The End of WPA2?
October 16, 2017 3:23 AM   Subscribe

Apparently there is a new, valid nonce reuse attack for WPA2... Well, it looks like one of the last reasonable bastions of IT security is breached. It appears you can bypass WPA2 using an attack forcing key reinstallation by manipulating modding and replaying crypto packets to get WPA2 to reset keys.

They haven't made the formal announcement yet, but the site is currently up and the paper is here.
posted by Samizdata (73 comments total) 24 users marked this as a favorite
 
What is a 'nonce'?
posted by thelonius at 3:53 AM on October 16, 2017 [3 favorites]


Thanks for that link. Especially good in light of the word's other common meaning.
posted by Dysk at 3:58 AM on October 16, 2017 [1 favorite]


You got it in one, thelonius. Sorry, I get so used to both MeFi's being brilliant AND staring blankly at current pop culture references with little or no supporting info, I just didn't run any farther with that and I should have.

Luckily the fix is reverse compatible, so patched clients will be able to talk to both patched and non-patched APs. Unluckily, changing the key/password or the name/SSID of the access point will fix nothing.
posted by Samizdata at 3:59 AM on October 16, 2017 [2 favorites]


Plus, you know, I figured a post about crypto would make the context of the word nonce pretty clear, just like a post about the Linux cat command would be pretty clear it was not about felines.
posted by Samizdata at 4:01 AM on October 16, 2017 [7 favorites]


the article about the linux pipe command is still about bongs though, right?
posted by quonsar II: smock fishpants and the temple of foon at 4:04 AM on October 16, 2017 [26 favorites]


the article about the linux pipe command is still about bongs though, right?

Only if your favorite distro is Chong...
posted by Samizdata at 4:05 AM on October 16, 2017 [2 favorites]


Eh, there's so many 'poetic' or over-the-top evocative names given to bugs and exploits these days (heartbleed, badlock, etc) that it's not outside the realms of possibility unless you already know what a cryptographic nonce is.
posted by Dysk at 4:05 AM on October 16, 2017 [2 favorites]


I had no idea what it meant, and thought others might be in the same position - didn't mean to make a big deal of it, sorry
posted by thelonius at 4:09 AM on October 16, 2017 [6 favorites]


I had no idea what it meant, and thought others might be in the same position - didn't mean to make a big deal of it, sorry

No apologies necessary from you. As I said, I am sorry for making assumptions.
posted by Samizdata at 4:16 AM on October 16, 2017 [2 favorites]


the good news:

Do we now need WPA3?

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

posted by thelonius at 4:20 AM on October 16, 2017


The bad news: millions of devices have been virtually abandoned by vendors and will never be patched.
posted by runcifex at 4:23 AM on October 16, 2017 [37 favorites]


The bad news: millions of devices have been virtually abandoned by vendors and will remain unpatched.

Wait. I thought news was something you DIDN'T know as a fact of life.

And I mentioned the reverse compatibility above, thelonius, but a good call out.
posted by Samizdata at 4:25 AM on October 16, 2017 [2 favorites]


Metafilter: Something you DIDN'T know as a fact of life.
posted by runcifex at 4:26 AM on October 16, 2017 [7 favorites]


Krack attack paper live (it got leaked) (PDF)

I'm just going to leave this here with the intermediate reddit link in case anyone else can't sleep.
posted by loquacious at 4:34 AM on October 16, 2017 [1 favorite]


And in other crypto news this morning there's this.
posted by noneuclidean at 4:43 AM on October 16, 2017 [4 favorites]


And in other crypto news this morning there's this.

The first thing that went through my mind was "Security through obscurity."

Then I read the article...
posted by Samizdata at 5:05 AM on October 16, 2017


The bad news: millions of devices have been virtually abandoned by vendors and will never be patched.

ArubaOS has been patched, so I get to spend my day updating APs, but at least there was a patch to be had, unlike with most vendors.
posted by briank at 5:22 AM on October 16, 2017 [3 favorites]


OMFG, being able to calculate a Private Key from the corresponding Public Key is “Ghostbusters”-level Bad.
posted by wenestvedt at 5:38 AM on October 16, 2017 [11 favorites]


For ordinary home users, your priority should be updating clients such as laptops and smartphones. - from the official FAQ on the home page. If you're not using your AP as a wifi client, you probably don't need to worry about the AP.

Unless you have business-grade APs with "fast roaming" enabled. I think it's expected not to be enabled for the average home AP though. I don't think they're telling people not to worry just because 95% or whatever of APs are outside of security support and there's nothing you can do anyway.
posted by sourcejedi at 5:39 AM on October 16, 2017


How long did it take for WEP to go away?
posted by 1970s Antihero at 5:46 AM on October 16, 2017


So...For those of us for whom this all sounds a bit like Martian...If all I have at home is a simple wireless router (like an Apple Airport Extreme, for instance), I don't really have much to worry about other than hoping Apple pushes-out some form of update for the various iPhones, laptops and desktops in the house?
posted by Thorzdad at 5:59 AM on October 16, 2017


So...For those of us for whom this all sounds a bit like Martian...If all I have at home is a simple wireless router (like an Apple Airport Extreme, for instance), I don't really have much to worry about other than hoping Apple pushes-out some form of update for the various iPhones, laptops and desktops in the house?

Yup. Exactly.
posted by Samizdata at 6:04 AM on October 16, 2017 [3 favorites]


You should also be on the lookout for a firmware update on the router itself, but yea. This is very bad, but not "buy a new router or the Russians win" bad. Update everything, and if you're using a 5 year old Android phone with no support anymore, maybe it's time for a new one finally.
posted by T.D. Strange at 6:11 AM on October 16, 2017 [1 favorite]


> I figured a post about crypto would make the context of the word nonce pretty clear, just like a post about the Linux cat command would be pretty clear it was not about felines.

The rule of thumb I try to use: if it’s any kind of subcultural or specialist’s jargon, no matter how familiar I think it is, it’s going to be useful to somebody to provide a definition either explicitly or through context.

The people who don’t understand a term will appreciate it, the people who already knew the term will either skip over the extra words or do a better job of explaining it in a comment.
posted by ardgedee at 6:19 AM on October 16, 2017 [10 favorites]


I want to point out that the author's first name is "Mathy". Their last name is not "McMatherson", but they should consider changing it.

(Also want to repeat what was said upthread in case anyone missed it: it's a client attack, and your AP/router is fine and will not require updating. Which is good, because the chance of your vendor issuing a firmware update for your shitty internet-provider-mandated router is usually nil)
posted by phooky at 6:23 AM on October 16, 2017 [7 favorites]


[There's a Metatalk discussion currently active for folks who want to talk how to handle unfamiliar or technical terminology in posts.]
posted by taz (staff) at 6:26 AM on October 16, 2017 [2 favorites]


A typical attack on a typical credit card transaction would have to break both WPA2 and HTTPS, right? Does that make it more challenging for the attacker?
posted by clawsoon at 6:39 AM on October 16, 2017 [1 favorite]


Update everything, and if you're using a 5 year old Android phone with no support anymore, maybe it's time for a new one finally.

I do, though have an 8-year-old iMac on the wifi network that's running 10.9.5 and can't really go any newer because of some necessary (but old and no longer updated) software. I kind of doubt Apple's going to roll-out an update for that. Or, is the iMac's lack of portability (i.e. It isn't going to be on any other network but mine) a plus in this case?
posted by Thorzdad at 6:45 AM on October 16, 2017


My understanding is updating either the server (your router) or the client should fix it. Both would be better, but unless you're carting an imac around outside your house, updating the router firmware is sufficient. Or plug it in with an ethernet cable, it's only the wifi encryption protocol that's affected.
posted by T.D. Strange at 6:51 AM on October 16, 2017


it's a client attack, and your AP/router is fine and will not require updating.

Could you please explain what a "client" is in this context?

There should really be an area of Metafilter where, whenever the latest "the Internet's about to screw you over" news breaks, someone is able to break down exactly what happened in layman's terms and explain exactly what the layman needs to do to protect themselves.

Y'all giving us a heart attack with this high-tech mumbo jumbo.
posted by Hey Dean Yeager! at 6:57 AM on October 16, 2017 [6 favorites]


it's a client attack, and your AP/router is fine and will not require updating

Welp I guess I read the Ars article wrong too, you're saying I should've waited before pouring gasoline on my router? Damnit.
posted by T.D. Strange at 6:59 AM on October 16, 2017 [1 favorite]


My understanding is updating either the server (your router) or the client should fix it.

updating your AP is not sufficient. you must update your client to close this vulnerability.
posted by indubitable at 7:10 AM on October 16, 2017 [2 favorites]


Your reading skills are probably fine. The Ars Technica article is confused; it doesn't read as if the author understood these details. (The official website kind of buries the distinction, and doesn't explain it in detail).
posted by sourcejedi at 7:12 AM on October 16, 2017


WPA2-PSK, as it is usually deployed, is not very secure even with this bug fixed.

If someone can determine the password they can derive the key. Once they have the key they can decrypt everything, including previously captured traffic.

The password can be cracked offline. All it takes is passive interception of a few packets, some modest hardware, and a bit of time. PBKDF2 is used with 4096 iterations, which is better than nothing but unless you use a really long and random passphrase you should expect it to be easily broken. Doing so does not require the attacker to make even a single attempt at connecting to the network and so cannot be rate-limited by that.

Public wifi like you find at coffee shops is even worse, because the password is given to anyone who asks.

These problems could all have been avoided by using a PAKE. Those are only vulnerable to active man-in-the-middle attacks, and only by people who already know the password, and the password cannot be cracked offline.
posted by swr at 7:14 AM on October 16, 2017 [5 favorites]


From this helpful Engadget article:

"Here's how it works. Attackers find a vulnerable WPA2 network, then make a carbon copy of it and impersonate the MAC address, then change the WiFi channel. This new, fake network acts as a "man in the middle," so when a device attempts to connect to the original network, it can be forced to bypass it and connect to the rogue one."

So updating your router will do nothing. The issue is that the client implementation of WPA2, particularly Linux/Android, have a bug which bypasses the security of the nonce, allowing the same nonce to be used multiple times. Update your phone, your laptop, your tablet.
posted by grumpybear69 at 7:17 AM on October 16, 2017


WPA2-PSK, as it is usually deployed, is not very secure even with this bug fixed.

If someone can determine the password they can derive the key. Once they have the key they can decrypt everything, including previously captured traffic.


uhh yeah, gonna need a citation on that.
posted by indubitable at 7:18 AM on October 16, 2017 [1 favorite]


Wow, I always (mentally) pronounced it "N once" when reading about cryptography due to its definition.
posted by lefty lucky cat at 7:24 AM on October 16, 2017 [4 favorites]


The Engadget article says:
In some cases, a script can also force a connection to bypass HTTPS, exposing usernames, passwords and other critical data.

That seems to make this vastly more serious, but I can't find any reference to that in the paper and might not understand it if I did. Can anyone explain?
posted by Busy Old Fool at 7:32 AM on October 16, 2017


Ah, so 'bypassing https' is not part of this specific attack, but refers to other attacks that this could be combined with?

From Krakattacks:
For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
posted by Busy Old Fool at 7:36 AM on October 16, 2017


uhh yeah, gonna need a citation on that.
Here's a how-to. You'll need a wifi device capable of monitor mode to do packet captures. You'll also need to capture the initial handshake that negotiates the per-session key.

Obviously don't do this when anyone else is using the network or you may be violating their privacy and probably the law.
posted by swr at 7:38 AM on October 16, 2017 [2 favorites]


In case anyone else (like me) didn't fully understand what this post was about without additional reading:

* Your Password-Protected Wi-Fi Isn't Safe From Snooping. Researchers have discovered vulnerabilities that allow eavesdropping on networked with WPA 2 security.

* 41 percent of Android phones are vulnerable to 'devastating' Wi-Fi attack. Every Wi-Fi device affected by some variant of attack

* Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping. KRACK attack allows other nasties, including connection hijacking and malicious injection.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek Linksys, and other types of devices. The site warned attackers can exploit it to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

posted by zarq at 7:39 AM on October 16, 2017 [2 favorites]


Everything is broken!
Everything isn't cool when they can derive the key!
Everything is broken!
When we're wire free!
posted by Talez at 7:46 AM on October 16, 2017 [4 favorites]


Obviously don't do this when anyone else is using the network or you may be violating their privacy and probably the law.

