ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Poor Wi-Fi passwords 'invite attack'

Published: 07 Nov 2003 08:50 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A security expert has warned users of the latest wireless network security standard, Wi-Fi Protected Access, to pick good passwords or risk being compromised.

The Wi-Fi Protected Access (WPA) security specification sported by the latest wireless hardware includes a way for administrators -- whether in a small business or home -- to lock down their network using a single pass phrase. However, a poorly chosen code can still be attacked with brute force methods, such as a "dictionary attack," in which an attacker guesses at the password using a list of common words. That makes long random codes a key to security, Robert Moskowitz, senior technical director with ICSA Labs, said in a paper.

"The weakness is in poorly chosen keys and that's warned of in the standard," he said. "Most people use passphrases like RosesAreRed. But those things are in the dictionaries (used by attackers)."

While not a flaw in the standard, Moskowitz worries that users will not understand that their security entirely rests on the randomness of the password they chose for their network.

The WPA specification uses passwords to act as the keys that encrypt a network's communications. The specification allows for two types of key management: pre-shared keys, where everyone uses the same pass phrase, and managed keys, which use a server to assign a different key to each user.

Moskowitz's concerns are for home users and small offices that use the pre-shared key model. The choice of a simple key can lead to easily broken security.

Basically, an attacker could capture the initial data, or "handshake," between the wireless base station and a user's computer. The data can then be analysed and attacked, by trying different passwords, at a later time. Such a brute-force method can be very effective when the network uses an easily guessable password, Moskowitz said.

However, if the network uses a long random code to secure the network, brute force attacks are almost impossible, he said.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
85 out of 182 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:



Related Jobs

SAP FI/CO (AA, AM)

SAP FI/CO Principal Consultant

Senior Designer / Architect (Authorisations Technology), Financial, E.

Sentry Posts Blog

Virtual Teams: Small Business Innovati...

Virtual Teams: Small Business Innovation Author: Eric Everson, Founder – MyMobiSafe.com As the founder of MyMobiSafe.com, I’ve found that because of our presence in the industry... More

Post a comment

Mobile Security and Innovation: An Ope...

Mobile Security and Innovation: An Open Case Author: Eric Everson, Founder MyMobiSafe.com The times are changing in the mobile industry as “big wireless” in the US Markets are calling... More

Post a comment

Government launches new e-crime unit

Ok, so this is outside of my main area of focus of sustainable and green tech but I do track some security issues too. I was at a meeting last week with Microsoft's security advisor... More

Post a comment

Featured Oracle Resources

Human Resources Management eBook

Supply Chain Management eBook

Design and Innovation Report

Economist Intelligence Unit Report - Technology and growth at mid-sized companies

See All White Papers