
Thread: WPA Wordlists: Why Do People Bother?

  1. #1
    Just burned his ISO splexin's Avatar
    Join Date
    Feb 2009
    Posts
    12

    WPA Wordlists: Why Do People Bother?

    Quick question for everyone to ponder:

    Why do we spend hours upon hours running our WPA networks through gigabytes of wordlists and hash files?

    If the password for the network is really good enough, then we wouldn't have to worry about crackers and hackers at all!

    I think the maximum character length of passwords should be extended, and maybe that would solve all of our worries and woes. . .

  2. #2
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533


    Quote Originally Posted by splexin View Post
    Quick question for everyone to ponder:

    Why do we spend hours upon hours running our WPA networks through gigabytes of wordlists and hash files?

    If the password for the network is really good enough, then we wouldn't have to worry about crackers and hackers at all!

    I think the maximum character length of passwords should be extended, and maybe that would solve all of our worries and woes. . .
    What is your point? If you're suggesting the people should use more complex passwords, you're preaching to the choir.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  3. #3
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    People won't listen to that. Either they know already and use strong passwords or they don't and won't change it either.

    The issue is that people love the convenience and the longer and more cryptic a password the harder it is to remember. Don't expect the common home user to have a strong password on his WLAN nor to use WPA at all. Have seen that a couple of times even if the people are not stupid but also telling them the risks such a weak password/encryption bears they didn't really care.
    Tiocfaidh ár lá

  4. #4
    Junior Member digitalfriction's Avatar
    Join Date
    Mar 2010
    Posts
    84


    You need to look at what's most likely, is it more likely that 'most' people will choose an 8 character (the minimum for WPA/WPA2) password using only Alpha characters, that is most likely to be a word or name they will remember easily. Or scenario 2, is it more likely that 'most' people will choose a 64 character jumble of incoherent nonsense combining letters numbers and symbols that is difficult to remember, makes no sense in the real world, and has to be typed into each connecting client?

    The biggest weakness is people, their lack of knowledge on the securities available to them, the lack of concern, and ultimately the lack of ability to consider 'what if....'

    Using a large dictionary file to test your own network, allows us to try and remove the human element as much as possible, what I think looks like a complicated password, may be a common entry on many wordlists, testing is the best way to establish if this is the case.

  5. #5
    Junior Member digitalfriction's Avatar
    Join Date
    Mar 2010
    Posts
    84


    Quote Originally Posted by splexin View Post
    If the password for the network is really good enough, then we wouldn't have to worry about crackers and hackers at all!
    Another thing to ponder is for how long? I'm sure at the advent of WEP, with its 64 million possible keys (I think that's right, but please don't quote me) people were pretty damn sure that it was safe....well it was, for a bit !

    Improvements are being made all the time on the cracking of WPA/WPA2, when WPA first showed its face I'm sure I heard quotes such as 'with all the computing power of NASA this thing couldn't be broken in years' .......well that was true, for a bit! but we now are seeing CUDA processing allowing ordinary home users to process HUGE dictionaries in hours, away from the actual network.

    Imagine this, your network is protecting your business finance details, for example worth 1 million pounds, as a 'hacker' is it worth taking 5 minutes to capture the handshake on your WPA wifi, and then go home, and maybe leave a machine running for a couple of weeks breaking the key, so I can then return after a couple of weeks and easily connect? Well yes, it probably is. That is what is being protected against, the negatives have to outweigh the positives for the 'hacker'. If I can make my WPA key so complex that the intruder would have to allocate months/years of CPU time to the job of cracking the key, then I can safely say, they will look for another victim, or another route of attack.

  6. #6
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    Please use the edit function, when you want to add something to a post previously made.

    Quote Originally Posted by splexin
    If the password for the network is really good enough, then we wouldn't have to worry about crackers and hackers at all!
    Cause such things like attacks over the internet, SE and so on are not happening if the password is strong enough?
    Tiocfaidh ár lá

  7. #7
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    I use a stupidly long computer generated random password. It's kept in a file on my computer and I cut and paste it into the laptop's wireless manager. Easy. I also put the username and password on the bottom of rack mounted networking gear, just in case I get hit by a bus.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  8. #8
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by digitalfriction View Post
    Another thing to ponder is for how long? I'm sure at the advent of WEP, with its 64 million possible keys (I think that's right, but please don't quote me) people were pretty damn sure that it was safe....well it was, for a bit !
    No, WEP wasn't safe, ever. Right from when it was released, mathematical flaws were known and exploited in WEP. Cryptologists said from the start that it was a stinking pile of poo.

    Actually, what happened with WEP should be told as a cautionary tale to anyone who thinks they can come up with a solid crypto system without paying attention to the math. In short, the people who designed WiFi thought they could come up with a crypto system by themselves. Unfortunately, they didn't know enough about crypto math, and designed several mathematical flaws into WEP.

    Quote Originally Posted by digitalfriction View Post
    Improvements are being made all the time on the cracking of WPA/WPA2, when WPA first showed its face I'm sure I heard quotes such as 'with all the computing power of NASA this thing couldn't be broken in years' .......well that was true, for a bit! but we now are seeing CUDA processing allowing ordinary home users to process HUGE dictionaries in hours, away from the actual network.
    WPA was known to be somewhat flawed from its introduction, and was released this way intentionally. This is because it was designed to be a stop-gap measure between WEP and WPA2/AES. WPA has a simpler design and was made to allow the manufacturers time to implement WPA2 in their hardware. There are known flaws within the math behind WPA, but it is still much stronger than WEP. If WEP is wet tissue, WPA is steel plate several hundredths of an inch thick.

    WPA2 is strong, as long as the user takes the minimal precaution of using a non-dictionary password. Going back to the previous tissue and steel analogy, WPA2 would be akin to body armor.

    Unfortunately, in our world, users continue to be the weakest link. This is true in most security systems and predates computers.
    Thorn
    Stop the TSA now! Boycott the airlines.

  9. #9
    Junior Member digitalfriction's Avatar
    Join Date
    Mar 2010
    Posts
    84


    Quote Originally Posted by Thorn View Post
    No, WEP wasn't safe, ever. Right from when it was released, mathematical flaws were known and exploited in WEP. Cryptologists said from the start that it was a stinking pile of poo.
    My apologies, I will verify my 'facts' in future !

    I think the point, going back to what the OP asked, is that the reason for testing with huge dictionaries, is to make sure that what a human 'thinks' is secure, in reality IS secure.

  10. #10
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by digitalfriction View Post
    My apologies, I will verify my 'facts' in future !

    I think the point, going back to what the OP asked, is that the reason for testing with huge dictionaries, is to make sure that what a human 'thinks' is secure, in reality IS secure.
    Cause we know MyL33tP@sswr0d really isn't and we sometimes need the ability to show it.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
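
Added example, not part of any post in this thread: a self-audit of your own passphrase along the lines posts #4, #9 and #10 describe, undoing leet substitutions before a dictionary lookup and estimating exhaustive-search cost. The wordlist is a constructed sample, and the guess rate and the 80-bit threshold are assumptions.

```python
import math
import re

# Constructed sample wordlist; a real audit would load a large dictionary file.
WORDLIST = {"password", "pass", "leet", "dragon", "letmein", "wireless"}

# Undo common "leet" substitutions before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

ASSUMED_GUESSES_PER_SEC = 100_000  # assumption, not a measured figure
ASSUMED_MIN_BITS = 80              # assumption: threshold for an "ok" verdict


def charset_size(passphrase):
    """Alphabet size an exhaustive search would have to cover."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^a-zA-Z0-9]", 33))  # 33 printable ASCII symbols incl. space
    return sum(n for pattern, n in classes if re.search(pattern, passphrase))


def audit(passphrase, rate=ASSUMED_GUESSES_PER_SEC):
    """Report dictionary hits and exhaustive-search cost for one passphrase."""
    # WPA/WPA2 passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        return {"valid": False}
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        return {"valid": False}
    normalised = passphrase.lower().translate(LEET)
    hits = sorted(w for w in WORDLIST if w in normalised)
    keyspace = charset_size(passphrase) ** len(passphrase)
    bits = round(math.log2(keyspace), 1)
    return {
        "valid": True,
        "dictionary_hits": hits,
        "bits": bits,  # upper bound: only holds if the characters are random
        "days_to_exhaust": keyspace / rate / 86400,
        "verdict": "weak" if hits or bits < ASSUMED_MIN_BITS else "ok",
    }


if __name__ == "__main__":
    for sample in ("MyL33tP@sswr0d", "kqzvbnmx", "q7#Vz!9rLw2&Xe5@Kt8m"):
        print(sample, audit(sample))
```

The passphrase from post #10 scores about 92 bits on character mix alone, yet is flagged weak because dictionary words survive the substitution; eight random lowercase letters fall to exhaustive search in roughly 24 days at the assumed rate.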
