
How Secure is a 64 Character WPA Shared Key?

RhoXS

Senior member
When I switched from WEP to WPA TKIP+AES security a while back, I went prompt stupid, got lazy, and kept the same 26 character security key. Recently I began having second thoughts about how wise I was to maintain the same key.

We have a neighbor that has problems getting along with people and has demonstrated a capability to be malicious. He is retired, appears to be comfortably situated, has plenty of time on his hands, and is easily smart enough to use his computer for activities that might not be in someone else's best interest. For various reasons, my wife and I have no expectations of ever being invited over for a drink with him and his wife. Although I have no reason to believe there is a problem, my wife and I are taking no chances and I just changed the key to 64 random characters.

How secure is WPA TKIP+AES? Is it practically possible, the NSA notwithstanding, to crack WPA TKIP+AES security using a 64 random character key?
 
Realistically you are fine. Few simple things I always do when I can.

Pick a unique SSID.
Use AES/CCMP only.
Pick a key that uses some of all the available characters (Letters/Numbers/Special characters).
 
WPA TKIP+AES is vulnerable to a dictionary attack. I can run about 12000 keys per second in a rainbow table, if one already exists for your SSID.

Even if your network name is not a common one (think netgear, linksys, NET4433, etc) - with today's graphics cards and CPU power to spare - it won't be long.

As long as it isn't a dictionary word - you are OK. It took nearly a full week to get to 8 chars done alpha using only jtr. I got in 6 hours a random key with a specific SSID.

Another thing. You need to capture an actual authentication exchange to do anything at all. It's impossible if there is nobody currently using it. So don't use wireless devices 24/7 (less exposure to a deauth attack).

Regardless of your settings, it is possible to determine your SSID. MAC security can be spoofed too - it isn't encrypted in the 4-way handshake.

Follow W0ss' suggestions. LeTTers/Num8e4S/$pecia| Charac+ers

As for 64 character keys - even if it's all lowercase - that is still out of reach. I think 10-12 chars is the upper limit to a pure brute attack anymore.
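
Added example, not part of any post in this thread: a Python sketch of how WPA/WPA2-Personal turns a passphrase into its 256-bit key (PBKDF2-HMAC-SHA1 salted with the SSID, which is why precomputed tables only apply to one network name), plus the time needed to exhaust a keyspace at the 12000 keys per second quoted above. The SSIDs and passphrase are constructed sample values, and the function names are made up for this illustration.

```python
import hashlib
import string

def wpa_psk(key: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a WPA/WPA2-Personal network."""
    # A key of exactly 64 hex digits is used directly as the 256-bit key.
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return bytes.fromhex(key)
    # Otherwise it is a passphrase of 8-63 characters, stretched with
    # PBKDF2-HMAC-SHA1, 4096 iterations, with the SSID as the salt.
    if not 8 <= len(key) <= 63:
        raise ValueError("passphrase must be 8-63 characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", key.encode(), ssid.encode(), 4096, 32)

def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: int) -> float:
    """Worst-case time to try every key of the given alphabet size and length."""
    return alphabet ** length / guesses_per_second

if __name__ == "__main__":
    # Same passphrase, two SSIDs (constructed): the derived keys differ, so a
    # table precomputed for one network name is useless against another.
    for ssid in ("linksys", "RhoXS-home-7431"):
        print(f"{ssid:16s} {wpa_psk('correct horse', ssid).hex()}")

    rate = 12000  # keys per second, the figure quoted in the thread
    year = 365.25 * 24 * 3600
    cases = [
        ("8 lowercase letters", 26, 8),
        ("12 lowercase letters", 26, 12),
        ("12 printable ASCII", 95, 12),
        ("64 lowercase letters", 26, 64),  # hypothetical size comparison only
        ("64 hex digits (raw 256-bit key)", 16, 64),
    ]
    for label, alphabet, length in cases:
        years = seconds_to_exhaust(alphabet, length, rate) / year
        print(f"{label:34s} {years:.3g} years at {rate} keys/s")
```
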
 