What wireless protocol to use with router ?

Hi

When trying to set up my wireless LAN connection, I see that the router options are:

WPA2
WPA2-PSK
Mixed WPA2/WPA
Mixed WPA2/WPA-PSK

What's the best option to use security wise and why? Any downside to any of these options?

Thanks.

 

What router do you have? Usually when WPA2 is compared to WPA2-PSK (Pre-Shared Key) the former is used with a RADIUS server, but support for RADIUS isn't usually found on home gear.

WPA2 (CCMP/AES) is more secure than WPA (TKIP), so mixed mode would be less secure than pure WPA2 (assuming of course that all your clients support WPA2).

 

I use WPA2-PSK with a 18 digit key consisting of random numbers and letters both upper and lower case. I used a random key generator, wrote the key down on a paper, and put it in the router box after I configured it the first time. Have fun cracking that along with spoofing the MAC address of white listed NICs.

 

I use WPA2-PSK. My opinion is that the best choice you can do is to get a router with a button for switching on/off the wireless network. Wireless does not have to be on all the times, for security and energy saving. Also check the routers that give the possibility for more than one wireless network...like a wireless for your guests and your own. Also use a key with lower, upper case and special symbols.

 

If you have the option the most secure is WPA2-AES with a random alphanumeric password of at least 20 characters

 

WPA2 if your other devices support it.

 

Here is an easy randomiser

Step 1: something you remember easily, but few know/not public knowledge.
Take the location of the pub/hotel/restaurant where you celibrated your marriage or location (restaurant, the name of a theater or the title of the movie/play you watched) you first had a date with your partner etc. Anything which can't be related to existing address, public data available, or names of pets/family members/transportation you own.

Step2 making it fit the key length
Add street or date to fill it up to longest charachter set your encrypion allows, or likewise truncate from the right).
e.g. white chapel rock cafe are 18 characters whitechapelrockcafe

Step3 Hashing your mnemonic literal into a base key
Next take your cellphone and press the touch keys representing numbers or letters. This is your base key
whitechapelrockcafe becomes 9448324273576252233

Step 4 Priming your hashed key
Devide the above through 11. Now you are one digit short when you use the numbers until the decimal
858938570325113839.36363636363636 skip the numbers behind the decimal then you will get 858938570325113839 multiply this by 11 now you get 9448324273576252229 subtract this from the base key 9448324273576252233 gives 4, subtract this remainder from 11 and you will get 7, use this digit. So the final key is 94483242735762522297

You can also devide it by 13 using the above method (subtracting the correction from 13)

Cheers Kees.

 

For the lazy amongst us.
https://www.grc.com/passwords.htm

 

Anything more than 12-15 characters for a home computer is overkill to the extreme. I mean, you aren't protecting a CIA mainframe, so what's the point. No one's going to be stupid enough to sit outside your home for weeks trying to crack your budget plastic box router just to get into your home pc. There's far bigger fish in the sea to challenge, after all. Even if they want to crack into a home pc, there's more than enough people ignorant enough running their wireless setups without any pass phrase at all, so why would they waste their time on even a moderately secured setup?

 

For a challenge. Theres plenty of script kiddies out there looking for the next challenge.

 

whats the difference between wpa2 and wpa2 psk? on my router i use wpa2 only/AES only with a pre shared key aka password

 

My security rules of thumb based on the principle there is no software compensation for user stupidity

Rule one: balance between paronoid and sanity
When being hunted by a lion, you do not need to out run the lion, you need to out run one of the others in the herd.

Rule two: reducing the attack surface is far more effective than increasing the defense
That is why I am a promotor of policy based restrictions (OS freebies like UAC, SRP or ACL) or defense (e.g. DefenseWall V3, Online Armor's ability to run unknown programs as SAFER, Comodo's V4 Sandboxing of unkown programs) or alternatives (prefer Chromium with its sandbox over other browsers, prefere IE8's protected mode over FireFox its medium level integrity, etc.)

Rule three: contingency ensures continuity
Have a backup plan (in my case an image and data backup on a off line external harddrive)

Rule four: set and forget prevails over think and decide
So a strong encryption key on WPA2-PSK AES is a one time job, same applies to defense mechanismes which get around the problem like Keyscrambler does for instance with keylogger threats.

Rule Five: staying out of risky places is a also a defense mechanism
Meaning I do not waist CPU with IP blocklists, use the server capacity of the DNS service you use (Open DNS), preferably configured in your router. When using Wot or Linkscanner or Smartscreen in combination with Google search, you effectively have three blacklisting mechansmes: Open DNS, Google and Wot/Linkscanner/Smartscreen. This will reduce risk chance with at least 70% is my guestimate. Same applies with Trusteer Rapport, you browser checks certificates and Trusteer Rapport is able to check certificate and IP addres as well.



