New Wireless Security Standard Has Old Problem?

eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."

My Dog Has Fleas?

[Trillan]

My Dog Has Fleas is a positively fantasic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

Or, of course, the infamous "password."

Re:My Dog Has Fleas?

[IM6100]

Something that amused me recently was when I installed IRIX on a cool SGI box I bought at auction.

It refused to let me use a password longer than 8 characters.

I am talking about a release of IRIX that was pressed to CD in the year 2002.

Re:one for the crypto/math freaks

[PD]

It's actually a stupid idea.

Your chance of winning the lottery is exactly the same if they change the winning numbers, or if they don't change them.

Making users change passwords does the following:

1) Annoys the users.
2) Users are likely to pick easy passwords to remember, rather than memorizing a really good password just once. Or worse, they will write the password down.
3) Does all that for no increase in security. Yay!