOD's security
actually works, who has access to passwords, who might have hacked
their websites? Does that make their security 'patently bad'?

>Without peer review, it's the same as unsafe sex.


By this definition, any non-opensource security programme is useless
unsafe junk, including Cisco firewalls, all commercial AV systems and
the IDS used by Nasa. I don't buy that ludicrous argument.

>Worse, the statements on the website are patent baloney.


In other words, the anti-gibson bandwagon rolls on, unencumbered by
any need to provide evidence.

Let me be clear: I have no opinion to offer about Gibson's products as
I don't use and have not carried out an audit of the software. On the
other hand, I therefore don't feel qualified to spread unsubstantiated
rumour about their quality and fitness for purpose.

When someone produces actual evidence of serious flaws in the product
(as opposed to flaws in the marketing bullsh*t which frankly can be
found on far more prestigious websites than grc.com) then if they
publish it for review, I'll read and make up my own mind.

--
Mark McIntyre

#11 (permalink) 08-16-2007, 06:37 AM
John Navas
Re: ALERT: WPA isn't necessarily secure

On Wed, 18 Jul 2007 23:50:35 +0100, Mark McIntyre
<markmcintyre@spamcop.net> wrote in
<el5t93126tbngvsbnpph6d33j72174mels@4ax.com>:

>On Wed, 18 Jul 2007 01:19:56 GMT, in alt.internet.wireless , John
>Navas <spamfilter1@navasgroup.com> wrote:


>>It's patently bad, as anyone in security would tell you.

>
>This is a repetition of what you said earlier, with an irrelevant
>appeal to higher authority tacked on the end.


Actually lots of confirmation on the Internet.

>>We have no
>>idea how it actually works, who has access to the passwords, or who
>>might have hacked the website.

>
>Fear Uncertainty and Doubt....
>
>By the way, how much idea do you have about how the MOD's security
>actually works, who has access to passwords, who might have hacked
>their websites? Does that make their security 'patently bad'?


More than you apparently think. ;)

>>Without peer review, it's the same as unsafe sex.

>
>By this definition, any non-opensource security programme is useless
>unsafe junk, including Cisco firewalls, all commercial AV systems and
>the IDS used by Nasa. I don't buy that ludicrous argument.


Pretty much, your opinion notwithstanding.

>>Worse, the statements on the website are patent baloney.

>
>In other words, the anti-gibson bandwagon rolls on, unencumbered by
>any need to provide evidence.


On the contrary -- been there, done that.

>Let me be clear: I have no opinion to offer about Gibson's products as
>I don't use and have not carried out an audit of the software. On the
>other hand, I therefore don't feel qualified to spread unsubstantiated
>rumour about their quality and fitness for purpose.
>
>When someone produces actual evidence of serious flaws in the product
>(as opposed to flaws in the marketing bullsh*t which frankly can be
>found on far more prestigious websites than grc.com) then if they
>publish it for review, I'll read and make up my own mind.


Again, been there, done that.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#12 (permalink) 08-16-2007, 09:07 PM
Mark McIntyre
Re: ALERT: WPA isn't necessarily secure

On Thu, 16 Aug 2007 06:37:05 GMT, in alt.internet.wireless , John
Navas <spamfilter1@navasgroup.com> wrote:

>On Wed, 18 Jul 2007 23:50:35 +0100, Mark McIntyre
><markmcintyre@spamcop.net> wrote in
><el5t93126tbngvsbnpph6d33j72174mels@4ax.com>:
>
>>On Wed, 18 Jul 2007 01:19:56 GMT, in alt.internet.wireless , John
>>Navas <spamfilter1@navasgroup.com> wrote:

>
>>>It's patently bad, as anyone in security would tell you.

>>
>>This is a repetition of what you said earlier, with an irrelevant
>>appeal to higher authority tacked on the end.

>
>Actually lots of confirmation on the Internet.


No, lots of FUD on the internet.

>>By this definition, any non-opensource security programme is useless
>>unsafe junk, including Cisco firewalls, all commercial AV systems and
>>the IDS used by Nasa. I don't buy that ludicrous argument.

>
>Pretty much, your opinion notwithstanding.


Then frankly, you're an idiot. My opinion notwithstanding.

>>In other words, the anti-gibson bandwagon rolls on, unencumbered by
>>any need to provide evidence.

>
>On the contrary -- been there, done that.


Like I said, unencumbered by the need to provide evidence.
--
Mark McIntyre
