WEP vs. WPA/WPA2

topic posted Wed, February 15, 2006 - 7:02 AM by Don
So of course I know WEP is complete crap, but I've been hearing that WPA is a bit better... my question is, how much? Anybody have experience using (or cracking) it in the field?
posted by: Don, North Carolina
  • X

    Re: WEP vs. WPA/WPA2

    Wed, February 15, 2006 - 3:43 PM
    My impression is that any form of WPA is better than its WEP equivalent. WEP you can typically break after you download about 2 GB of traffic, but WPA has fixed most of the biggest (known) problems. There are also some add-ons you can get from places like Cisco which look good, and can be combined with WPA via a RADIUS server or the like.
  • Re: WEP vs. WPA/WPA2

    Wed, February 15, 2006 - 4:57 PM
    The one weakness of WPA is that it is still subject to dictionary attacks (e.g. a hacker can try all the dictionary words and variants until one works), so you should make sure to pick a good password (i.e. obscure and non-guessable). If you do that, WPA is quite secure.

    HTH

    Dana
    • Re: WEP vs. WPA/WPA2

      Thu, February 16, 2006 - 7:20 AM
      awesome, thanks for the tips :)
      • Re: WEP vs. WPA/WPA2

        Wed, September 6, 2006 - 11:52 AM
        At DefCon this year the guys from Church of WiFi were showing the gear needed for their dictionary attack. They have a huge dictionary file that includes a lot of "strong" passwords and can crack WPA2 in less than 5 minutes in most cases. The "strong" passwords that are in their file mostly come from actual passwords used for porn sites. Granted that most malicious users will not go through the trouble when there are still tons of open networks, it still remains important to use the strongest passwords possible, and change them often.
        • Re: WEP vs. WPA/WPA2

          Wed, September 6, 2006 - 1:43 PM

          > a huge dictionary file that includes a lot of "strong" passwords and can crack WPA2 in less than 5 minutes in most cases

          ???

          What's the technique behind this? I have always understood that a "strong" password is (in addition to meeting the organization's standards for password length, and for including characters from enough different "classes" (ucase/lcase/digits/punctuation/etc...), and for not including data that reflects the login-name or trivially-available RL data (birthday, spouses/kids names, etc)), essentially, a /unique/ (and hence not dictionary'able) one.

          For example:
          n0W-i5-teh-thym3-fir-aLl-bad-menZ-2-COM-t00-eht-AD-uv-ther-NME
          Or, shorter (and hence easier to remember):
          !_yer_Daddi0z-Pa55WyrD

          Obviously, once something is posted on a public forum like Tribe, it's subject to being dictionary'ed... but (before this) I would be VERY surprised if something like these appeared in any dictionary!


          - Steve
          (wondering if, perchance, the "huge dictionary" was a handwave to cover some other technique(s) that they didn't want seen...)
          • Re: WEP vs. WPA/WPA2

            Wed, September 6, 2006 - 4:40 PM
            The dictionary file that they used was one that had a large amount of used passwords from porn sites, ones that included numbers and such. Not sure how they obtained it, but I do know that they break passwords fast. Take a look here www.churchofwifi.org/; once there, search for wpa2 and click on cowpatty 4.0 for more info. They don't give the info on their dictionary file; they spoke of it at DefCon though.
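The reason a wordlist attack on WPA/WPA2-PSK works at all, and the reason passphrase choice is the only defence the posts above can offer, is how the pre-shared key is derived: IEEE 802.11i turns the passphrase into a 256-bit PSK with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID. The 4-way handshake can be captured passively, so every guess is checked offline against the capture and nothing the access point does per login attempt slows it down; only the 4096 iterations and the passphrase entropy cost the guesser anything. The block below is an added example written for this thread, not code from the posts, from Church of WiFi or from cowpatty. It implements that derivation, measures the per-guess cost on the local host, and compares a wordlist of the size mentioned later in the thread with random passphrases of different lengths. The SSID, passphrase and sample sizes are constructed; the measured rate is a single-core figure and should be read as a lower bound on what a guesser can do.

```python
"""WPA/WPA2-PSK: what is actually guessed offline, and what the defender controls."""
import hashlib
import math
import time

# Constructed sample values for the demo (not taken from the thread).
DEMO_SSID = "apartment-ap"
DEMO_PASSPHRASE = "correct horse battery staple"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i pre-shared-key derivation.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The passphrase itself never goes over the air; the 4-way handshake only
    proves knowledge of this PSK, and the handshake can be recorded passively,
    so guessing is an offline job against the recording.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def measure_guess_rate(ssid: str, samples: int = 50) -> float:
    """Single-core PBKDF2 throughput on this host, in candidates per second.

    This is the per-guess cost a wordlist attack pays for each entry; GPUs and
    precomputed tables make the real rate much higher, so treat it as a floor.
    """
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passphrases of exactly `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols (a wordlist is just a small keyspace)."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Guessing entropy of a uniformly chosen candidate, in bits."""
    return math.log2(candidates)


def exhaust_time_seconds(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    rate = measure_guess_rate(DEMO_SSID)
    print(f"PBKDF2 rate on this host: {rate:,.0f} guesses/s (single core)")
    cases = [
        ("5,000,000-entry wordlist", 5_000_000),
        ("8 random printable ASCII chars", keyspace(8, 95)),
        ("12 random printable ASCII chars", keyspace(12, 95)),
    ]
    for label, n in cases:
        days = exhaust_time_seconds(n, rate) / 86400
        print(f"{label}: {entropy_bits(n):.1f} bits, {days:,.1f} days to exhaust")
    # The SSID is the PBKDF2 salt: same passphrase, different SSID, different PSK.
    # A table precomputed for common default SSIDs is therefore useless against
    # a network with an uncommon one, which is a cheap defensive win.
    print("SSID changes PSK:",
          wpa_psk(DEMO_PASSPHRASE, DEMO_SSID) != wpa_psk(DEMO_PASSPHRASE, "linksys"))
```

Two things worth taking from running it: a five-million-entry list is only about 22 bits of guessing entropy, which is why the "less than 5 minutes" claim is plausible for passphrases that appear on any list, while a dozen random printable characters is over 78 bits and is out of reach at any PBKDF2 rate; and because the SSID salts the derivation, picking a non-default SSID defeats precomputed PSK tables without touching the passphrase.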
            • X

              Re: WEP vs. WPA/WPA2

              Mon, September 11, 2006 - 11:16 PM
              Well, cryptography is not, and never can be, a replacement for common sense.

              You can use techniques like filtering connections by MAC address to help with this sort of thing, but there is no substitute for training users, or for security in depth. A hardware token to generate passwords could be useful, too... they typically generate a 7-8 digit password with a lifetime of 1 minute, so at 50 login attempts per second, they could be sure of getting in eventually with an all-numeric attack -- but it would take them an average of 28 hours (or 280 if 8-digit), and the password that finally worked would never work again.

              It would be nice, though, if more implementors would show some thought in setting things up. No WAP or similar device should ever need to allow many login attempts per second. Ten per minute per user should be plenty, and then going through that list of 5,000,000 passwords would take 347 days, and the 7-digit hardware token password twice that long. Maybe even have an option to lock the account after a given number of failed login attempts? These things aren't rocket science.
              • Re: WEP vs. WPA/WPA2

                Thu, September 14, 2006 - 2:45 PM
                And the user would be potentially blocked out while the device is being hammered by the attacker who is consuming the 10/min max. Or worse, totally blocked out after the account is locked.

                Which means users calling tech support. Often.

                Most vendors implement features balancing the cost against support. i.e.: how can we implement X so that it will not cause a rise in support calls.
                • Re: WEP vs. WPA/WPA2

                  Thu, September 14, 2006 - 3:09 PM
                  That is always the fine line to walk, isn't it? The line between a very secure network and user friendliness and accessibility. It's always a question that is of great importance: what is the worst that can happen if we leave this a little less secure so that we have to answer fewer support calls? And there really is no easy answer to that one.
                  • Re: WEP vs. WPA/WPA2

                    Fri, September 15, 2006 - 9:40 AM

                    <nod>

                    So much of the Internet & internet protocols arose out of academia, where "free sharing of information" is not only the "norm" -- it's a professional standard, and NOT to share is UNprofessional. Yes, yes, I *do* know what the "D" in "DARPA" stands for. Nevertheless, I stand by the position that the /academic/ standards of openness (rather than the military standards of security) dominated the early internet.

                    My big problem with this is that it seems to me trivially obvious that, when someone's hammering away (10 login attempts / minute vs. a single account (or, more subtly, 10 login attempts / minute FROM a certain IP (what if they're trying multiple accounts simultaneously, to avoid hitting 10/min vs ONE acct?)...)), it may be appropriate to lock that account & log both the attempts and the lock-action... but it's NOT appropriate to stop there! And, it seems to me, so VERY many shops DO (by default) stop there. If I've logged certain knowledge, or even a very strong indication, that someone is trying to hack my system, I want that system to be SCREAMING for my attention!

                    That way, when the support call(s) hit, "Hi, I'm Joe Smith, I can't login with my usual login "joes," now what do I do?" I can be ready with a solution (drill a pinhole in a firewall, enable the login for a specific IP, etc...) Yeah, it's more work... but that (IMHO) is www-security theze daze... o_O


                    - Steve
                    • Re: WEP vs. WPA/WPA2

                      Fri, September 15, 2006 - 11:05 AM
                      Yes, and now that raises the bar to organizations with actual support desks.

                      What about smaller companies? What about home users? To them, the equipment "just broke." The support calls I was referencing are those going to the equipment vendors, NOT a site-specific organization. Because, really, where is the support line for an AP sitting on top of a DSL modem in the corner of an apartment?

                      We are well past the standards being defined by academia. It's business interests for quite some time now. To them, it has to do with the minimum they can implement that keeps support costs down and doesn't garner them negative publicity. I wouldn't be surprised to see that a standard portion of a design doc template for these companies included a section on impact to the support center.
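The lockout sub-thread above raises three points that fit together in one piece of logic: a limit of roughly ten attempts per minute, the objection that a hard per-account lock lets whoever is hammering the account lock the real user out, and Steve's point that crossing the limit should raise an alert rather than silently lock (including the case where the guesses are spread across many accounts so no single account hits the limit). The block below is an added example written for this thread, not code from any post or vendor. It throttles per source, locks an account only for a short window, and records an alert each time a threshold is crossed. The log format and addresses are constructed (documentation ranges), and it applies to online logins such as a captive portal, RADIUS or an admin UI; it does nothing for WPA-PSK itself, where guessing happens offline against a captured handshake.

```python
"""Failed-login tracking that throttles per source, locks per account only briefly,
and raises an alert, instead of silently locking and waiting for the support call."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample auth log (not from the thread): one source hammers one
# account, then a second source spreads guesses across several accounts so that
# no single account reaches the per-account limit.
SAMPLE_LOG = "\n".join(
    [f"2006-09-15T09:40:{s:02d} FAIL user=joes src=198.51.100.7" for s in range(10)]
    + [f"2006-09-15T09:42:{s:02d} FAIL user={u} src=203.0.113.9"
       for s, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["2006-09-15T09:42:30 OK user=alice src=192.0.2.10"]
)


def parse_line(line: str):
    """Return (timestamp, account, source) for a FAIL record, else None."""
    ts, status, user, src = line.split()
    if status != "FAIL":
        return None
    return (datetime.fromisoformat(ts), user.split("=", 1)[1], src.split("=", 1)[1])


@dataclass
class LoginGuard:
    window: timedelta = timedelta(minutes=1)
    per_account_limit: int = 10      # the "ten per minute" figure from the thread
    per_source_limit: int = 10
    spray_accounts: int = 5          # distinct accounts tried from one source in the window
    lock_for: timedelta = timedelta(minutes=5)   # short lock: the real user is delayed, not cut off
    _by_account: dict = field(default_factory=lambda: defaultdict(deque))
    _by_source: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _prune(self, q: deque, now: datetime) -> None:
        # Drop entries that have slid out of the window.
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record_failure(self, now: datetime, account: str, source: str) -> list:
        """Record one failed attempt; return the alerts this event triggered."""
        fired = []
        acct_q, src_q = self._by_account[account], self._by_source[source]
        acct_q.append((now, source))
        src_q.append((now, account))
        self._prune(acct_q, now)
        self._prune(src_q, now)
        # Equality checks so each threshold alerts once per burst, not once per event.
        if len(acct_q) == self.per_account_limit:
            self._locked_until[account] = now + self.lock_for
            fired.append(f"account_lock account={account} last_src={source}")
        if len(src_q) == self.per_source_limit:
            fired.append(f"source_throttle src={source}")
        if len({a for _, a in src_q}) == self.spray_accounts:
            fired.append(f"password_spray src={source} accounts={self.spray_accounts}")
        self.alerts.extend(fired)
        return fired

    def is_blocked(self, now, account: str, source: str) -> bool:
        """Should this attempt be refused before the password is even checked?"""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        if self._locked_until.get(account, now) > now:
            return True
        src_q = self._by_source[source]
        self._prune(src_q, now)
        return len(src_q) >= self.per_source_limit


def build_guard(log_text: str) -> LoginGuard:
    """Replay a log through a fresh guard and return it."""
    guard = LoginGuard()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            guard.record_failure(*rec)
    return guard


def run(log_text: str) -> list:
    """Replay a log and return every alert raised, in order."""
    return build_guard(log_text).alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Replaying the sample produces three alerts: the account lock and the source throttle fire together on the tenth attempt against joes, and the spray alert fires when the second source has touched five distinct accounts, which a per-account counter alone would never notice. Because the lock expires after five minutes and the source throttle is keyed on the attacker's address, the legitimate user is delayed during the burst rather than locked out until someone calls support.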
  • Re: WEP vs. WPA/WPA2

    Wed, September 6, 2006 - 9:36 PM
    Try LEAP or PEAP. I've used both with Cisco equipment. Or just tunnel all your connections.
    • Re: WEP vs. WPA/WPA2

      Sat, September 16, 2006 - 3:41 AM
      I'm with X, why not tie log-ins to MAC addresses instead of relying on passwords? Most home users would not know this and it might be a learning curve, but why not? On most real professional networks, they don't rely on this weak form, WEP, of security, anyway.

      • Re: WEP vs. WPA/WPA2

        Sat, September 16, 2006 - 2:13 PM
        Anyone can sniff/fake a wireless MAC address. This is especially true for air interfaces like 802.11a/b/g.
        • Re: WEP vs. WPA/WPA2

          Fri, September 29, 2006 - 4:46 PM

          > Anyone can sniff/fake a wireless MAC address.

          And then there's replacing failed h/w, upgrading to better h/w, etc.

          When you use hardware-based security, most implementations IME get lazy in ways that are a ROYAL PITA when replacing h/w...


          - Steve S.
    • Re: WEP vs. WPA/WPA2

      Fri, September 29, 2006 - 8:47 AM
      LEAP/PEAP are authentication, not encryption. Doesn't keep someone from sniffing your traffic or pretending to be you.

      WEP and WPA are considered weak. WPA2 with a proper password is not easy to crack.

      Still, my preference is to just use wide open wireless networks, and a secure VPN to anything important.
      • Re: WEP vs. WPA/WPA2

        Fri, September 29, 2006 - 8:49 AM
        (clarification, they do protect someone from pretending to be you when authenticating to your server, but if an intruder can still see all your network traffic they can use your identity in other ways.)
