Really, how safe and secure is my wireless network?
June 22, 2010 5:16 AM   Subscribe

How safe and secure is my wireless network's WPA2-PSK key?

I think I'm doing better than most when it comes to my computer and my network security. Today I'd like to ask how secure my wireless network is.

At home and at work, I have wireless networks. They each have a 64 character, hexadecimal key that has been generated by one of those fancy generators you can find on the internet. I'm running WPA2-PSK with AES encryption. The SSIDs are NOT hidden.

Now I've just gotten done watching some videos on YouTube about how to crack WPA2-PSK networks. In each of those examples, the PSK was something pretty simple. For instance, one was [ Password ]. And it was cracked using dictionary type of processing power.

Since my PSK is a random, long (maximum length) hexadecimal key, aren't I much, much better off than those examples. You can't find my key in a dictionary, that's for sure. It would seem it would take years to be able to crack that key.

Am I correct on this?
posted by Jackie_Treehorn to Computers & Internet (17 answers total) 1 user marked this as a favorite
I don't know. What is it?

But seriously, your password is obviously stronger than using a shorter "actual word" password. I doubt it would literally take years to crack if someone really, really wanted to, but I wouldn't think it's something to be concerned about.
posted by Kimothy at 5:23 AM on June 22, 2010

"So, like virtually all security modalities, the weakness comes down to the passphrase. WPA-PSK is particularly susceptible to dictionary attacks against weak passphrases. "

If you're using a randomly generated password, it sounds like you're pretty good.
posted by sharkfu at 5:39 AM on June 22, 2010

Best answer: This should give you some comfort:

"Update :after 20 hours of cracking, the key still has not been found. The system I’m using to crack the keys is not very fast, but let’s look at some facts :

8 characters, plain characters (lowercase and uppercase) or digits = each character in the key could has 26+26+10 (62) possible combinations. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896 At about 600 keys per second on my “slow” system, it could take more than 101083382 hours to find the key (11539 year). I have stopped the cracking process as my machine is way too slow to crack the key while I’m still alive… So think about this when doing a WPA2 PSK Audit."
posted by sharkfu at 5:42 AM on June 22, 2010

When you say your key is hexadecimal, do you mean that you only use characters [0-9][a-f]? If so, don't do that. The key can use almost the entire Ascii set, including upper/lower, digits, spaces, and punctuation. If you limit yourself to only [0-9][a-f] then you leave yourself vulnerable to rainbow table cracking.
posted by Rhomboid at 6:01 AM on June 22, 2010

There are about 1.15 x 10^77 possible hexadecimal strings of length 64. We're going to assume that an attacker would need to check about half of these before finding your key. Assuming they're doing this on a supercomputer (10^15 checks per second), it'll only take about 1.8 x 10^54 years. But actually the real bottleneck is your router, which will melt first.

That's why they won't do it that way, instead they'll break into your house and get your network key off of your computer. Or install a keylogger. Or send you some malware which will get your network key from your computer. And so on.
posted by anaelith at 6:16 AM on June 22, 2010

Response by poster: Rhomboid,

My password is for example:

posted by Jackie_Treehorn at 6:18 AM on June 22, 2010

This doesn't answer the original question, but should anyone ever need a random password of any length, be sure to visit Steve Gibson's password generator, where you'll get passwords that are about as random as you're going to get using a computer.
posted by Wild_Eep at 6:47 AM on June 22, 2010 [3 favorites]

I don't think you have anything to worry about. There are really two different kinds of situations you might need to protect against... the first is strangers leeching your bandwidth. Could be neighbors or war-drivers, anybody looking for free web access. Usually any kind of security is enough to stop these guys; they'll look for the low-hanging fruit and move on until they find something open and unsecured.

The second is if you have sensitive data stored on your network that you need to keep out of the hands of people who are intentionally targeting you. Corporate spies working for the competition, that sort of thing. The password you're using is more than enough to stop most of these people, unless we're talking about a high-profile Fortune 500 corporate network or something, where your enemies are willing to spare no expense to get the data they want. In those circumstances you need to be worrying about a lot more than wifi passwords; you need serious network architecture and IT staff monitoring it 24/7. I'm guessing that since you're asking MeFi instead of your networking manager, this isn't your situation. And therefore, you have nothing to worry about.
posted by The Winsome Parker Lewis at 7:16 AM on June 22, 2010

And remember that you can also do MAC address filtering. While not entirely undefeatable, it's another layer of security definitely worth considering.
posted by papafrita at 8:06 AM on June 22, 2010
posted by low affect at 8:12 AM on June 22, 2010

Saving some sort of significant technical innovation or flaw in the crypto implementation, you're fine, for all practical purposes.