As long as you don't transmit anything in an unauthorized fashion (e.g. associate with a network or perform attacks to provoke a WPA handshake) then it's perfectly legal to sniff any traffic you want. If you have no malicious intent then I don't believe it's illegal to decrypt either. Consult a lawyer if in doubt.
posted by vira at 7:51 AM on October 16, 2017 [1 favorite]


Here's a how-to. You'll need a wifi device capable of monitor mode to do packet captures. You'll also need to capture the initial handshake that negotiates the per-session key.

that is very interesting, thanks for the link!
posted by indubitable at 8:04 AM on October 16, 2017


Here's a how-to. You'll need a wifi device capable of monitor mode to do packet captures. You'll also need to capture the initial handshake that negotiates the per-session key.

Yup, I used those very same instructions so I could sniff traffic from a wireless laser printer/scanner to figure out why it couldn't talk to one particular email server. Now that I think of it, I'm putting the odds of that printer getting a firmware upgrade to protect itself against KRACK at zero.
posted by zsazsa at 8:23 AM on October 16, 2017


Information I could find on whether this has been patched for major OSes:

Windows: Fixed, make sure to run Windows Update if it is not set to run automatically.
Android: Not fixed, supposedly will be "in the coming weeks."
iOS & mac OS: Couldn't find information, presumably vulnerable.
Debian Linux: Fixed, be sure to update your systems.
posted by jcreigh at 8:52 AM on October 16, 2017 [2 favorites]


So, was this not released in a manner in which the vendors could respond with enough time for a patch? Microsoft seemed to have a patch ready, but Google and Apple don't? Has anyone found information on when the vendors were given a heads up?
posted by herda05 at 9:05 AM on October 16, 2017 [1 favorite]


From what I've seen on Twitter (here), at least iOS 10.3.1 was not, for the most part, vulnerable to these attacks, and neither were Windows 7 and 10.
posted by wotsac at 9:11 AM on October 16, 2017


So, was this not released in a manner in which the vendors could respond with enough time for a patch?

Articles I posted above note that many vendors were notified in August. Some companies, like Mikrotik, have released firmware or software updates in the interim which fix the vulnerability. Others haven't yet.
posted by zarq at 9:12 AM on October 16, 2017 [1 favorite]


How long did it take for WEP to go away?

Ha! Good one.
posted by Sys Rq at 9:14 AM on October 16, 2017 [3 favorites]


This site is being updated with device/router patch status.
posted by bluecore at 9:44 AM on October 16, 2017 [2 favorites]


This is irresponsible, fear-mongering reporting. Windows is already patched. Some versions are not even affected. iOS is not affected. old versions of android are fine, modern versions of android likely to be patched.
good deconstruction here: https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0
posted by evilmonk at 9:51 AM on October 16, 2017 [5 favorites]


modern versions of android likely to be patched.

According to bluecore's link, "Android devices running 6.0 and above are affected. Google has officially issued a fix and says devices with a security patch level of November 6 2017 or later are protected against these vulnerabilities."

This "November 6" patch is not yet available to end users. Presumably it will be in a few weeks.
posted by aubilenon at 10:27 AM on October 16, 2017 [1 favorite]


This is irresponsible, fear-mongering reporting. Windows is already patched. Some versions are not even affected. iOS is not affected. old versions of android are fine, modern versions of android likely to be patched.
good deconstruction here: https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0


Yeah, because people pay attention to news stories that just say "Hey, a thing happened."
posted by Samizdata at 12:10 PM on October 16, 2017 [1 favorite]


So I know how to run Windows Update and how to update my iPhone, but will something just appear on my screen that says "click here to update router"? I have looked at most of the links in this thread and none of them explain exactly what I need to do. Do I need to call AT&T? I feel like it's kind of rude to scare people without giving them some guidance.
posted by AFABulous at 12:36 PM on October 16, 2017


It's sort of unfortunate that this is unlikely to actually be the end of WPA2; it's not a great protocol. As others have pointed out, among its biggest flaws is the lack of Forward Secrecy — what it should do is a Diffie-Hellman key exchange as part of the initial handshake. This would ensure, or at least make it very difficult, for someone who is passively monitoring traffic to decrypt the stream given the network password. Each client's traffic would be isolated, in other words, from every other's.

