KenRadio Gives Bad WiFi Security Advice
On the Thursday 3 August 2006 episode of KenRadio’s World Tech Round Up, hosts Ken Rutkowski and Andy Abramson (yes, that Andy Abramson) started talking about WiFi and keeping people out. When they mentioned using WEP, I was a bit disappointed. WEP’s been broken for years. All one needs to do is have a look at a Google search for wep cracked and you can see there are plenty of ways to break it. I’ve personally seen it happen in as little as five minutes in a live demonstration using easily available tools.
The key question is: what are you protecting against? If your concern is “prevent your neighbor from using your WiFi,” then by all means continue to use WEP. However, if your neighbor wants to use your connection, he’ll be able to without too much trouble. I wouldn’t call that secure, nor would I even suggest that it is. Make sure nothing is connected to that access point that you actually care about if you use WEP (or leave it open). That includes wired machines as well, since they are potentially vulnerable to attack.
The most “secure” thing to use on consumer-grade equipment is WPA-PSK (pre-shared key) with a random 63-character passphrase. The ultra-paranoid can use a tool like GRC’s Ultra High Security Password Generator to generate these kinds of passwords. I can understand why you wouldn’t want to use those kinds of passphrases–they are a pain to type in. Imagine typing what looks like random gibberish on a WiFi-enabled mobile phone. But you only do it once, and there are ways of moving the passphrase around without having to type it.
While WPA is considered very secure, one thing that WPA is vulnerable to is brute force password attacks. This means don’t use a password a brute force password generator might guess. Perhaps a reasonable suggestion would be to use something like your previous street address. This should be long enough–of course the more characters that are in your passphrase, the better.
For a good schooling on wireless security with lots of detailed, yet understandable explanations, I wholeheartedly recommend listening to episodes 10, 11, and 13 of the Security Now podcast. It specifically deconstructs various myths about WiFi security, including the use of WEP, SSID hiding, and MAC filtering.