Quick question for everyone to ponder:
Why do we spend hours upon hours running our WPA networks through gigabytes of wordlists and hash files?
If the password for the network is really good enough, then we wouldn't have to worry about crackers and hackers at all!
I think the maximum character length of passwords should be extended, and maybe that would solve all of our worries and woes. . .
People won't listen to that. Either they know already and use strong passwords or they don't and won't change it either.
The issue is that people love the convenience and the longer and more cryptic a password the harder it is to remember. Don't expect the common home user to have a strong password on his WLAN nor to use WPA at all. Have seen that a couple of times even if the people are not stupid but also telling them the risks such a weak password/encryption bears they didn't really care.
Tiocfaidh ár lá
You need to look at what's most likely: is it more likely that 'most' people will choose an 8 character (the minimum for WPA/WPA2) password using only Alpha characters, that is most likely to be a word or name they will remember easily? Or scenario 2, is it more likely that 'most' people will choose a 64 character jumble of incoherent nonsense combining letters, numbers and symbols that is difficult to remember, makes no sense in the real world, and has to be typed into each connecting client?
The biggest weakness is people, their lack of knowledge on the securities available to them, the lack of concern, and ultimately the lack of ability to consider 'what if....'
Using a large dictionary file to test your own network, allows us to try and remove the human element as much as possible, what I think looks like a complicated password, may be a common entry on many wordlists, testing is the best way to establish if this is the case.
Another thing to ponder is for how long? I'm sure at the advent of WEP, with its 64 million possible keys (I think that's right, but please don't quote me) people were pretty damn sure that it was safe....well it was, for a bit!
Improvements are being made all the time on the cracking of WPA/WPA2. When WPA first showed its face I'm sure I heard quotes such as 'with all the computing power of NASA this thing couldn't be broken in years' .......well that was true, for a bit! But we are now seeing CUDA processing allowing ordinary home users to process HUGE dictionaries in hours, away from the actual network.
Imagine this, your network is protecting your business finance details, for example worth 1 million pounds, as a 'hacker' is it worth taking 5 minutes to capture the handshake on your WPA wifi, and then go home, and maybe leave a machine running for a couple of weeks breaking the key, so I can then return after a couple of weeks and easily connect? Well yes, it probably is. That is what is being protected against, the negatives have to outweigh the positives for the 'hacker'. If I can make my WPA key so complex that the intruder would have to allocate months/years of CPU time to the job of cracking the key, then I can safely say, they will look for another victim, or another route of attack.
Please use the edit function, when you want to add something to a post previously made.
Cause such things like attacks over the internet, SE and so on are not happening if the password is strong enough?
Originally Posted by splexin
Tiocfaidh ár lá
I use a stupidly long computer generated random password. It's kept in a file on my computer and I cut and paste it into the laptop's wireless manager. Easy. I also put the username and password on the bottom of rack mounted networking gear, just in case I get hit by a bus.
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
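Added example, not part of any post in this thread: a Python sketch of the two habits described above, generating a long random passphrase and testing a passphrase for your own network against a wordlist, plus the exhaustive-search arithmetic behind the "8 letters versus long jumble" comparison. The guess rate of 100,000 per second and the four-entry wordlist are constructed assumptions, not measurements.

```python
import math
import secrets
import string

# WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters
# (a 64-character value is only accepted as a raw hexadecimal key).
MIN_LEN, MAX_LEN = 8, 63
# 94 symbols; space is legal but left out to avoid copy/paste accidents.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed sample; a real self-test would load a full wordlist file.
SAMPLE_WORDLIST = ["password", "liverpool", "sunshine1", "manchester"]

def generate_passphrase(length=MAX_LEN):
    """Random passphrase drawn from the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def keyspace_bits(length, alphabet_size):
    """Upper bound on entropy; only reached if every character is random."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every key in the space at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def audit(passphrase, wordlist):
    """Checks a passphrase for your own network against a wordlist."""
    known = {w.strip().lower() for w in wordlist}
    return {
        "valid_length": MIN_LEN <= len(passphrase) <= MAX_LEN,
        "printable_ascii": all(32 <= ord(c) <= 126 for c in passphrase),
        "letters_only": passphrase.isalpha(),
        "in_wordlist": passphrase.lower() in known,
    }

if __name__ == "__main__":
    rate = 100_000  # assumed guesses per second, not a measured figure
    for label, n, size in (("8 lowercase letters", 8, 26),
                           ("63 random symbols", MAX_LEN, len(ALPHABET))):
        bits = keyspace_bits(n, size)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
    print(audit("Liverpool", SAMPLE_WORDLIST))
    print(audit(generate_passphrase(), SAMPLE_WORDLIST))
```

The bit counts are upper bounds that hold only for randomly generated passphrases; for a human-chosen word or name, the `in_wordlist` result is the figure that matters.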
No, WEP wasn't safe, ever. Right from when it was released, mathematical flaws were known and exploited in WEP. Cryptologists said from the start that it was a stinking pile of poo.
Actually, what happened with WEP should be told as a cautionary tale to anyone who thinks they can come up with a solid crypto system without paying attention to the math. In short, the people who designed WiFi thought they could come up with a crypto system by themselves. Unfortunately, they didn't know enough about crypto math, and designed several mathematical flaws into WEP.
WPA was known to be somewhat flawed from its introduction, and was released this way intentionally. This is because it was designed to be a stop-gap measure between WEP and WPA2/AES. WPA has a simpler design and was made to allow the manufacturers time to implement WPA2 in their hardware. There are known flaws within the math behind WPA, but it is still much stronger than WEP. If WEP is wet tissue, WPA is steel plate several hundredths of an inch thick.
WPA2 is strong, as long as the user takes the minimal precaution of using a non-dictionary password. Going back to the previous tissue and steel analogy, WPA2 would be akin to body armor.
Unfortunately, in our world, users continue to be the weakest link. This is true in most security systems and predates computers.
Thorn
Stop the TSA now! Boycott the airlines.
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69