Long story short I will be buying a new house here and plan to rent out a basement suite to help cover the mortgage. If you read my posts before you probably know I like to keep things as secure as possible like most people on Wilders.

I will be using WiFi with WPA2-CCMP with a very strong password as usual, now should I:

A) Using DD-WRT setup WLAN Partitioning to keep all devices separated so they can't "talk" to each other.

B) Set up a Virtual AP for the tenant (so it's completely separate).

C) Do both A + C

D) Pay to have another modem installed in the basement (it's cable internet so I have to get another jack wired in downstairs.

E) Something else?

A & B are the cheapest but would they be secure enough? If I did D I would have to leave internet up to the tenant and not supply it at all for them.

Any thoughts?

Without getting too technical your safest bet both technically and legally would be a separate modem. I say that because the individual renting would have an account in his own name, his ip, his own online identity. I assume the worst in people until they prove otherwise so I automatically think the person you rented the basement out to will look into child porn, pirate software & movies, and attempt to sniff the network. Or even reset the router when you are not there and expose your network… (All these possibilities listed have happened to me during my youth, rooming with 2 to 3 people)

So yes, you would mention the internet is separate and they would have to purchase a plan themselves. Lock your own router out of sight from them.

Thanks! That's what I was thinking. :thumb:

srry to burst your bubble but wifi w/ any encryption scheme is insecure as all hell.

best best is wpa2 w/ a 63 character password (good luck remembering that) this key can still be cracked, but it will take a hell of a long time to do it. even stuff like "2012NYGiantssuperbowlchamps" can be cracked fairly easily. 63 characters for max security

do NOT use wps on your AP, this is the "enter the code to connect w/o password" thing which is enabled by default by virtually everyone. and even if you are using WPS2, that WPS key can be cracked in about 4 hrs tops giving you full control of the AP

just run ethernet down there and throw them on a different subnet, or have them buy their own cable service

wifi sucks.

-{ Quote: "srry to burst your bubble but wifi w/ any encryption scheme is insecure as all hell.

" }-


If set up incorrectly yes, though if you do it right wifi encrpytion is plenty secure.

-{ Quote: "srry to burst your bubble but wifi w/ any encryption scheme is insecure as all hell.

best best is wpa2 w/ a 63 character password (good luck remembering that) this key can still be cracked, but it will take a hell of a long time to do it. even stuff like "2012NYGiantssuperbowlchamps" can be cracked fairly easily. 63 characters for max security

do NOT use wps on your AP, this is the "enter the code to connect w/o password" thing which is enabled by default by virtually everyone. and even if you are using WPS2, that WPS key can be cracked in about 4 hrs tops giving you full control of the AP

just run ethernet down there and throw them on a different subnet, or have them buy their own cable service

wifi sucks." }-

Not sure where you are getting your information from but it's very inaccurate. WiFi is plenty secure if you are using WPA or WPA2. All you need to use is a password that is ~14 chars. or longer and change the SSID. This makes all attacks impractical as you would actually have to run through either a dictionary attack (slow) or generate your own tables with that SSID to attack it (still slow).

The only true attack is WPS which is easily disabled.

I also happen to run my network in an enterprise configuration (as such every user has a different password and encryption key) and WPS cannot run in said configuration.

P.S. I'm one of the few people you have disabled WPS since it came out (from not trusting it).

Everyone forgot; --> USE THE MAC feature to lock the router down further so there can only be connection attempts by those on the 'Access List'. ;)

-{ Quote: "Everyone forgot; --> USE THE MAC feature to lock the router down further so there can only be connection attempts by those on the 'Access List'. ;)" }-

Forgot your sarcasm font:)

-{ Quote: "Not sure where you are getting your information from but it's very inaccurate. WiFi is plenty secure if you are using WPA or WPA2. All you need to use is a password that is ~14 chars. or longer and change the SSID. This makes all attacks impractical as you would actually have to run through either a dictionary attack (slow) or generate your own tables with that SSID to attack it (still slow).

The only true attack is WPS which is easily disabled.

I also happen to run my network in an enterprise configuration (as such every user has a different password and encryption key) and WPS cannot run in said configuration.

