Advertisement
Promo

Security threats Toolkit

Poor Wi-Fi passwords 'invite attack'

Published: 07 Nov 2003 08:50 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A security expert has warned users of the latest wireless network security standard, Wi-Fi Protected Access, to pick good passwords or risk being compromised.

The Wi-Fi Protected Access (WPA) security specification sported by the latest wireless hardware includes a way for administrators -- whether in a small business or home -- to lock down their network using a single pass phrase. However, a poorly chosen code can still be attacked with brute force methods, such as a "dictionary attack," in which an attacker guesses at the password using a list of common words. That makes long random codes a key to security, Robert Moskowitz, senior technical director with ICSA Labs, said in a paper.

"The weakness is in poorly chosen keys and that's warned of in the standard," he said. "Most people use passphrases like RosesAreRed. But those things are in the dictionaries (used by attackers)."

While not a flaw in the standard, Moskowitz worries that users will not understand that their security entirely rests on the randomness of the password they chose for their network.

The WPA specification uses passwords to act as the keys that encrypt a network's communications. The specification allows for two types of key management: pre-shared keys, where everyone uses the same pass phrase, and managed keys, which use a server to assign a different key to each user.

Moskowitz's concerns are for home users and small offices that use the pre-shared key model. The choice of a simple key can lead to easily broken security.

Basically, an attacker could capture the initial data, or "handshake," between the wireless base station and a user's computer. The data can then be analysed and attacked, by trying different passwords, at a later time. Such a brute-force method can be very effective when the network uses an easily guessable password, Moskowitz said.

However, if the network uses a long random code to secure the network, brute force attacks are almost impossible, he said.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
87 out of 186 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:



Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters