Question about WPA2-PSK

pradeep1

Golden Member
Jun 4, 2005
1,099
1
81
I have a Linksys WRT54G running my network in WPA2-PSK mode. The shared key is a strong password generated using Steve Gibson's online password generator. The encryption is 256 bit AES.

Now my question. Does this mean that all the data that goes between the router and my laptop is encrypted using 256 bit AES? No one can use a program to grab that data from the air and read it, right?

I assumed the answer to my question is yes, but I just wanted to make sure before I started like doing banking and other important stuff on my laptop at home.

Don't worry, I also know that I should not do anything secret on an open access point, like at Starbucks.

Thanks,

Pradeep
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
It's still a good idea to periodically change the preshared key since it is subject to brute-force attacks. However, as others have stated, it's going to be very hard for someone to 'see' the traffic sent over the air so long as you keep that key secure.
 

pradeep1

Golden Member
Jun 4, 2005
1,099
1
81
How do you handle a situation where someone who is not a security-minded person (my sister) wants to bring her laptop to my house and use my network to browse the net? Then I have to set up my super-secret PSK on her laptop. Now someone could swipe that key from her laptop, right? Or does XP have a way to make that key a little bit difficult to steal?
 

LuDaCriS66

Platinum Member
Nov 21, 2001
2,057
0
0
Originally posted by: pradeep1
How do you handle a situation where someone who is not a security-minded person (my sister) wants to bring her laptop to my house and use my network to browse the net? Then I have to set up my super-secret PSK on her laptop. Now someone could swipe that key from her laptop, right? Or does XP have a way to make that key a little bit difficult to steal?

It's actually extremely easy to recover the pass phrase on XP. There are utilities that will show every wireless pass phrase that has been saved on a computer with the snap of a finger.

I suppose if you were really worried about it, you could change it every once in a while.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
XP SP2 (and Vista) do have a networking wizard that puts the configuration on a flash disk and configures an autoplay. I did this at my house to easily provision wireless access for machines (didn't feel like manually entering my 63 character PSK on multiple machines).

If this is something you want to try out just walk through the wireless setup wizard and it will walk you through creating the disk.

NOTE that a malicious user could easily get the key if you gave them access to that flash disk.
 

LuDaCriS66

Platinum Member
Nov 21, 2001
2,057
0
0
As for the original question, banking sites and the like use SSL encryption. That info is safe even if you didn't have wireless encryption on. In general, if you use WPA2, you pretty much don't have anything to really worry about.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
What's your password? We'll tell you if it's any good or not.

As others have stated, WPA2 is considered about as good as it gets as long as you have a good password. And, no, it's not a good idea to send confidential data at Starbucks. IF you are on an encrypted web site and IF it encrypts your Username/Password, then, yeah, SSL across WiFi is also considered safe. Or if you are first opening a VPN tunnel from Starbucks, that is fine, too.
 

pradeep1

Golden Member
Jun 4, 2005
1,099
1
81
Originally posted by: RebateMonger
What's your password? We'll tell you if it's any good or not.


Oh, okay, test these out and let me know what you find out:

My WinXP login password is:

15CE754373B05A21CE83DAD355B008E51C9559B9791118ACB7CBF74CE53076AB

My router password is:

w.-2p?3M;%ekhOXW.RPGPMPgWDL,-gM64OSaZiJ>#Lx6`o>HzKg #&vZUypZp}n

My WPA2 password is:

Q1s80pZqdQ7xvzSQvlVY7Todk6H9P0lXIDvIYL7b3U3sTr9jSxHjL9qyiPTQOFi






 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: pradeep1
Originally posted by: RebateMonger
What's your password? We'll tell you if it's any good or not.


Oh, okay, test these out and let me know what you find out:

My WinXP login password is:

15CE754373B05A21CE83DAD355B008E51C9559B9791118ACB7CBF74CE53076AB

My router password is:

w.-2p?3M;%ekhOXW.RPGPMPgWDL,-gM64OSaZiJ>#Lx6`o>HzKg #&vZUypZp}n

My WPA2 password is:

Q1s80pZqdQ7xvzSQvlVY7Todk6H9P0lXIDvIYL7b3U3sTr9jSxHjL9qyiPTQOFi


<---- Makes notes to recommend during the next IS/IT audit to increase the average user password for windows to a minimum of 40+ characters.


Seriously though, if I understand what is being stated here, it is that if a client machine is believed to be at a high risk for being compromised then changing the PSK frequently is recommended.
 

pradeep1

Golden Member
Jun 4, 2005
1,099
1
81
Originally posted by: Oakenfold
<---- Makes notes to recommend during the next IS/IT audit to increase the average user password for windows to a minimum of 40+ characters.


Seriously though, if I understand what is being stated here, it is that if a client machine is believed to be at a high risk for being compromised then changing the PSK frequently is recommended.



The only laptops connecting to my network would not be under high risk of being compromised since they are mostly used inside of the house.

I think a sufficiently random 63 character PSK should offer me plenty of safety.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,487
391
126
Well, if you are so concerned, spend an additional $30 (or $10 on a good sale), buy a second Router (better spending than paying for Xanax to reduce anxiety) and set up a Segregated Network. http://www.ezlan.net/shield.html

Keep the first Wireless level open for friends, guests, etc.

Put your computer and Wireless behind the second Router, give them a Million characters Password and do not tell it to any "Grifter" like Rebate Monger. :beer:

 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Oakenfold
<---- Makes notes to recommend during the next IS/IT audit to increase the average user password for windows to a minimum of 40+ characters.

The other option is to set a password policy that forces Users to change their password every five minutes. That's what I do.

Originally posted by: JackMDS
Put your computer and Wireless behind the second Router, give them a Million characters Password and do not tell it to any "Grifter" like Rebate Monger.

Hey, I resemble that remark! (Thanks to Curly of the Three Stooges for that line.)
 

pradeep1

Golden Member
Jun 4, 2005
1,099
1
81
Originally posted by: lumbus
Cracking_WEP_and_WPA_Wireless_Networks

Quotes from that article:

"A WPA key can be made good enough to make cracking it unfeasible."

"A robust dictionary attack will take care of a lot of consumer passwords."

"The most important part of brute forcing a WPA password is a good dictionary."


So, if you use a sufficiently random/complex password like my example above:

Q1s80pZqdQ7xvzSQvlVY7Todk6H9P0lXIDvIYL7b3U3sTr9jSxHjL9qyiPTQOFi

there is no way it can be brute-force cracked any time soon.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Indeed, as pradeep1 mentioned, it's not going to brute force a key like that anytime soon.

Not to mention (as also mentioned above) banking is all SSL, so it goes from your browser and gets encrypted, to your network card, where it is encrypted again... not a huge chance of cracking that with brute force.

The worst is when you do logins in plaintext before hitting SSL, such as most SOHO router web interfaces.
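
The point made in the thread about dictionary words versus a random 63-character key can be put in numbers. The sketch below is an added example, not code from any poster or from the quoted article: it derives the WPA2-PSK pairwise master key the standard way (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output) and compares search-space sizes. The SSID, passphrase, wordlist size and guess rate are constructed assumptions.

```python
import hashlib
import math

PMK_BITS = 256        # WPA2-PSK always derives a 256-bit pairwise master key
PBKDF2_ROUNDS = 4096  # fixed by the WPA/WPA2 passphrase-to-key mapping
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK. The SSID is the salt, so the same passphrase
    yields a different key on a differently named network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS,
                               PMK_BITS // 8)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase. Anything above 256 bits
    is wasted, because an attacker could search the PMK space instead."""
    return min(length * math.log2(alphabet_size), PMK_BITS)


def dictionary_bits(wordlist_size: int) -> float:
    """Effective entropy when the passphrase is one entry of a wordlist."""
    return math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given (assumed) guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e6  # assumed guesses per second, for illustration only
    pmk = derive_pmk("constructed-sample-passphrase", "HomeNet-example")
    print("PMK:", pmk.hex())
    cases = {
        "word from a 100M-entry list": dictionary_bits(10**8),
        "8 random lowercase letters": random_passphrase_bits(8, 26),
        "63 random alphanumerics": random_passphrase_bits(63, 62),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e}/s")
```

A 63-character random alphanumeric passphrase carries more entropy than the 256-bit key it is hashed into, so the cap in `random_passphrase_bits` is what limits its strength, not its length.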
 