Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Apr 2013 23:45:52 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID:  <20130424234552.420e116d@gumby.homeunix.com>
In-Reply-To: <kl9ej0$f2b$1@ger.gmane.org>
References:  <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com> <kl0qu9$ovo$1@ger.gmane.org> <CAHieY7SSbO+wt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com> <kl3vao$hbt$1@ger.gmane.org> <20130423010407.25a73c92@gumby.homeunix.com> <CAHieY7SSzuJBt6frT7QoU=EzZDA=9Fc=H-xDHYtH3PejTi5QzQ@mail.gmail.com> <kl9ej0$f2b$1@ger.gmane.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, 24 Apr 2013 16:16:32 -0400
Michael Powell wrote:

> Alejandro Imass wrote:
> 
> [snip]
> >>> Most consider the answer to use WPA2, which I do use too. Many
> >>> think it is 'virtually' unbreakable, but this really is not true;
> >>> it just takes longer. I've done WPA2 keys in as little as 2-3
> >>> hours before.
> >>
> >> Are you saying that any WPA2 key can be cracked or or you simply
> >> referring to weak keys?
> > 
> > I would also like to specifically if it's for weak keys or are all
> > WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
> > as weak also. Could anyone expand on how weak is WPA2 and WPA2
> > Enterprise or is this related to weak PSKs only??
> > 
> 
> I'm just a lowly sysadmin and not any kind of crypto expert.  The
> problem is time and horsepower. While a ridiculously easy key of say
> 4 characters that is not salted may be doable on a PC, once you start
> to get to 8-9 characters or more the time it takes begins to get huge
> fast. It's a matter of can you tie up the resource long enough to
> wait it out. 

Right, but if you were to strip-mine the earth's crust and turn all the
silicon into GPU cores you still wouldn't even come close to
brute-forcing AES256 before the sun turns into a red-giant.

If you're saying that WPA is inadequate because weak keys can be
bruteforced then the answer is don't use a weak key. If someone breaks
such a key then that's pilot error, not an inherent weakness in WPA.

Use a key with 100-256 bits of entropy.

> What I do at home is concatenate 2 ham radio call signs of friends
> that I can remember. Then I sha256 that and select from the end
> backwards 15 characters. 

60 bits tops - assuming that there was 60 bit of entropy in the hashed
data. My key is only twice as long, but about
40,000,000,000,000,000,000,000,000,000 times better at resisting a brute
force attack.

>  This won't actually defeat the inherent
> weakness of using a pre- shared key, but it will take longer for a
> simple brute force. You should also throw in additional characters
> from your character set beyond just alpha/numerics.

That's good advice for natural language pass phrases where there is
only  about 1 bit of entropy per character. IMO it's easier to type a
high entropy password using only characters that wont need shifting on
any device i.e. random lower-case letters. 







Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20130424234552.420e116d>