Slashdot Mirror


With WPA3, Wi-Fi Security is About To Get a Lot Tougher (zdnet.com)

One of the biggest potential security vulnerabilities -- public Wi-Fi -- may soon get its fix. From a report: The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things.

One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scrambles the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated.
Further reading: WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago


  1. Freudian slip, anyone? by davecb · · Score: 5, Insightful
    I'd hope security would get better, but maybe it does just get tougher (;-))

    --dave
    [English, ambiguity is your middle name]

    --
    davecb@spamcop.net
    1. Re:Freudian slip, anyone? by Anonymous Coward · · Score: 1

      "The standard will replace WPA2, a near-two decades-old security protocol"

      More ZDNet hyperbole. WPA2 was ratified 24 June 2004, which is roughly 13.5 years ago - nowhere close to two decades.

    2. Re:Freudian slip, anyone? by Anonymous Coward · · Score: 1

      Ha, I fooled you! My password is "abc12321cba" so there!

    3. Re:Freudian slip, anyone? by arglebargle_xiv · · Score: 2
      And it's going to use:

      a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems

      which decrypts to:

      a security suite created by a front for the NSA

      I think I'll stay with KRACK-patched WPA2, thanks.

    4. Re:Freudian slip, anyone? by jrumney · · Score: 1

      Given that it relies on a new "CNSA" encryption algorithm (C for Circumventable), I think WPA2 is going to be with us for a while longer.

    5. Re:Freudian slip, anyone? by KozmoStevnNaut · · Score: 1

      For wifi, you can generate a QR code that will let devices easily connect. This lets you use a long randomly-generated passphrase, without the hassle of having to type it in manually.

      It's extremely convenient if you have guests over.

      --
      Eat the rich.
    6. Re:Freudian slip, anyone? by KozmoStevnNaut · · Score: 1

      Any newer Android phone will recognize QR codes in the camera app, but you don't take a picture. You let the app recognize the QR, which usually takes a second or two. If not, get the QR Droid app.

      QR codes are everywhere, it's extremely unlikely that this is the first time they've had to use one.

      --
      Eat the rich.
  2. Better, but not best. by MachineShedFred · · Score: 5, Insightful

    Yes, this will prevent open-air sniffing of your packets.

    VPN or HTTPS is still better, because after those packets arrive at the access point, they are unencrypted over whatever wire the AP is plugged into. WPA only covers the wireless link; HTTPS or VPN (or both!) encrypt much farther through the network, if not the whole way.

    The first thing I do on an open WiFi network is connect to a VPN.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Better, but not best. by Hal_Porter · · Score: 4, Insightful

      It doesn't hurt to have multiple redundant levels of security. I.e. HTTPS over VPN over WPA3.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:Better, but not best. by ledow · · Score: 3, Interesting

      Indeed. I used to VPN over my internal Wifi that only I knew the password for.

      WEP was cracked? Didn't matter.
      VPN software was cracked? Didn't matter.
      WPA was cracked? Didn't matter.

      So long as they aren't ALL cracked at the same time, you're safe. And there was no measurable latency or other additions, but full end-to-end verification and encryption, TWICE. I used to game CS over it.

      Give yourself enough layers and you don't have a window where you're vulnerable to compromise, whereas everyone just reliant on "WPA2 being secure" does. This gives you time to update, replace hardware, change settings, test if you're vulnerable, etc.

    3. Re:Better, but not best. by sexconker · · Score: 3, Insightful

      A cert is just a password in a file. If you're using an external cert authority you have additional weaknesses with them and anyone up the chain (and governments).

      A strong password is the best security option there is.

      The only security benefit certs provide is revocation, but that can just as easily be implemented with passwords if you want. Just publish a list of hashes that are invalid. It can be a unique hash if you also publish a new salt alongside it, but it doesn't matter. (The username, hash, and salt are considered to be non-secret. If your encryption is strong and no one is using retarded passwords, it doesn't matter if those things are public.)

      Expiration already is handled with passwords.

    4. Re:Better, but not best. by houghi · · Score: 1

      One does not exclude the other.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Better, but not best. by VeryFluffyBunny · · Score: 1

      Yes, this will prevent open-air sniffing of your packets.

      Hey babe, you can sniff my packets anytime ;)

      But seriously, yes, going on public WiFi without a VPN is like having casual sex without condoms: Sooner or later, you're gonna get infected with something nasty.

      --
      Debate is a form of harassment. Do not question my truth.
    6. Re:Better, but not best. by Njovich · · Score: 1

      A properly set up VPN is better, yes. However, in the real world many people either can't or won't use a VPN. For those cases this would be a massive security improvement.

    7. Re:Better, but not best. by fisted · · Score: 1

      A cert is just a password in a file.

      That's bullshit. If a cert is "just a password in a file", how come I can (and have to) send you that file in order to authenticate against you? If I send you my password, I'm fucked; if I send you my cert, I'm not.

      But since your understanding of X.509 is obviously crappy, I'm not convinced you're convinced yet, so let me put this in simpler terms: If a cert is a password in a file, and a cert is a data structure built around a public key, then what is the public key? Also a password in a file?

      The closest to a "password in a file" would be the private key, but even that isn't really a good comparison, because you never transmit your private key anywhere, ever. Plus, even shitty private keys (1024 bits) are way stronger, entropy-wise, than a password so there's that, too.

      Last but not least, it's commonplace to encrypt your private key. With a passphrase. So *there*'s your password, not the keys and not at all the cert. Geez.

      HTH

    8. Re:Better, but not best. by Strider- · · Score: 1

      The first thing I do on an open WiFi network is connect to a VPN.

      For better or worse, you do that on my network, you're going to get QoS'd to hell. Not because I'm against VPNs, but just due to the nature of the QoS I'm running. At my choke point, I'm running weighted fair queuing. There are something like 2000 queues, and packets get dumped in a queue based on a hash of the source/destination ip and port number combos. Since all your traffic is going through the VPN, it's all going through a single connection, and thus winds up in a single queue, while my https request winds up in 5 or 10 queues simultaneously. Of course, I'm doing this because I have 70 to 100 people hanging off a 3.3Mbps satellite link, but that's the way it goes.

      VPNs are great and all, but you need to understand the ramifications and limitations.

      --
      ...si hoc legere nimium eruditionis habes...
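Added example (not part of the comment above or of the original page): a simplified model of the hash-based fair queuing that comment describes, showing why one VPN tunnel lands in a single queue while a browser's parallel connections spread over several. The CRC32 hash, the equal-share-per-active-queue model, the function names and all addresses are assumptions for illustration.

```python
import zlib

NUM_QUEUES = 2000   # "something like 2000 queues" (from the comment)
LINK_KBPS = 3300    # 3.3 Mbps satellite link (from the comment)


def queue_index(src_ip, src_port, dst_ip, dst_port):
    """Map a flow to a queue by hashing its addresses and ports.

    CRC32 is an assumed stand-in; the comment does not say which hash is used.
    """
    key = f"{src_ip}:{src_port}-{dst_ip}:{dst_port}".encode()
    return zlib.crc32(key) % NUM_QUEUES


def queues_used(flows):
    """Number of distinct queues a set of flows occupies."""
    return len({queue_index(*flow) for flow in flows})


def per_user_share(flows_by_user):
    """Bandwidth per user when every active queue gets an equal slice.

    Simplification: all flows are assumed backlogged, and a queue shared by
    several flows is split evenly between them.
    """
    occupancy = {}  # queue index -> one user entry per flow in that queue
    for user, flows in flows_by_user.items():
        for flow in flows:
            occupancy.setdefault(queue_index(*flow), []).append(user)
    if not occupancy:
        return {user: 0.0 for user in flows_by_user}
    per_queue = LINK_KBPS / len(occupancy)
    share = {user: 0.0 for user in flows_by_user}
    for users in occupancy.values():
        for user in users:
            share[user] += per_queue / len(users)
    return share


def sample_flows():
    """Constructed traffic: one tunnel versus eight parallel HTTPS connections."""
    # Every packet of the VPN user carries the same outer addresses and ports.
    vpn = [("10.0.0.11", 51820, "203.0.113.10", 1194)]
    # Each browser connection uses its own source port, so it hashes separately.
    browser = [("10.0.0.12", 40000 + i, "198.51.100.20", 443) for i in range(8)]
    return {"vpn_user": vpn, "browser_user": browser}


if __name__ == "__main__":
    flows = sample_flows()
    for user, kbps in per_user_share(flows).items():
        print(f"{user}: {queues_used(flows[user])} queue(s), {kbps:.0f} kbps")
```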
    9. Re:Better, but not best. by Anubis+IV · · Score: 4, Funny

      While all of that is good, nothing beats a wired Ethernet connection. That's why I always connect via Ethernet to wireless routers I bring with me that I've configured to act as bridges for the public WiFi hotspots I visit. I get the low latency and security of a wired connection while also gaining the benefits of wireless. It's the best of both worlds.

      Note that I said "routers", plural. For maximum convenience, I've purchased separate wireless routers for each public hotspot I visit, that way I don't have to waste any time reconfiguring them each time I visit a different hotspot. I just pull out the appropriate one, plug it into my UPS, and away I go with simple but secure Internet surfing. And adding VPN to the mix is as easy as using Ethernet to connect a VPN-serving router to the bridge-mode router, then using a cellular hotspot to connect to the VPN. You still get all the benefits of both a wired connection and VPN while being able to enjoy Internet access anywhere you can find a public hotspot. As a nice bonus, you only ever need one VPN-serving router and one cellular hotspot in total, rather than one device per hotspot as was the case with my bridge-mode routers, so it saves on costs.

      Some might try to suggest that even with those savings it still costs more than it's worth, but I don't think you can put a price on the level of convenience, security, and speed that I enjoy thanks to this setup.

    10. Re:Better, but not best. by Strider- · · Score: 1

      But seriously, yes, going on public WiFi without a VPN is like having casual sex without condoms: Sooner or later, you're gonna get infected with something nasty.

      People keep saying this, but it's simply not true. Anything of any import, even damned cat videos, are secured by https these days. If someone sniffs your packets, all they see is cyphertext, basically indistinguishable from line noise. If they try to inject something your browser should be throwing up a big SSL violation warning. Besides, even if the wifi is secure, is the AP? The router? the next hop after that? Once it gets off the air, it's in the clear anyway.

      --
      ...si hoc legere nimium eruditionis habes...
    11. Re: Better, but not best. by Strider- · · Score: 1

      3.3 shared by 50+ people. ;)

      That said, it's in the ass end of nowhere east of Seattle, in some of the most rugged terrain you've ever seen. Bringing in fixed wireless would require probably close to a million bucks just to construct (plus an act of congress, no joke), and fiber would be akin to laying an oceanic cable, through a lake. So satellite it is.

      --
      ...si hoc legere nimium eruditionis habes...
    12. Re:Better, but not best. by Zaelath · · Score: 1

      And this is why people who understand PKI make the big bucks...

    13. Re:Better, but not best. by FuzzyDaddy2 · · Score: 1

      If you're running a VPN over a satellite link, you've broken your TCP acceleration and are going to get very slow TCP connections in any event.

    14. Re: Better, but not best. by tepples · · Score: 1

      Microwaves are fixed wireless. Thus it "would require probably close to a million bucks just to construct (plus an act of congress, no joke)".

    15. Re:Better, but not best. by fisted · · Score: 1

      That you think two different strings of texts are different

      That you think two different strings are not different is, frankly, retarded.

      and one has magical powers is cute.

      I'm not saying one has magical powers, I'm just pointing out that there's a substantial difference between password-based authentication and X.509-based authentication. Anyway, I'm not going to explain it again since it's obviously over your head.

    16. Re:Better, but not best. by Anubis+IV · · Score: 1

      Sorry, I couldn’t hear you over the sound of my UPS beeping at me as I enjoy my convenient, wired connection at a local wireless hotspot. Were you saying something that clearly missed the point of what I was saying? Because I think you were.

    17. Re:Better, but not best. by MikeBabcock · · Score: 1

      A cert is nothing like a password in a file. You should learn what RSA is.

      --
      - Michael T. Babcock (Yes, I blog)
    18. Re:Better, but not best. by sexconker · · Score: 1

      A cert represents a secret.
      A password is a secret.

      When someone downloads your cert they can verify that it was signed with a secret key.
      When you use a password in most systems, they're doing the same check in a slightly different way. They take the password you sent and verify that it's the correct secret by pushing it through a hashing algorithm and verifying the result matches the established, good value.

      With a third party certificate authority, that initial establishment of the good value is skipped because you're trusting the CA who issued the cert to have done some validation on who the fuck you are. (Hint: They never, ever do. Even EV certs are a joke.)

      Just because the terms "password" and "cert" are used doesn't mean they're fundamentally different. They're both built upon a single core concept, a secret.

    19. Re:Better, but not best. by sexconker · · Score: 1

      Nope, I actually understand it quite well. Certs represent nothing more than a secret. A "valid" cert is simply one that is signed with a secret.

      You don't have to transmit that secret to verify it, but you don't have to do that for passwords, either. raymorris covered it quite well.

    20. Re:Better, but not best. by sexconker · · Score: 1

      A cert is nothing like a password in a file. You should learn what RSA is.

      I know about RSA.

      A properly signed cert represents a secret, the private key. Nothing more. You don't know how that private key was obtained. Was it trivial to crack / reused from a decade old cert? Was it leaked/stolen? When you have a CA in the mix you add all the possibilities for the CA to be fucking useless, be subverted by the government, etc.

      A password is a secret. A private key is a secret. There's no fundamental difference between the two. Just as there's no fundamental difference between a password and a "2 factor authentication" time-based key generating program. That program is just a hash function with a clock and a seed. The seed is just another secret (often stored with and verified by a third party).

      The classic security paradigm is "something you know, something you have, and something you are". On the internet, all we have is "something you know". Even biometrics are just a secret passed along by a trusted bit of hardware. They've been trying for decades to get rid of the password, but it remains the core fundamental aspect of digital security because it's the only workable one in the digital realm.

      I dare you to explain how a cert is fundamentally different from a password.
      Detail the difference between / impacts of knowing a password and knowing a private key.
      Detail the difference between / impacts of not knowing a password and not knowing a private key.

    21. Re: Better, but not best. by Brockmire · · Score: 1

      What? Fuck no. For starters, DNS requests.

    22. Re:Better, but not best. by fisted · · Score: 1

      A cert represents a secret.
      A password is a secret.

      There you have the fundamental difference #1. Although I wouldn't exactly say the cert represents the secret. It's a data structure around a non-secret that was signed by a secret.

      They take the password you sent and verify that it's the correct secret by pushing it through a hashing algorithm and verifying the result matches the established, good value.

      Yes. Do you not see how in this case you're transmitting the secret while in a certificate case you're not transmitting the secret?

      (Hint: They never, ever do. Even EV certs are a joke.)

      That's just not true.

      Just because the terms "password" and "cert" are used doesn't mean they're fundamentally different. They're both built upon a single core concept, a secret.

      Just because two things are built upon a similar concept doesn't mean they're the same. A lot of things are built upon the concept of a secret and have nothing to do whatsoever with a password. For example, cheating on your wife etc.

  3. Eh? by ledow · · Score: 5, Interesting

    "One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated"

    Sure. But your computer will still not know that the CoffeeShop SSID that they're connecting to was the one the shop set up, though, will they? There's no exclusivity for SSIDs and if there was, it'd be a denial-of-service opportunity.

    Once connected, and a secret shared, yes. But with no password the initial connection is still giving people a chance to shove you on THEIR connection rather than the one you think, and then you can be WPA3-authenticated to them rather than what you thought without having a clue.

    1. Re:Eh? by ArtemaOne · · Score: 2

      That's an interesting thought. You can fit a mobile wi-fi hotspot into a pocket. Give it the same name as the shop and you'll get half the people logging into yours for sure.

    2. Re:Eh? by VeryFluffyBunny · · Score: 4, Interesting

      But your computer will still not know that the CoffeeShop SSID that they're connecting to was the one the shop set up, though, will they?

      Yes, this. Public Wifi needs something like unique domain names with signed certificates from an independent authority so that people know what they're connecting to and can be warned if it's insecure and therefore unsafe.

      --
      Debate is a form of harassment. Do not question my truth.
    3. Re:Eh? by spire3661 · · Score: 1

      That's why you use VPN when connecting to a strange AP.

      --
      Good-bye
    4. Re:Eh? by Njovich · · Score: 2

      Very little is known about WPA3, so it's hard to say if it will do anything about SSID spoofing.

    5. Re:Eh? by Kjella · · Score: 1

      Allowing a random coffee shop to be your ISP is never going to be high security. But I think "Hey wait, why are there two CoffeeShop SSIDs?" is probably going to be an improvement. That could actually be a router feature, like if it detects another access point trying to send with the same SSID it'd send the manager some kind of alert. I think you'd pretty soon discover who's doing it...

      --
      Live today, because you never know what tomorrow brings
    6. Re:Eh? by beanpoppa · · Score: 1

      It's called Rogue AP detection, and most (if not all) enterprise wireless systems already do this. But, it requires set up, monitoring, and then an action plan in place for what to do when a rogue AP is detected. Resources and skills typically missing from your CoffeeShop staff.

    7. Re:Eh? by Anonymous Coward · · Score: 1

      Google "Wifi Pineapple." These things have been around for a decade or so.

    8. Re: Eh? by jabuzz · · Score: 1

      What I want is active rogue AP defense. That is rather than just alerting one to the fact the rogue AP exists, is that it starts sending deauthentication frames to anything associated with an AP pretending to be one of mine. That way the f@#kers are stopped dead in their tracks.

    9. Re:Eh? by Anonymous Coward · · Score: 1

      > Public Wifi needs something like unique domain names with signed certificates from an independent authority...

      a) You already get this with EAP-TLS. All WPA2 needed (modulo KRACK) was for supplicants to make it easy to not give a fuck about validating the presented TLS cert

      b) If you protect the link between the wireless client and the AP, you're at parity with wired Ethernet for security. For the most part people really don't need better than that. (Never forget the thousands of miles of "wiring" between the AP you're connecting to and the server you're communicating with.)

    10. Re:Eh? by grasshoppa · · Score: 1

      Or, you know....you could just connect to a vpn when on a public hotspot.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
  4. Needs certification too by Anonymous Coward · · Score: 3, Insightful

    There needs to also be some kind of certificate system added for open networks. Starbucks ought to be able to register their network with a CA, so that it's possible to verify that that open network with the SSID "Starbucks" is not a phishing network.

    1. Re:Needs certification too by ledow · · Score: 1

      Don't give them ideas.

      Because then some naming authority will get involved and you'll have the domain-name debacle all over again about "who owns the name Starbucks for Wifi worldwide".

    2. Re:Needs certification too by Anonymous Coward · · Score: 1

      Don't give them ideas.

      Because then some naming authority will get involved and you'll have the domain-name debacle all over again about "who owns the name Starbucks for Wifi worldwide".

      Uh... what makes you think it wouldn't be the exact same PKI that we already use for HTTPS, except the certs would be issued separately for HTTPS and WIFI. Want a public wifi cert? Then you'd self-sign or use Let's Encrypt, and you'd put a QR code of the cert on your menu.

    3. Re:Needs certification too by squiggleslash · · Score: 2

      Why not just use the existing one? Or even the existing infrastructure? If the SSID is called open.starbucks.com, the protocol could involve the same kind of certificate as you'd use to sign a website https://open.starbucks.com

      All that's needed is the protocol. The who-owns-what bit's already done.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:Needs certification too by sexconker · · Score: 1

      We'll build our own internet. With blackjack, and hookers.

    5. Re:Needs certification too by CastrTroy · · Score: 1

      All they really need is a public key posted on the wall (in the form of a 2D barcode) to provide a key to authorize that you are actually connecting to the correct access point. Or they could have an LCD screen that changes the key every 24 hours to allow for rotating keys to keep them more secure and stop people from just switching out the piece of paper.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    6. Re:Needs certification too by fisted · · Score: 1

      ...which could get tricky when it comes to checking whether the presented certificate has been revoked or not, because you're going to have to assume the certificate hasn't, in order to get the Internet access you need to actually check; and you're going to have to do that through my rogue AP.

      It would seem safe at the first glance because both CRLs and OCSP responses are (mostly) signed by the issuing CA, but I could at least deny you access to either, so you can never know for sure.

      OCSP-stapling the AP certificate could however work. Unless I'm overlooking something, which I probably do. Anyway, you see, it gets hairy real fast.

    7. Re:Needs certification too by beelsebob · · Score: 1

      It also doesn't work well in terms of interaction models. No one in practice is going to go and scan the barcode on the wall to verify that their connection is secure. It's just not convenient enough.

    8. Re:Needs certification too by Areyoukiddingme · · Score: 1

      There needs to also be some kind of certificate system added for open networks. Starbucks ought to be able to register their network with a CA, so that it's possible to verify that that open network with the SSID "Starbucks" is not a phishing network.

      Who cares if it's a "phishing network" as long as it reaches the public Internet? They can watch my SSH and TLS streams all they like (just like the NSA does). I don't care. I don't give a damn what open network I connect to, in Starbucks or anywhere else. The wireless part of the link is just one of many many parts of the link, all of which are vulnerable to eavesdropping. The TLS Everywhere initiative exists for a reason.

  5. Legal implications by Ed+Avis · · Score: 2

    I believe that in some countries like Germany it is illegal to run an open wireless network. (Crazy but true!) Would this proposed new standard address that, since the network would now be encrypted and no longer 'open'? Or does the law define an open network as one where users don't have to register for a username first? In that case, open Wifi would sadly remain illegal in Germany.

    --
    -- Ed Avis ed@membled.com
    1. Re:Legal implications by DrStrangluv · · Score: 1

      I don't believe it would. The network would still be "Open" in the sense that anyone can connect and use it without authorization.

    2. Re:Legal implications by ArtemaOne · · Score: 1

      Authoritarians got to authoritarianate

    3. Re:Legal implications by fisted · · Score: 1

      I believe that [...] (Crazy but true!)

      Yeah, it is actually crazy (and apparently sadly true) that you believe this kind of bullshit.

      Oh wait, you were saying the thing you believe is actually true, not the fact that you believe it? Then why start with "I believe" and not "it is a fact"? Oh yeah, because it's just a belief after all--so don't fucking call it true. Because it's not.

      Love,
      a triggered German

    4. Re:Legal implications by Ed+Avis · · Score: 1

      This article summarizes the situation: http://www.spiegel.de/internat... So it's not a crime to operate an open Wifi network, but the network operator becomes liable for anything a user does. (Whereas the postal service, for example, is not liable for slanderous letters that may be posted.)

      --
      -- Ed Avis ed@membled.com
    5. Re:Legal implications by Anonymous Coward · · Score: 1

      Here in the US, your IP address is considered positive identification and proof beyond a reasonable doubt of activity, so if someone's open Wi-Fi is used for illegal business, the owner faces criminal and civil charges for it. This was a very common occurrence when the *AAs were doing their crackdowns on piracy around ten years ago.

    6. Re:Legal implications by fisted · · Score: 1

      Yes, open wifi operators used to be potentially liable.

    7. Re:Legal implications by Ed+Avis · · Score: 1

      That's great news, thanks for the update. I found when in Germany recently that wireless network operators still seemed to want you to register and provide a password, but that may be a holdover from the old situation, or just the German love of registering things.

      --
      -- Ed Avis ed@membled.com
    8. Re:Legal implications by KozmoStevnNaut · · Score: 1

      That does not hold up in court, an IP address does not uniquely identify a person.

      --
      Eat the rich.
    9. Re:Legal implications by KozmoStevnNaut · · Score: 1

      My impression is that Germans in general are extremely wary of registration and very privacy-conscious, especially those with family in the former DDR.

      It's a stark contrast to Denmark, where we have a shared 2-factor login system for all public services, and to uniquely identify yourself for online banking and other secured services, as well as a unique social security number (CPR -- Central Person Register). All correspondence with public services (and a number of private services, too) goes to an encrypted personal mailbox and all relevant information for banks, hospitals and so on is available through the CPR number. My girlfriend (who's German) is still a bit uncomfortable at this semi-open sharing of information.

      In Germany, there is none of that. Everything is still handled over the phone or in person, all mailed correspondence is snail mail, and it takes forever to get even basic things sorted out.

      I understand their hesitance (and I think we Danes are way too trusting of each other), but it quickly becomes extremely aggravating to deal with.

      --
      Eat the rich.
    10. Re:Legal implications by Ed+Avis · · Score: 1

      I still remember being asked for my passport to go ice skating.

      --
      -- Ed Avis ed@membled.com
  6. Finally! by sims+2 · · Score: 1

    We should be on WPA4 or 5 by now or moved on to another 3 letter security like WTF.

    I wonder what caused the 13 year wait?

    --
    Minimum threshold fixed. Thanks!
    1. Re:Finally! by freeze128 · · Score: 1

      WPA2 was good enough. For most things, it still is.

    2. Re:Finally! by Anonymous Coward · · Score: 1

      I worked for a place that used WTF as the acronym for "waterfall." We had an acronym database somewhere, the entry in it was:

      WTF: Waterfall. WTF did you think it stood for?

    3. Re:Finally! by AvitarX · · Score: 1

      Isn't there a replay attack disclosed now, I would hope WPA3 has something to mitigate that.

      My understanding is that only non standard behavior on clients can protect against the replay attack.

      https://techcrunch.com/2017/10...

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:Finally! by KozmoStevnNaut · · Score: 1

      Yeah, the KRACK Attack (love that name).

      Most major vendors have patched their software and devices by now, but that still leaves a bunch of legacy devices in harm's way.

      As always, don't trust wireless with sensitive data, use additional encryption everywhere you can, and you really should use a VPN when using wifi.

      --
      Eat the rich.
  7. Re:That's nice but... by CaptainDork · · Score: 2

    Coffee shops should drop TCP/IP and use their own, branded, in-house up-sell sugar packets.

    --
    It little behooves the best of us to comment on the rest of us.
  8. Re:That's nice but... by AvitarX · · Score: 2

    I think that's literally what they are addressing in the summary.

    WPA3 will allow password less connections to be encrypted.

    I assume it will give you a key, and then as soon as you connect your computer can verify with a cert authority to verify that it's a good key (similar to https).

    If it is unsigned you'll get a warning (similar to https)

    And then once you connect the key can be saved and you'll be immune from future hijacking (similar to ssh).

    This is a big obvious feature I could never figure out why it wasn't in WiFi standards from the start (open encrypted networks).

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  9. WiMax by Anonymous Coward · · Score: 1

    I'd love to see something like WiMax come back with open support so anyone can run something with longer range. It sucks that wifi has such a short range, but LTE can go so far, costing you a fortune per gig. It would be nice to have something that anyone can setup that covers longer distance, even if it's at a reduced speed.

    1. Re: WiMax by Voyager529 · · Score: 1

      Wi-Fi's shorter range isn't necessarily a bug; it's usually a feature. Go to a high-rise apartment building and *try* to use 2.4 GHz Wi-Fi. Good luck with that. There's literally a hundred routers in range, all trying to talk over each other. 5 GHz is at least somewhat better, half because of the higher channel quantity, but half because of the shorter range and reduced wall penetration.
      If WiMax took off at a consumer level, it would be great for rural areas, but suburban and urban areas would find it useless.

    2. Re: WiMax by Brockmire · · Score: 1

      Distance is a function of power and frequency. WiMax would NOT be easier to deal with for just a few clients, you need many to get the benefits. Also, it's not designed for co-location/interference with other equipment you don't have timing control over. 802.11 outdoor gear has had long distance timing for 40km+ for a decade and a half. If you want to be super cheap about it, check ubnt gear.

  10. Cool, but by Anonymous Coward · · Score: 1

    Backport for the WRT54GL when?

  11. They said "Tougher", not better. by aberglas · · Score: 1

    The article said Tougher, not Better.

    PKI infrastructure required for every home wifi or Windows 15 will not connect. That's pretty tough.

    That said, are people sure that "unsecured" WiFi is not encrypted today? Would fail against man-in-the-middle but not against eavesdropping.

    What happens when the password is written on the wall of the coffee shop? Can anyone with that password break encryption for others? Can anyone with that password be a man-in-the-middle?

  12. Server Name Indication by tepples · · Score: 1

    Anything of any import, even damned cat videos, is secured by https these days. If someone sniffs your packets, all they see is cyphertext.

    The ClientHello message that opens a TLS session contains the destination hostname in cleartext, so that the server can tell which name-based virtual host's certificate to present.

    1. Re: Server Name Indication by tepples · · Score: 1

      I take SNI as a given because since April 2014, every web browser that receives security updates uses SNI. The last widely used web browsers that didn't were Android Browser on Android 2.x and Internet Explorer on Windows XP.

  13. Re:Kerberos 1980s, CHAP (1996) or digest 1997 pass by fisted · · Score: 1

    Since at least the 1980s (Kerberos) and dial-up modems used CHAP in 1996, you can authenticate via a password without transmitting the password.

    Yes, true. (Although it's 2018 and I have yet to see an ISP that wouldn't use PAP.)

    There are even better algorithms that use passwords, without transmitting or storing them on the server. For example, the server can store a salted bcrypt of the password. Upon login, the server generates a random number (the challenge) and sends that to the client, along with the salt the server has chosen for this user. The client then computes and sends:

    H(H(Hs(password, salt)), challenge) xor Hs(password, salt)

    The server can verify that without having the password transmitted, or stored on the server.

    Interesting, although the last authentication protocol I've heard to have that property (MS-CHAP, not that I knew many authentication protocols) was broken.

    You would be correct to say that *sending plaintext passwords over the network (1970s style)* is much less secure than public keys.

    Yes, however it's not like "sending plaintext passwords over the network" wasn't a common thing in 2018.

    You can certainly use passwords without sending them over the network, though - that issue has been solved for decades.

    Yes. You've just explained one and referred to another. You got your point across, no need to be redundant.

    > Plus, even shitty private keys (1024 bits) are way stronger, entropy-wise, than a password so there's that, too.

    Much like a LONG password (pass sentence).

    Well, who uses a LONG pass sentence? It has to be pretty long if you limit yourself to actual words and want to compete with 1024 bits of random data, which means 128 bytes from an alphabet the size of 256.

    And it's not even like I would deny that the private key is like a password in a file.

    The statement I was refuting is that the *certificate* is like a password in a file, because it's clearly not, and that point still stands.
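
An added example (not part of any comment in the thread) that carries the quoted formula `H(H(Hs(password, salt)), challenge) xor Hs(password, salt)` through both sides of a login. It assumes the server keeps `H(Hs(password, salt))` as its verifier, uses SHA-256 for `H`, and substitutes PBKDF2 from the standard library for bcrypt as `Hs`; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def Hs(password, salt):
    """Slow salted hash. Assumption: PBKDF2-SHA256 stands in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def H(*parts):
    """SHA-256 over length-prefixed parts, so (a, b) cannot collide with (a + b)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password):
    """Server side, at account creation: keep the salt and H(Hs(password, salt))."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": H(Hs(password, salt))}

def client_response(password, salt, challenge):
    """Client side: the formula from the comment, computed from the password."""
    k = Hs(password, salt)
    return xor(H(H(k), challenge), k)

def server_verify(record, challenge, response):
    """Server side: unmask the candidate Hs value and compare its hash to the verifier."""
    if len(response) != 32:
        return False
    candidate = xor(H(record["verifier"], challenge), response)
    return hmac.compare_digest(H(candidate), record["verifier"])
```

A response recorded for one challenge fails against a fresh one, so every login needs a new random challenge. The stored verifier still needs protecting: anyone who holds it and observes one exchange can unmask `Hs(password, salt)` the same way the server does.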

  14. Re:Kerberos 1980s, CHAP (1996) or digest 1997 pass by MikeBabcock · · Score: 1

    I'm always surprised Kerberos didn't get used for WPA.
    RADIUS servers with WPA2-Enterprise are, interestingly, far more secure than the WPA2 most people use at home.

    --
    - Michael T. Babcock (Yes, I blog)