CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Security

Researcher warns Wi-Fi users of bad passwords

A security expert warns users of the latest wireless network security standard, Wi-Fi Protected Access, to pick good passwords or risk being compromised.

A security expert has warned users of the latest wireless network security standard, Wi-Fi Protected Access, to pick good passwords or risk being compromised.

The Wi-Fi Protected Access (WPA) security specification sported by the latest wireless hardware includes a way for administrators--whether in a small business or home--to lock down their network using a single pass phrase. However, a poorly chosen code can still be attacked with brute force methods, such as a "dictionary attack," in which an attacker guesses at the password using a list of common words. That makes long random codes a key to security, Robert Moskowitz, senior technical director with ICSA Labs, said in a paper.

"The weakness is in poorly chosen keys and that's warned of in the standard," he said. "Most people use passphrases like RosesAreRed. But those things are in the dictionaries (used by attackers)."

While not a flaw in the standard, Moskowitz worries that users will not understand that their security entirely rests on the randomness of the password they chose for their network.

The WPA specification uses passwords to act as the keys that encrypt a network's communications. The specification allows for two types of key management: pre-shared keys, where everyone uses the same pass phrase, and managed keys, which use a server to assign a different key to each user.

Moskowitz's concerns are for home users and small offices that use the pre-shared key model. The choice of a simple key can lead to easily broken security.

Basically, an attacker could capture the initial data, or "handshake," between the wireless base station and a user's computer. The data can then be analyzed and attacked, by trying different passwords, at a later time. Such a brute-force method can be very effective when the network uses an easily guessable password, Moskowitz said.

However, if the network uses a long random code to secure the network, brute force attacks are almost impossible, he said.