But WPA2 doesn't do that, even when it's working properly (in other words, unrelated to the KRACK bug). If you're in a coffeeshop or hotel or whatever, and you have the network password, unless there's a sophisticated "enterprise" auth scheme in use (extremely uncommon, in my experience, because they're just a bastard to set up), you can passively monitor and record all the packets and then decrypt everything at your convenience. The only trick is that you need to get the initial handshake between the AP and the client. So if you walk in and start logging after someone has connected to the AP, you're SOL — but if you get there first, or have a logger running constantly, then they are.

Now that more and more websites are using HTTPS/SSL all the time it's somewhat less of a problem than it used to be, but a ton of sites still don't. And some of the more embarrassing and sensitive are also the least likely to use it (really niche web forums and porn both seem to have a high rate of non-use of HTTPS).

In terms of best practices, if you have an office with waiting-room WiFi, or even if you just have lots of guests over to your house, I would have a separate "guest" network and not give out the password to your main network, and I'd make the main network's password very high-entropy (if you can remember it, it's probably not high enough entropy to survive an offline attack, unless you're really good at that sort of thing).

TBH, I don't even bother using encryption on my home's "guest" network; it's more convenient to just leave it open so that I don't have to deal with people asking me for the password, devices can just connect automatically (recent versions of Android will connect and then bring up a VPN back to the Google mothership, end-running WiFi security issues), etc. WPA2 adds so little security when the password is widely known and unchanging that I'd rather people just know and get the warnings that it's unsecured. (The whole but-my-neighbor-leeching-my-Internets is better solved by ratelimiting the guest network or per-client, if you have an AP with reasonably decent software. Using WPA for this is not the tool for the job, IMO.)
posted by Kadin2048 at 12:38 PM on October 16, 2017 [9 favorites]


AFABulous, from what I've read about the attack here and elsewhere, patching this issue on the router is irrelevant to nearly all users. The attack is against Wi-Fi clients: the computers, smartphones, and other devices that connect to your router. It's only important to patch your router for this issue if it's set up in a "range extender" or "bridge" mode, where your router is itself connected to another Wi-Fi network in order to extend the range of the wireless signal.

That's the good news. The bad news is that routers are terrible about updates. Most routers I see are set up to automatically download and install new updates, but manufacturers often don't bother to patch older models. And routers supplied by ISPs often have customized software, so any updates would need to wind their way through the ISP's release process. If you want to make sure your router is running the latest available software, the process typically involves connecting to the router's web interface from a browser on a device connected to the router, logging in with the admin username and password, finding the updates page, and clicking a 'check for updates' button. All the details can vary from router to router, and they should be documented in the manual. A few recent high-end routers are managed from a smartphone app, so with those you would just check for updates from the app.
posted by skymt at 1:09 PM on October 16, 2017


So I know how to run Windows Update and how to update my iPhone, but will something just appear on my screen that says "click here to update router"? I have looked at most of the links in this thread and none of them explain exactly what I need to do. Do I need to call AT&T? I feel like it's kind of rude to scare people without giving them some guidance.

If you have one of the Motorola Mobility/Arris gateways, AT&T can push updates automatically.
posted by Samizdata at 1:12 PM on October 16, 2017


iOS & mac OS: Couldn't find information, presumably vulnerable.

Via Rene Ritchie's Twitter, "Apple has confirmed to me that #wpa2 #KRACK exploit has already been patched in iOS, tvOS, watchOS, macOS betas."

https://twitter.com/reneritchie/status/919988216501030914

No word about patches for Apple's now discontinued Airport and Time Capsule APs.
posted by nathan_teske at 1:38 PM on October 16, 2017


that is a frustratingly ambiguous tweet. so only beta versions are patched? did Apple not get the 90 days notice that everyone else did, is that why they've said nothing about it?
posted by indubitable at 1:47 PM on October 16, 2017


No word about patches for Apple's now discontinued Airport and Time Capsule APs.

