Friday, March 24, 2006

Ultra-Secure Passwords are just a URL away...

Steve Gibson at grc.com has written a great high-security password generation utility at http://grc.com/passwords. Listen to the Security Now podcast (episode #11) to hear how thorough Steve has been in making this utility genuinely secure. Each page refresh produces a fresh password set. Just make sure you keep a record of the password, because there is no way you can remember these.

I have used them for setting up Hamachi VPN networks and for encrypting data using WinZip. Eventually I'll use them for a WPA wireless setup, when I can find one. From Security Now episode #13:

Steve: The last thing that is important, and this is critical, is passphrase quality. The reason it's critical is WPA is subject to what's called an "offline attack," meaning that someone could sniff your traffic and only needs a little bit of traffic to sniff. They don't need a lot. They then take that home to a big computer and run an offline cracking utility, which basically does a brute force, or dictionary, attack against your passphrase. So because it's possible to do this, to put as much time or energy as necessary, you know, since you're bothering to do WPA anyway, you know, it absolutely makes sense to choose a good passphrase. And what that means is somehow come up with just a jumble of arbitrary special characters. You're able to, with WPA passphrases, you can use anything printable, you know, asterisks, dollar signs, you can look like a comic book swearing person - upper, lowercase, numbers, you name it. And use the full length. A passphrase can be 63 characters. And that's what I'm saying. This is not somewhere where you want to type in a sentence that you like to use. That can get cracked offline. You want just a nightmare jumble of junk. And then you just use copy and pasting in order to paste the same thing into each of your machines at access point. And when a friend does come over, you paste this jumble in, they can't memorize it.

Leo: Right.

Steve: So, you know, before they leave, you delete that from their wireless adapter, and it's safe just by obscurity. There's no way anyone is going to - even you are going to - be able to memorize this 63-character hodgepodge of just static.

Leo: Now, let me ask another question. And this, I think, is really where the criticism comes from on what we were talking about last time with MAC address filtering and so forth. People say, how real is this threat, anyway? Aren't we kind of spreading a lot of fear unnecessarily? How many people are getting hacked?

Steve: I don't know how to respond to that because, again, our goal is just to explain the technology. So it's important for people to know that WPA is subject to offline cracking. So that if they were in a situation where they thought they were secure using a few English words strung together as their passphrase, maybe it's useful for them to know how that can be broken, and that it really can be broken.

...

Steve: Believe me, I do have an extremely strong WPA passphrase that I can't remember. It's in a file on my computer. And when I need to set up a new device, I copy and paste it into the device. There's no way I could even type it again. But it's absolutely never going to get cracked. The reason is that passphrase ends up getting hashed 4,096 times into a 256-bit master key. 256 bits is way long for a master key. So my point is, while you're doing WPA security, if it's okay with your lifestyle to have a key that you can't remember, but because you can't remember it, that demonstrates how strong it is, then take the time to do it once, and you never, never need to worry about it again.
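To make the last point concrete, here is a small Python script I'm adding to this post (it is my own illustration, not code from GRC or the podcast). It generates a full-length 63-character printable passphrase the way the GRC page does, compares its entropy with a few-words passphrase, and performs the standard WPA/WPA2 passphrase-to-key step Steve describes: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output. The SSID name "HomeNet" is just a made-up value.

```python
import hashlib
import math
import secrets
import string

# The 94 printable ASCII symbols (letters, digits, punctuation) that a WPA
# passphrase may contain; WPA passphrases are 8 to 63 characters long.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length: int = 63) -> str:
    """Random passphrase drawn from the OS CSPRNG, 63 chars by default."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8..63 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase to the 256-bit Pairwise Master Key (IEEE 802.11i).

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes out. The
    iterations slow down each offline guess, but only the passphrase's
    entropy decides whether a dictionary or brute-force attack can finish.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


if __name__ == "__main__":
    # Constructed comparison: three common words versus a full-length jumble.
    print(f"3 words from a 10,000-word list: {entropy_bits(3, 10_000):.1f} bits")
    print(f"63 random printable characters:  {entropy_bits(63, 94):.1f} bits")
    strong = generate_passphrase()
    print("passphrase:", strong)
    print("PMK for SSID 'HomeNet':", wpa_psk(strong, "HomeNet").hex())
```

Three dictionary words come to roughly 40 bits, while the 63-character jumble exceeds 400 bits, well beyond the 256-bit key it is hashed into.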
