Monday, February 21, 2011

NY Times Wrong about WPA Cracking

This New York Times article has a major inaccuracy related to WPA/WPA2 key cracking. The article is otherwise a welcome rundown on the security issues involved in using home and hotspot Wi-Fi networks, along with changes happening at major Web sites in moving to always-encrypted sessions.

The reporter quotes a sysadmin and security videocaster pointing out that essentially all WEP-protected networks are crackable. This is true. WEP is straightforward to crack; it's just a matter of time, and often not very much time.

But the reporter misses the boat when she writes:

A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.

That's extremely misleading and mostly inaccurate. The distinction she fails to make, which will confuse all readers, is that there are weak and strong WPA/WPA2 passwords. I've been tracking this subject for years, as regular readers know, and that distinction is key, if you'll pardon the pun.

If you pick a WPA key of 10 characters or more, preferably not including a word found in dictionaries of dominant Roman-character languages, you are almost certainly protected against cracking. Pick a short phrase of 8 or fewer characters, no matter how random, and you can be cracked by a determined party, possibly in as few as minutes for a short or dictionary-word key.

WPA/WPA2 can currently be cracked only via brute force. The article should simply have said, more accurately, "it's best to use a WPA password instead, making sure to create one that's 10 or more characters long." Instead, it's spreading a mistaken impression.

Later in the article, sense reasserts itself when the writer says to change your SSID (the network name is part of how the key is derived for a WPA/WPA2 Personal network), and "choos[e] a lengthy and complicated alphanumeric password." It doesn't have to be very long or very complicated. "Abra23dabra" would be a perfectly fantastic WPA/WPA2 password.
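The two points above (the SSID is part of the key derivation, and each extra character multiplies the brute-force work) can be seen in a short sketch. This is an added example, not part of the original post. The derivation shown is the standard WPA/WPA2 Personal one (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations); the SSIDs, the alphabet sizes and the guess rate are assumptions chosen for illustration, and the figures describe exhaustive search of random passphrases only.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key for WPA/WPA2 Personal.

    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Years needed to try every passphrase of this length at a fixed rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR

def growth_factor(short_len: int, long_len: int, alphabet_size: int) -> int:
    """How many times more candidates the longer passphrase forces."""
    return alphabet_size ** (long_len - short_len)

if __name__ == "__main__":
    # Same passphrase, two SSIDs (constructed names): the keys differ, so
    # work precomputed for a common default SSID does not carry over.
    for ssid in ("linksys", "HomeNet-7F"):
        print(f"{ssid:12s} {wpa_pmk('Abra23dabra', ssid).hex()}")

    RATE = 100_000  # assumed guesses per second, for comparison only
    for alphabet, name in ((26, "lowercase"), (62, "alphanumeric")):
        for length in (8, 10, 11):
            print(f"{name:13s} len={length:2d} "
                  f"bits={keyspace_bits(length, alphabet):5.1f} "
                  f"years={years_to_exhaust(length, alphabet, RATE):.3g}")
    print("8 -> 10 alphanumeric characters multiplies the work by",
          growth_factor(8, 10, 62))
```

A passphrase built from dictionary words has far less entropy than its length suggests, which is why the length figures apply only when the characters are not guessable as a unit.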


