WPA2 passwords now vulnerable


    WPA2 passwords now vulnerable

    https://www.helpnetsecurity.com/2018...pa2-passwords/
    Luckily, protecting one’s WPA and WPA2 wireless networks against this attack is as easy as setting a complex, long and random password – and not using the one generated by the router.
    “A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    Luckily, protecting one’s WPA and WPA2 wireless networks against this attack is as easy as setting a complex, long and random password
    My immediate thought was, how long? Searching didn't help, as results are drowned by last year's KRACK vulnerability. (I use a ~24 character passphrase at home.)

    Regards, John Little


      #3
      https://www.grc.com/passwords.htm

      Test your passwords here:
      https://www.grc.com/haystack.htm
      Last edited by GreyGeek; Aug 08, 2018, 08:18 PM.


        #4
        Originally posted by jlittle
        My immediate thought was, how long? Searching didn't help, as results are drowned by last year's KRACK vulnerability. (I use a ~24 character passphrase at home.)
        24 is plenty. I'd consider anything 15+ impractical to break (but 20+ if you wish to play real safe). This attack does not make cracking the PSK any easier, it still takes just as looooong to calculate a good PSK. This attack just provides an alternate (theoretically easier) method of getting a hash you can compare your calculations to.

        I say "theoretically easier", because this method doesn't require that there are clients connected to the network (that you can force to renegotiate to get the hash from a handshake), but it doesn't make a really big difference in the real world, where there commonly are clients connected to a network.

        So this doesn't really change the playing field, all the previous rules apply, use a strong PSK and even better if you change it every once in a while (this was true even before this attack was discovered as there previously existed different methods to get the hash).

        (And it's beyond me why some security experts still recommend and use high entropy (random) passwords in this day and age...for long passwords it's pretty meaningless. A complete non-random sentence with punctuation and some numbers (for example) is generally much safer than a completely random password which is one character shorter (length and a big character set is the key with long passwords...not randomness). Randomness doesn't really make a difference for a computer cracking it, but makes it harder to remember for a human.)
        Last edited by kubicle; Aug 09, 2018, 12:23 AM.
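
The arithmetic behind the "how long?" question in #2 and the answer in #4, as an added example that is not part of any post in this thread: it derives the WPA2 key the way the standard does (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) and sizes the exhaustive search for a given passphrase. The SSID, the sample passphrases and the attacker guess rate are constructed assumptions, and the estimate models only a character-by-character search, not wordlist guessing.

```python
import hashlib
import math
import string
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def charset_size(passphrase: str) -> int:
    """Size of the character pool an exhaustive search must cover (max 95)."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in passphrase))


def search_space_bits(passphrase: str) -> float:
    """log2 of (pool size ** length): grows linearly with length."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of this length and pool."""
    return charset_size(passphrase) ** len(passphrase) / guesses_per_second / SECONDS_PER_YEAR


def local_guess_rate(ssid: str, samples: int = 20) -> float:
    """Measure how many key derivations per second this machine manages."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    ssid = "ExampleNet"          # constructed SSID
    assumed_rate = 1_000_000     # assumption: attacker guesses per second
    print(f"this machine: {local_guess_rate(ssid):.0f} derivations/s")
    for pw in ("hunter22", "Blue-Kettle-42!", "My 3 cats nap at noon, OK?"):  # constructed
        print(f"{len(pw):2d} chars  {search_space_bits(pw):6.1f} bits  "
              f"{years_to_exhaust(pw, assumed_rate):.2e} years")
```

Each candidate costs the same 4096-round derivation no matter how the hash to compare against was captured, so passphrase length and pool size are the only inputs to the estimate.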