Regards Kees

 

Awesome quote, love it

Yes, but strong (especially when we're talking about a home router) can be a 10-15 character key as long as, of course, it follows the rules of creating a strong password. I'm just trying to differentiate between technically possible and realistically "no-chance-of-happening" scenario. Case in point: where I live I can pick up 5-7 wireless at any given time. 4 of them are using wpa/wpa2, two are wep, and the other is no security at all. If I was interested and criminally inclined to do so, I would certainly not waste my valuable time on the secured setups

 

Agree, but the sample was from someone using a 18 character key.

 

Yup thats me.

 

"PSK" is "pre-shared key". The other option is to use a RADIUS server. It's more secure but you need to have a computer on the network you can devote to acting as a full time RADIUS authentication server.

As for general key length strength you might want to check this:
http://blogs.zdnet.com/Ou/?p=127

Then divide by 100:
http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/

That is for brute-forcing the passphrase. Of course if you use a common word for the key a dictionary attack is much, much faster.

 

Thanks, nice to know, even with PC power doubling every year to one and half year, it is safe to use a 8 key pass phrase as long there are others around

Typical in a densily populated area still one with no protection, simular to Wat0114, only no WEP around anymore, due to move to glassfibre connections and new modems installed (half year ago, WEP dominated).

Downside of so many wireless devices in the neighbourhood: you have to move to 300N and use small business class Routers to get a trouble free connection.

 

Or the oft-forgotten 802.11a

 

Kees I've got an question for you, since you are a promotor of using the options integrated in the OS.

What is your opinion about DEP? I have chosen to use it on all programs and services. But is it actually any effective against malware?

 

Why use wireless? Try out powerline ethernet.

 

I have worked in an office which was an old residence. It had ethernet cable trough powercable long before it was a consumer product. It worked well (and kept the design integrity of that majestic workplace intact).

Only reason for keeping wireless were the work laptops of my wife and me.

 

Well that is disputable, unless you set it through config editor.

Dep. ASDL SEHOP, is claimed to be broken on x86 (sorry wilders it is in Dutch) http://www.security.nl/artikel/32585/1/Nederlander_kraakt_Windows_DEP-beveiliging.html

Still combo of UAC, protected mode, etc raises the bar substantially

I personally have not met a malware or PoC being able to break the combo Chrome - Trusteer Rapport - ACL - LUA - DEP on an old XP Pro box. There will be stories of some sample breaking an element of this, I consider them as the normal risks of life (I am planning my next holiday, I will certainly intending to fly to Vietnam, although walking might be safer).

 

The WPA2-PSK part sounds good, but I gave up on the MAC address filter list. As the MAC address is passed in plain text and easily spoofed it really wasn't worth the effort to maintain. If you have a fixed set of machines it can't hurt though. With different devices showing up here on a daily basis it just took up too much time.

 

Just a few thoughts.

There is a product called WEP/WPA Random key Generator.

http://www.soroban.co.uk/wepkeygen.htm

I used it for my key to avoid using the generator that came with the router set up software. I wanted an independently generated code. Maximize it load it, save it you don't need to memorize it ever.

The router for WPA2-PSK also had a H/w FW in it among other settings for things like frequency of changing the code. Alter it to non default setting.

You do not have to broadcast your SSID. But if you do make it a random code as well.

Guy next door uses Peter for his SSID and his psw!

 

for router

step 1 WPA2-PSK AES preferred or at least WPA2-PSK



how to make it simple and strong way learn one poem simple poem or atleast 1st 2 paragraph of it trust me lot of grown up never ever remember that

Twinkle, twinkle, little star,
How I wonder what you are!

When the blazing sun is gone,
When he nothing shines upon,
Then you show your little light,
Twinkle, twinkle, all the night.

now make any combo like 1st and 4th then from *( 8 )start coming back then = or any sign then put cell number of some one you remember

TtlS*HiwW&YawT^BsiG%=9912345678 trust me to break that kinda its take a week and after that you get zero results

or

if that too hard for you then

let say

for example

i love maria sharapova very much i love to take her on date to Venice

again this time cell number then 1, 4 or 2,4 rule or any what you like then start from %(5) go backward or forward up to you i try here to make it simple and hard to crack

9912345678@iLmS%vMiL$tThO#dTv?


cell no then i put @ instead of = at end no place of 4th latter so i put ?

these are pretty easy to remember if you do 10-15 times you get the singing rhythm

step 2 i put access list of by mac address

step 3 i encrypt my hard-disk entirely even i got hacked the last thing which make you safe is encryption of your data thats what create the most pain in @$$ of any one try to be Mr smart

i remember my passwords like that hope it help other as well