P.S. - SSID hiding and MAC filtering are trivial to circumvent. Not worth the hassle.
posted by kjs3 at 8:18 AM on June 22, 2010

From a broader perspective, if you have a serious interest in security, then you need to NOT use wireless. Wireless is convenient, yes, but it also allows anyone sitting nearby to sniff your bizness.

Your connection is secure today. But who knows what tomorrow will bring? Just because only the NSA could crack your key today doesn't mean that your neighbor's 12 year-old won't be able to crack it tomorrow with a homegrown beowulf cluster, the infinite free time of the young and enthusiastic, and a sweet new tool that some clever person invents.

Cat5 is ugly and somewhat awkward, but it's secure. (And as a bonus, it's faster.)
posted by ErikaB at 10:06 AM on June 22, 2010 [1 favorite]


Great. For the record that is not hexidecimal.

Wireless is convenient, yes, but it also allows anyone sitting nearby to sniff your bizness.

Only if you decide to let them. You can use https, or you can re-flash your router with a firmware that includes an OpenVPN client (e.g. DD-WRT) and set up an encrypted tunnel between the client and the router such that an eavesdropper can not tell what you're doing.

your neighbor's 12 year-old won't be able to crack it tomorrow with a homegrown beowulf cluster

There would have to be a significant change in technology to go from the current state of 'millions of CPU years' to that, and it would be major news if that happened.
posted by Rhomboid at 10:36 AM on June 22, 2010

And just to put some numbers to it, assuming a password of length 63 from the entire ascii printable set would be 9563 or about 4 * 10124 combinations. Taking the above quoted 600 keys per second, that comes to about 10114 years on average to crack. Even if you had a computer a million times faster than current technology and you had a million of them, that's still 10102 years. I haven't run the numbers but I'm pretty sure that from Landauer's principle you can show that there isn't even enough energy in the entire universe to perform such a calculation.
posted by Rhomboid at 10:55 AM on June 22, 2010 [1 favorite]

IANAC, but it seems like the WPA2 protocol hashes the user-input keyphrase down to a 256-bit key.

So it seems like a savvy attacker would try to guess the underlying 256-bit key (around 1.15 * 1077 possible combinations) rather than the keyphrase (4 * 10124 combinations).

So yeah, still definitely secure, still not crackable for several centuries even naively assuming that Moore's law continues at its current pace (quantum computing or, more likely, a now-unknown protocol flaw may make it crackable alarmingly sooner), but the underlying crypto implementation seems to indicate that there is no additional security to be had if you make your keyphrase longer than 39 perfectly random characters (assuming you're choosing from the 95 printable ASCII characters).
posted by Dimpy at 3:04 PM on June 22, 2010

There would have to be a significant change in technology to go from the current state of 'millions of CPU years' to that, and it would be major news if that happened.

Let's meet back in this thread when it happens. Moore's law, and all!

Recall that WPA2-PSK is only the latest in a long series of security protocols, all of which were eventually cracked. It's a war of escalation; your only hope is to either keep running faster than The Other Guy, or to opt out (e.g. by using a wired connection).
posted by ErikaB at 11:12 AM on June 23, 2010

SSL is also one of a "long series of security protocols" and yet I don't see anyone clamoring to exclaim that you shouldn't access your banking site using it because someone might one day find a weakness there. So is RSA/DSA, and yet nobody is screaming that we shouldn't sign or encrypt messages with GPG/PGP. If your contention is that the possibility of a security researcher finding a weakness in the future means that it is not safe today then you'd better just go live in a unibomber shed in the middle of nowhere because everything on the modern networked landscape is based on cryptographic algorithms. Saying that because WEP was shitty then WPA2 must also be shitty is like saying that because MD4 turned out to be crap means no one should use SHA-1.

And a wired connection does not opt you out of anything. If you have a cable internet connection then all the traffic for you and everyone else on your block is flowing through that cable, and the only thing stopping someone from eavesdropping on all of it is the firmware in the cable modem, and we all know no one would ever tamper with that. Or maybe I rent a server at the same datacenter as a site that you use frequently, and then I run a packet capture program in conjunction with an ARP spoofing algorithm to let me view traffic on the other ports of the switch that I'm connected to.
posted by Rhomboid at 12:22 PM on June 23, 2010

« Older Did I get all the files I need?   |   Augmenting Leather Soled Shoes with Rubber Pros... Newer »
This thread is closed to new comments.