P.S. I'm one of the few people you have disabled WPS since it came out (from not trusting it)." }-

ROFL id have to disagree by a mile. changing the SSID doesn't have sht to do with anything. if im trying to break into an AP i could care less what you name the thing bc im connecting via mac address which your AP broadcasts publicly. and the ssid is totally irrelevant to everything

goog search noob http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx

-{ Quote: "The only true attack is WPS which is easily disabled. " }-
flat out false http://www.aircrack-ng.org/ even script kiddies can do it

-{ Quote: "Everyone forgot; --> USE THE MAC feature to lock the router down further so there can only be connection attempts by those on the 'Access List'. ;)" }-

yes that's the best you can do, still ways around this by recording client macs through various means and then just spoof it to crack everything

63bit keys are really the only way to go as brute force will take forever.

use hardwired connections, wifi sucks.

-{ Quote: "ROFL id have to disagree by a mile. changing the SSID doesn't have sht to do with anything. if im trying to break into an AP i could care less what you name the thing bc im connecting via mac address which your AP broadcasts publicly. and the ssid is totally irrelevant to everything

goog search noob http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx


flat out false http://www.aircrack-ng.org/ even script kiddies can do it" }-


What x942 said is accurate. I believe you may have some general misunderstandings of how wireless encryption works. Encryption algorithms aside most routers will use the SSID as a salt to compliment the hashed PSK. Changing the SSID to a unique name means it would be impractical to do rainbow tables against it.

I've yet to see a practical attack on WPA2 that doesn't involve a brute force attempt at a captured handshake. (individual router feature/exploits aside)

WPA2 with strong passphrase changed every 3-4weeks is plenty secure. If the user goes one step further and implements full 802.11x authentication methods then there is no current resource efficient way someone is getting into the network.

From an encryption standpoint wireless is very secure. The faults come from human error such as weak passphrases/falling victim to an evil twin.
Being realistic most wireless intrusions on home users are done by adversaries looking for quick internet access or launching points to perform illegal activities. Unless they are your neighbor, or you have the only wifi within a 100 mile radius, most attackers will 9.9/10 times not waste time trying to capture and crack your WPA/2 handshake if you utilize the encryption properly. They will usually run the handshake through a list of captured password databases and dictionary word lists. Some may even run the handshake against a cluster wordlist online. If you use strong passphrases these will turn up nothing and they will move on.

For targeted attacks, if using a PSK, a simple strong passphrase and expiration date of said phrase will mitigate the attack. Using authentication means will mitigate the evil twin/Deauth attacks.

[edit] Fixed some typos

-{ Quote: "ROFL id have to disagree by a mile. changing the SSID doesn't have sht to do with anything. if im trying to break into an AP i could care less what you name the thing bc im connecting via mac address which your AP broadcasts publicly. and the ssid is totally irrelevant to everything

goog search noob http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx


flat out false http://www.aircrack-ng.org/ even script kiddies can do it" }-

Since EncryptedBytes was kind enough to already point out the flaws in this post (thanks by the way) I am just simply going to say that you obviously have no idea what your talking about.

SSIDs are very important when it comes to WPA/WPA2 (as mentioned in the post above).

Maybe YOU should do some research:
https://en.wikipedia.org/wiki/WPA2#Security

From: Small Net Builder (http://www.smallnetbuilder.com/wireless/wireless-howto/30278-how-to-crack-wpa--wpa2)

-{ Quote: "The Wi-Fi Alliance, creators of WPA, were aware of this vulnerability and took precautions accordingly. Instead of concatenating the key in the IV (the weakness of WEP), WPA hashes they key using the wireless access point's SSID as a salt. The benefits of this are two-fold.

First, this prevents the statistical key grabbing techniques that broke WEP by transmitting the key as a hash (cyphertext). It also makes hash precomputation via a technique similar to Rainbow Tables more difficult because the SSID is used as a salt for the hash. WPA-PSK even imposes a eight character minimum on PSK passphrases, making bruteforce attacks less feasible." }-

There are only five known ways of attacking WPA/WPA2:
1) Bruteforce/dictionary attack
2) Rainbow Tables (only for known/common SSIDs)
3)WPS BruteForce (Not a WPA vulnerbility
4) TKIP vulnerability if QOS is enabled.
5) Evil AP

Attacks 3 and 5 are side channel attacks and don't exploit any vulnerably in WPA itself.
Attack 4 is a vulnerability against TKIP and ONLY works if QOS is enabled. Disabling QOS or using CCMP (AES) defeats this attack.

Before you call people out, try doing some research first.