New Wireless Security Standard Has Old Problem?

eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."

Oh, thanks.

[Anonymous Coward]

Way to tell everybody my password.

Man, now I have to change it.

Re:My Dog Has Fleas?

[Tumbleweed]

Yeah, but what if your does doesn't HAVE fleas? Or if you don't even have a dog? Then your security is based on nothing but LIES! And how secure can THAT be? Think before you ask these questions, Mitch.

Re:My Dog Has Fleas?

[DeltaSigma]

What is this infamous "password?"

Everyone's always talking about it, but noone will ever tell me!

Re:My Dog Has Fleas?

[sweetooth]

That's because it's a "secret"

What's that?

[dswensen]

perform an offline dictionary attack

What, you sneak up behind the sysadmin and brain him with a copy of Webster's?

Re:My Dog Has Fleas?

[stefanlasiewski]

My Dog Has Fleas is a positively fantasic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

Well, not really.

Using your child's name for a password is a million times more secure then posting it on Slashdot :)

And with the Slasdot crowd, maybe someone really does have a kid named "j3Nn!f3r". What could be more secure then that? It's so secure that those poor kindergarteners can't even pronounce it!!!

Re:My Dog Has Fleas?

[jamesh]

'My Dog Has Fleas' is indeed fantastic. I'm changing all my passwords to that right now. I encourage you all to do the same.

Re:Oh, thanks.

[interiot]

One! (one)
Two! (two)
Three! (three)
Four! (four)

Five! (five)

That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage.

Re:What's that?

[Anonymous Coward]

perform an offline dictionary attack

What, you sneak up behind the sysadmin and brain him with a copy of Webster's?

Better that than using the Oxford English Dictionary. Talk about your weapons of mass instruction.

Re:Some security is better than no security

[Anonymous Coward]

#HrS2sWmNw/()LggDwMn

That's not random!

Re:My Dog Has Fleas?

[Chops]

Once I noticed that an acquaintance of mine's Win2k machine had no password on the "Administrator" account. I began to lecture him on the dangers of SMB, C$, and such, and the fact that his machine was basically freely usable by anyone who had (a) the internet and (b) some semblance of clue and maliciousness.

He laughed and said, "Yeah, but who would think that the administrator account wouldn't have a password?"

I gave up and said no more.

how about my password?

[SHEENmaster]

6cea e4ca 6713 721c 4cbf 71a4 e1aa 8972 0a03 f9d0 47a9 8f3c 9ead 8fb4 35d9 38c0 0406 1f02 0c46 878f 42f8 5ec1 77c5 1a99 f64b 5ad3 bb82 2c93 7870 a725 ba29 dd2b c470 0e70 3bf4 9c50 01a3 31cd c717 0b68 afe0 d479 62b2 46c0 a0c6 af61 c8e0 1915 01f4 8df8 be64 7401 4ed7 1459 766c d888 e772 f41b b310 e958 ebf6 87a1 c0e7 7a60 99d1 38ff d009 4c65 7a5f dbb0 f347 7a65 1f34 254c 8167 d103 4e34 9fc7 c97b 9ac0 0575 12a5 4f0d 9c87 5015 a647 ab9d 0ff6 f940 c1e7 1699 bfef 9827 b19f 9bc9 8391 3985 ed5e 275d f2c0 d3cd d489 13d3 6d0c 9aba 85e2 221d 1990 2fc8 1584 f2cf f7a1 98de 819d 6d2f 954e 83f0 d4a6 b854 940b 6cec a490 f7ce f556 fff2 fc53 daee 7af2

By coincidence, I do plan to name my kids in hex. Leet-speak would make them look like wimps, while 6cea would certainly make my kid the coolest throughout school.

Re:Shorter Version of the Article

[Anonymous Coward]

If the protocol did not enable an offline attack, then you would be able to see the attacker attempting to guess the password with a live attack and then countermeasuers could be imposed.

Not a good idea. I got a car alarm that would warn me when my car was being stolen. One night I was at McDonalds and my keys start buzzing so I ran to the parking lot, got my ass kicked by the car jacker, then he took off in my car anyway.