Securing Wifi from sniffers/hackers

Miramonti

What's the best way to secure one's WPA2 Wifi?

I'm aware there are ways to sniff out SSID, hidden or not, to capture fairly efficiently WPA2 encryption keys, even get around MAC address filters, and steal someone's wifi.

Someone also told me that the longer the password is, the easier it is to figure out, and that MAC address filters aren't hard to get around either...true?

What are all of the proactive measures someone could take to secure their Wifi, short of turning it off?
 

LiuKangBakinPie

Kismet->Aircrack->Wireshark->Aircrack-ng->johnTheripper ->Nailed

Moral of the story. DO NOT USE WEAK PASS PHRASES. THE STRONGER THE PASSPHRASE THE SLIMMER THE CHANCES OF IT GETTING NAILED.

Names, words in a dictionary, place names etc etc do NOT USE. Generate a passphrase with random characters, as long as possible. It will take them years to crack!
 

lxskllr

WPA2 is difficult enough, even with a weak password, that it's unlikely anyone is going to try cracking it. There are too many WEP/unencrypted connections to be worth the bother. In any case, you got good info above, but I wouldn't bother using MAC filtering or hiding the SSID if you're using WPA2. Anyone that can crack that won't be deterred in the slightest, and it makes things harder for you.
 

LiuKangBakinPie

With a weak password it's easy. It will take an hour or two to crack. With a strong one, about 500 to 600 years.
 

masteryoda34

Another approach would be to ensure that your sensitive data is only handled by services with their own appropriate security channels, i.e. SSL, SSH, etc. This may be impractical.
 

wirednuts

Just be sure to encrypt your torrentz and use non-standard ports to do the swapping. The cable companies won't get you.
 

Gamingphreek

> Kismet->Aircrack->Wireshark->Aircrack-ng->johnTheripper ->Nailed
>
> Moral of the story. DO NOT USE WEAK PASS PHRASES. THE STRONGER THE PASSPHRASE THE SLIMMER THE CHANCES OF IT GETTING NAILED.
>
> Names, words in a dictionary, place names etc etc do NOT USE. Generate a passphrase with random characters, as long as possible. It will take them years to crack!

That "hacking time line" makes no sense and illustrates that you are just throwing out random semi-relevant information.

AirCrack is for WEP/WPAx-PSK networks.
Kismet does the same thing as Wireshark - they are packet sniffers. Aircrack-ng is the same thing as Aircrack - they are packet capture utilities.
JohnTheRipper I guess is in the right place as you will eventually have to attack the encryption key.

All that aside, unless you can guess the password, WPA2-AES is virtually immune to a brute force attack. Rainbow Tables are the only things that have *theoretically* had *some* success against the AES256 encryption employed by WPA2 Personal.

OP, there are a couple things to keep in mind here:
1. What incentive is there to hack your wireless network in the first place? What does someone have to gain? As others said, there are plenty of WEP/Unsecured networks around. There is no point in attempting to hack a WPA2 wireless network unless there is a very specific reason to target you.

2. If someone is going to attempt to break into your WPA2 network, they are going to need a lot of time - Do you think you would notice? While gear absolutely exists and is readily available that allows someone to pick up a wireless network from over 1 mile away, it brings us back to the first question - What is so important on your personal network that someone chose you as a target?

3. A password with strong entropy (complexity) is unlikely to be brute forced. Rainbow Tables are only a theory and would still require enormous amounts of computing power.

4. If you are really concerned, the best thing you could do outside of enforcing a strong password is to change the password often. Even if someone did manage to break in, the encryption cypher would be different.

*Keep in mind that this only covers hacking the actual wireless network and not compromising a machine and then compromising the network from inside out*

Honestly, someone hacking your wireless network, should be the least of your worries....

-GP

Edit: Also as said above, not broadcasting the SSID and turning on MAC Filtering is worthless. Not broadcasting the SSID is just playing hiding and MAC Filtering can be circumvented easily by spoofing the MAC Address.
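
Added example (not part of the original thread or any poster's code): how a WPA2-Personal key is derived from the passphrase, which is why precomputed tables are tied to one SSID and every guess costs 4096 hash iterations. The "password"/"IEEE" pair is the published IEEE 802.11i test vector; the SSID list and the name "MyHouse-7f3a" are constructed for illustration.

```python
import hashlib

# Constructed sample of factory-default style SSIDs (illustrative, not exhaustive).
COMMON_SSIDS = {"linksys", "NETGEAR", "default", "dlink"}


def validate_passphrase(passphrase):
    """WPA2-Personal passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def wpa2_pmk(passphrase, ssid):
    """Derive the 256-bit pairwise master key as WPA2-Personal does:
    PBKDF2-HMAC-SHA1, SSID as the salt, 4096 iterations, 32 bytes out."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def precomputed_table_reusable(passphrase, table_ssid, target_ssid):
    """A table built for table_ssid only helps against target_ssid if the
    derived keys match, which requires the same salt (the same SSID)."""
    return wpa2_pmk(passphrase, table_ssid) == wpa2_pmk(passphrase, target_ssid)


def ssid_is_common(ssid):
    """True if the SSID is a widely shared default, the only kind for which
    building a table in advance is worth anyone's time."""
    return ssid in COMMON_SSIDS


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())
    print(precomputed_table_reusable("password", "IEEE", "MyHouse-7f3a"))
    print(ssid_is_common("linksys"))
```

A unique SSID plus a long random passphrase means nothing computed in advance applies to the network.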
 

chuck2002

Password complexity is trumped by password length.
The following passphrase is exponentially more secure than the one below it:
I like bubba gum shrimp

I1ik3bu44@

Simply for the fact that the length requires exponentially more computing time per character the longer your password is. Passphrases are easier to type, remember and are just better.
 

Gamingphreek

> Password complexity is trumped by password length.
> The following passphrase is exponentially more secure than the one below it:
> I like bubba gum shrimp
>
> I1ik3bu44@
>
> Simply for the fact that the length requires exponentially more computing time per character the longer your password is. Passphrases are easier to type, remember and are just better.

While length is pretty easy to increase, the character set is the real driving factor. If you stick to normal sentences like the one above, there are not nearly as many possibilities as one that includes punctuation.

For example, if we assume we are only using upper and lower case letters, that gives us 52 possible letters to choose from plus a space. Thus, your example:
I like bubba gump shrimp = 25^53 = 1.23e74

If we use the entire available ASCII character set:
1L!k3P@$sw0rdS = 14^127 = 3.61e145

14 characters generates a password roughly 2.93e71 times more complex. Limiting a program (ie: Setting the dictionary) to limit to standard pass phrases should be one of the first steps when trying to brute force a password.

(Of course, you could always include punctuation in your passphrase which will beef up the complexity.)

One other important point to note about the use of passphrases is that they are more vulnerable to social engineering attacks. A person that "happens" to glance over your shoulder will definitely remember a phrase, whereas they are unlikely to remember something like my password.

-GP

Edit: Also, you are incorrect about the password complexity if we are assuming the hacker narrows the dictionary to start.

I like bubba gump shrimp = 25^53 = 1.23e74
I1ik3bu44@ = 10^127 = 1.0e127
 

Slugbait

[/hand representing plane flying over my head]

The longer the password is, the longer (not harder) it takes to crack. To make it harder (and even longer) to crack, mix in special characters, numbers and random upper/lower-case alphas.

Yes, spoofing a MAC address is easy to get around.

Social engineering has long been one of the primary ways to get somebody's password or passphrase, as well as guessing or brute force. Just use something obscure, don't blab about it, and you'll be fine. For example, let's take "password": %pAs5w3rD! would be pretty difficult to break.
 

Dravic

> What's the best way to secure one's WPA2 Wifi?
>
> I'm aware there are ways to sniff out SSID, hidden or not, to capture fairly efficiently WPA2 encryption keys, even get around MAC address filters, and steal someone's wifi.
>
> Someone also told me that the longer the password is, the easier it is to figure out, and that MAC address filters aren't hard to get around either...true?
>
> What are all of the proactive measures someone could take to secure their Wifi, short of turning it off?

Hidden SSIDs are bad because they can cause the devices to broadcast that are looking for the hidden SSID.

WPA/2 was cracked due to poor implementation of the cipher. Long (20 chars plus) pass phrases all but eliminate the weakness. Your friend is incorrect.

Length trumps complexity simply because it increases the amount of choices to pick from.

20 chars > 14 chars > 6 char

20 chars with specials > 20 char simple sentence type pass phrase.

As someone else stated your time will be better spent making sure all important information is using secure transport protocols (ssh/scp, SSL/TLS, sftp, etc...) . Always assume someone is looking at your data once it leaves your network.
 

Venom20

This might be a stupid question (because I'm ignorant on the details) but wouldn't you need to know a correct MAC address in order to spoof one to bypass MAC filtering? Can that list be grabbed?
 

ZYFER

> This might be a stupid question (because I'm ignorant on the details) but wouldn't you need to know a correct MAC address in order to spoof one to bypass MAC filtering? Can that list be grabbed?

Your MAC address gets broadcasted. Anyone who is intent on cracking your encryption, will already have that.
 

Lemon law

I place some of my faith in my rural location and a not very good wifi antenna. Anyone close enough to eavesdrop will find they are trespassing on my private property guarded by Smith and Wesson and barking dogs. That and the fact that my nearest public road is too far away to reveal to passerby's cars that there is even a wifi network in my house. Short range is an advantage.

But still, I have a fairly strong 9 character password. I can always go back to hardwired if need be.
 

Ayah

Use this site to generate a password: https://www.grc.com/passwords.htm
Use 63 random printable ASCII characters.

i.e. nEp0{]673.MEiAZ_<bAz~SO,]^rSQVh!aDNhtGG9Joc~1zUqoG~Be-GdD##mQ3q

It'll probably make any brute-forcer cry many tears.
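
Added example (not part of the original thread): generating such a passphrase locally from the operating system's CSPRNG instead of a website, and comparing search-space sizes for the lengths mentioned in this thread. The 94-character alphabet (space left out) and the rate of one million guesses per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII characters; space is left out (assumption) because some
# router admin pages trim or mangle it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(length=63, alphabet=ALPHABET):
    """Random WPA2 passphrase; WPA2-Personal allows 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy, valid only when every character is chosen uniformly
    at random. A sentence of real words has far less than this figure."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1e6):
    """Entropy and exhaustive-search time for random passphrases of the
    lengths discussed in the thread (9, 20 and 63 characters)."""
    result = {}
    for length in (9, 20, 63):
        bits = entropy_bits(length, len(ALPHABET))
        result[length] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    print(generate_passphrase())
    for length, (bits, years) in compare().items():
        print(f"{length:2d} chars: {bits:6.1f} bits, {years:.3g} years at 1e6 guesses/s")
```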
 

seepy83

> I place some of my faith in my rural location and a not very good wifi antenna. Anyone close enough to eavesdrop will find they are trespassing on my private property guarded by Smith and Wesson and barking dogs. That and the fact that my nearest public road is too far away to reveal to passerby's cars that there is even a wifi network in my house. Short range is an advantage.

Google: pringles can antenna

Your remote location might not be as remote as you think it is.
 

Lemon law

> Google: pringles can antenna
>
> Your remote location might not be as remote as you think it is.

Point granted and true, but I also hedge my bet with a totally signal opaque piece of metal between my router and the public road.
 

LiuKangBakinPie

> That "hacking time line" makes no sense and illustrates that you are just throwing out random semi-relevant information.
>
> AirCrack is for WEP/WPAx-PSK networks.
> Kismet does the same thing as Wireshark - they are packet sniffers. Aircrack-ng is the same thing as Aircrack - they are packet capture utilities.
> JohnTheRipper I guess is in the right place as you will eventually have to attack the encryption key.
>
> All that aside, unless you can guess the password, WPA2-AES is virtually immune to a brute force attack. Rainbow Tables are the only things that have *theoretically* had *some* success against the AES256 encryption employed by WPA2 Personal.
>
> OP, there are a couple things to keep in mind here:
> 1. What incentive is there to hack your wireless network in the first place? What does someone have to gain? As others said, there are plenty of WEP/Unsecured networks around. There is no point in attempting to hack a WPA2 wireless network unless there is a very specific reason to target you.
>
> 2. If someone is going to attempt to break into your WPA2 network, they are going to need a lot of time - Do you think you would notice? While gear absolutely exists and is readily available that allows someone to pick up a wireless network from over 1 mile away, it brings us back to the first question - What is so important on your personal network that someone chose you as a target?
>
> 3. A password with strong entropy (complexity) is unlikely to be brute forced. Rainbow Tables are only a theory and would still require enormous amounts of computing power.
>
> 4. If you are really concerned, the best thing you could do outside of enforcing a strong password is to change the password often. Even if someone did manage to break in, the encryption cypher would be different.
>
> *Keep in mind that this only covers hacking the actual wireless network and not compromising a machine and then compromising the network from inside out*
>
> Honestly, someone hacking your wireless network, should be the least of your worries....
>
> -GP
>
> Edit: Also as said above, not broadcasting the SSID and turning on MAC Filtering is worthless. Not broadcasting the SSID is just playing hiding and MAC Filtering can be circumvented easily by spoofing the MAC Address.

you got no clue
SSID is the biggest myth in trying to secure a wireless.
 

Slugbait

> you got no clue
> SSID is the biggest myth in trying to secure a wireless.

More precisely, Gamingphreek is absolutely correct. Not broadcasting the SSID is worthless when trying to secure a wireless network. Those who want inside should have the tools to see the hidden SSID anyway...if they don't, they're not even "skilled" enough to crack WAP.
 

Gamingphreek

> you got no clue
> SSID is the biggest myth in trying to secure a wireless.

What in the world are you arguing? SSID is the biggest myth? No, SSID is a real term, not a myth (lol?).

As Slugbait said, not broadcasting the SSID and using MAC Filtering does virtually nothing for you except delay an attacker and make your life harder when people want to connect to your network.

-GP
 

Gamingphreek

> Yes, but using obvious l33tsp3@k character replacement makes it easier to crack.

No it doesn't. That's the reason behind convoluting names like that - it increases the number of possibilities per character from x^26 to x^[However many characters are in the character set you are using]
 