Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Wireless Security Standard Has Old Problem?

Posted by simoniker on from the it's-always-something dept.

eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."

4 of 249 comments (clear)

  1. My Dog Has Fleas? by Trillan · · Score: 4, Interesting

    My Dog Has Fleas is a positively fantasic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

    Or, of course, the infamous "password."

    1. Re:My Dog Has Fleas? by IM6100 · · Score: 4, Interesting

      Something that amused me recently was when I installed IRIX on a cool SGI box I bought at auction.

      It refused to let me use a password longer than 8 characters.

      I am talking about a release of IRIX that was pressed to CD in the year 2002.

      --
      A Good Intro to NetBS
  2. Re:At least use WEP! by Malor · · Score: 3, Interesting

    I f you have a Linux firewall, just add another network card and move the wireless traffic off onto its own segment. Tunnel the laptop to either the firewall or a desktop machine behind it; one easy way is by running squid on a Linux box, connecting to it with SSH, and routing local port 3128 to remote port 3128. Then configure IE to use 127.0.0.1:3128 as your proxy port. Disallow all traffic except SSH to your LInux server, make sure you run a firewall on your laptop, and disallow wireless administration of the access point. This should give you a fairly secure wireless network.

    If you need additional services, you can tunnel those too; ssh can do it for free via Cygwin, but it takes a little time to set up. (each port requires a separate ssh command; you can script them if you always need several). You can also use a payware program like SecureCRT to forward multiple ports with a nice GUI interface.

    With this kind of setup, WEP becomes essentially irrelevant. In fact, it may be a detriment, simply because you may get sloppy about not setting up your tunnels if you think maybe you're not being watched.

    You can also do IPSEC, which will work with anything and won't require specific tunneled ports, but that's a lot more complex. SSH is simple, fast, easy, and pretty secure.

  3. Re:one for the crypto/math freaks by PD · · Score: 4, Interesting

    It's actually a stupid idea.

    Your chance of winning the lottery is exactly the same if they change the winning numbers, or if they don't change them.

    Making users change passwords does the following:

    1) Annoys the users.
    2) Users are likely to pick easy passwords to remember, rather than memorizing a really good password just once. Or worse, they will write the password down.
    3) Does all that for no increase in security. Yay!

    --
    If tits were wings it'd be flying around.