They're still selling Airport devices. Which means they should be still providing updates. No idea whether they actually will or if so how fast they'll do it.
posted by aubilenon at 1:48 PM on October 16, 2017


I ran a firmware update for my Airport Extreme a few days ago
posted by thelonius at 1:49 PM on October 16, 2017


This is why it's nice to run a very nerdy OS like arch-linux! That link is dense but the patch came out really fast.
posted by sammyo at 2:45 PM on October 16, 2017


I am still trying to work out who is this overlap area in the venn diagram of "people who know wifi has crypto" and "people who trust it for anything at all ever".
posted by rum-soaked space hobo at 2:49 PM on October 16, 2017 [1 favorite]


From the link evilmonk posted:

Android is the issue, which is why the research paper concentrates on it. The issue with Android is people largely don’t patch.

This is technically true, but the implication here (or at least the way I read it) is that "lol lazy Android users, never patching their shit." As someone who had to spend weeks waiting for OnePlus to put out the September security patch with the Blueborne fix, I can tell you: it's not a user problem, it's a MANUFACTURER problem, and it will continue to be a manufacturer problem for the foreseeable future. I don't even know if Google themselves have the power to mandate timely security releases from other manufacturers because technically no one can restrict Android installs; the best Google can do is revoke licenses for Google-related apps like Google Play Store.

For a long time now, I've felt like Android was this promise of something amazing (an open smartphone operating system you can install yourself!) followed by harsh reality (splintered install base, updates left to the whim of manufacturers, can't install your own copy of the OS without voiding your warranty, etc.).
posted by chrominance at 4:51 PM on October 16, 2017 [6 favorites]


The original article explains why they focus on Android.
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key [emphasis theirs] ... When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted
posted by aubilenon at 5:36 PM on October 16, 2017 [1 favorite]


evilmonk: old versions of android are fine

Do you have a source for that, please?
posted by Too-Ticky at 7:03 AM on October 17, 2017


> I ran a firmware update for my Airport Extreme a few days ago

The current firmware version for Airport Extreme and Time Capsule is 7.7.8, which was released in January. If you only installed an update a few days ago, it's that one. Apple hasn't issued a patch relevant to this exploit yet.
posted by ardgedee at 9:15 AM on October 17, 2017 [2 favorites]


swr: "The password can be cracked offline. All it takes is passive interception of a few packets, some modest hardware, and a bit of time. PBKDF2 is used with 4096 iterations, which is better than nothing but unless you use a really long and random passphrase you should expect it to be easily broken."

Is 60 bits enough entropy or should I change my AP password?
posted by Mitheral at 7:36 PM on October 17, 2017


Is 60 bits enough entropy

Maybe for now, but it's closer to the wind than I like, and given the low rate at which I enrol devices on wifi networks I can't see a good reason not to go longer.

For some years now I've been using five dot-separated groups of five randomly selected lowercase letters for wifi passwords, like this: ijzzm.wkjdb.kppio.qqgpi.boybl

Passwords in this format can be accurately transcribed by hand and don't require Shift keystrokes to enter on a touchscreen device's soft keyboard, making that process only mildly annoying.

Assuming that the attacker already knows that this is the format I'm using, it yields a keyspace of 2625 or about 117 bits, which is adequate: an offline cracker checking a billion trillion keys per second would still need over a million years to work through half that space. Neither Moore's Law nor quantum computing are likely to alter the practical consequences of those numbers before I die or WPA2 does.

By way of contrast, a cheap GPU rig capable of checking a billion keys per second could work through half your 60-bit key space in under 20 years. Whether that's enough of a margin against the pace of technological change for you is your call.
posted by flabdablet at 11:07 PM on October 17, 2017 [1 favorite]


I'm using diceware to generate passwords (nominally 12.9 bits per word, five words is actually 64 bits). Adding a couple words is easy peasy. And easier to share with other household members than random characters. Maybe I'll kick it to 8 words/100 bits.
posted by Mitheral at 9:18 AM on October 18, 2017


Sounds fine to me.

And it's 2017, so we might even be past the era of shitty WAPs that stop connecting after you save and then restore configurations including WPA2 passphrases containing spaces, which was my original motivation for using dot separators instead.

Don't get me started on Apple ID password rules.
posted by flabdablet at 11:44 AM on October 18, 2017


For a long time now, I've felt like Android Life was this promise of something amazing ... followed by harsh reality
posted by Greg_Ace at 6:49 PM on October 20, 2017 [1 favorite]


« Older They were just drug dealers in lab coats.   |   Roses are red, violets are blue, omae wa mou... Newer »


This thread has been archived and is closed to new comments