Dan Goodin over at Ars Technica has an interesting and scary article about cracking his neighbors’ WiFi network passwords. Sadly, this turns out to be a lot easier than it should be. The general process is
- Capture the authentication handshake between the WiFi access point and a client. An attacker can force this handshake by sending a deauth frame.
- Upload the captured handshake to a service such as CrowdCracker, pay a nominal fee, and receive the cracked password in return.
All of this is pretty discouraging. What can you do to make your network secure? The answer, as it often is, is to choose sensible passwords. CrowdCracker and similar services work by trying an extensive dictionary of possible passwords against the captured authentication handshake. If you choose a well-known or even an obscure but known password, the attacker will have your password in a matter of minutes (see the article for details).
Goodin’s recommendation is one we’ve discussed many times at Irreal: choose a password of several words such as those generated by Diceware as I discussed here, here, here, and here. A password such as “quartz apple some perfume bring token” will not appear in any password dictionary, is relatively easy to remember, and has enough entropy to be effectively unbreakable. The links above show two computer programs to generate passwords such as this but all you really need is one or more dice as explained on the Diceware Site.
The other possibility is to use a password manager, such as 1password, that allows you to generate passwords that are too long and random to remember. Again, these will not appear in any dictionary so the attacker’s only recourse is brute force. With sufficiently long passwords this will, as a practical matter, be impossible.
Password security is under attack as never before so it’s more important than ever to Choose a strong, long, random password and never reuse it.