I am just now getting into wireless networking and I have a question for Devin/Kevin or anyone who has the info. I have WPA-PSK on my network and I want to know whether this can be cracked. If you search Google you will get 100 different answers on how to secure a home wireless network. I would like to know what you guys use. I have a wireless 2Wire 1701 Gateway with 3 Windows XP machines with Airlink 101 MIMO cards. I am thinking of buying a Cisco 1100 series for my CWNP studies but I would like your input on my current setup.
Tom Carpenter, one of the authors of the new CWSP book, sums it up nicely
Thanks, that sums it up.
Tom's article is absolutely correct. Use an EXTREMELY strong passphrase. There are large dictionary files available on the Internet that actually have every possible strong password combination up to 14 characters. Use a strong passphrase of at least 30 characters in my mind.
There are other steps you can also take to secure a home network. Follow this link to a whitepaper on the topic:
Keep in mind that much more secure methods are required in the enterprise.
Thanks David, I was aware of all of them except the key length on my WPA-PSK. I would like to thank you and hope that I can use your knowledge as a resource to become the best wireless consultant in North Texas. I would greatly appreciate any help you can give me to pass the CWNA, CWSP and CWNE exams. I don't know if anyone has made this leap in one year but I would like to be the first.
I am highly skeptical that there are wordlists for cracking WPA-PSK that cover every possible passphrase up to 14 characters. Do the math just on letters (upper/lower) and numbers and you'll see that covering that many words is not realistic.
More importantly, cracking a mildly complex passphrase is unrealistic. You get about 35-50 passphrases covered per second with most computers. Now extrapolate that out to wordlists that have hundreds of millions or even billions of passphrases.
The bottom line is that unless you choose your passphrase in a very negligent manner (i.e., words in a dictionary, famous athletes, names of cities, etc.), you are safe with WPA-PSK.
I do have to compliment Mr. Coleman for touting his own white paper, however. :) (just messin' with ya, Dave)
I do have to compliment Mr. Coleman for touting his own white paper, however. (just messin' with ya, Dave)
I am all about shameless self-promotion. It comes from working ten years in marketing prior to the IT career. :-)
Regarding your skepticism about the huge dictionary files:
You get about 35-50 passphrases covered per second with most computers.
To speed things up... All it would take is to develop a utility that looks at a hashed database much like ASLEAP does. I know five guys who could write a utility like that in their sleep.
C'mon, Mr. Coleman. Rainbow crack is a nice little tool for MD5 hashes and the like but it has nothing to do with wireless. WPA-PSK logins are much more complex than the hashes they are talking about. You, of all people, should know that. Hell, I don't even see anything on there for MS-CHAP, which is what LEAP is based on.
My point is that you shouldn't be so alarmist when it comes to WPA-PSK. It is basically uncrackable if you avoid using common passwords (dictionary, famous people, cities, etc.).
p.s., you should remove your last post. It shows a basic lack of understanding on how WPA-PSK works.
1) Offline dictionary attacks are only as strong as the size of the dictionary file. If someone wants to build a HUGE dictionary file... WPA-PSK will be cracked... period.
2) In a SOHO environment... I agree, not much need for alarmism but a strong passphrase is needed regardless.
3) In the ENTERPRISE, the only time WPA-Personal should be implemented is with a VoIP phone because the solution provides a Fast Secure Roaming method. Until real FSR methods find their way into the enterprise, WPA-PSK is usually your best security choice.
However... a VERY STRONG passphrase should be used. I would use a 64-character HEX passphrase in the Enterprise.
Even MORE IMPORTANT is policy. The passphrase is STATIC... in the enterprise I would recommend that the end users NEVER know what the passphrase is and the administrator should manually configure the passphrase.
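The arithmetic this thread argues over, as an added example that is not part of any post: it counts the upper/lower/digit passphrases up to 14 characters, converts that to years at the 50 guesses per second quoted above, and shows that the WPA-PSK master key is salted with the SSID, so a precomputed hash database only applies to one network name. The 8-character minimum and the PBKDF2 parameters come from the 802.11i standard rather than from the thread; the SSIDs and passphrase are constructed sample values.

```python
import hashlib

ALNUM = 62                      # upper + lower + digits, the alphabet named in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(alphabet_size, max_len, min_len=8):
    """Count passphrases from min_len (WPA-PSK minimum is 8) to max_len characters."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def wordlist_bytes(alphabet_size, length):
    """Size of a plain-text list of every passphrase of one length (plus newline)."""
    return alphabet_size ** length * (length + 1)

def derive_pmk(passphrase, ssid):
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    rate = 50                   # guesses per second, the upper figure quoted in the thread
    for length in (8, 10, 14):
        n = keyspace(ALNUM, length, min_len=length)
        print(f"{length} chars: {n:.3e} passphrases, "
              f"{years_to_exhaust(n, rate):.3e} years at {rate}/s, "
              f"{wordlist_bytes(ALNUM, length) / 1e12:.3e} TB as a wordlist")
    total = keyspace(ALNUM, 14)
    print(f"8..14 chars combined: {total:.3e} passphrases")

    # Constructed sample values: same passphrase, two different network names.
    phrase = "correct horse battery staple"
    pmk_home = derive_pmk(phrase, "HomeNet-Example")
    pmk_other = derive_pmk(phrase, "OtherNet-Example")
    print("PMK for HomeNet-Example :", pmk_home.hex())
    print("PMK for OtherNet-Example:", pmk_other.hex())
    print("Precomputed table reusable across SSIDs:", pmk_home == pmk_other)
```
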