From owner-freebsd-questions@FreeBSD.ORG Wed Apr 24 22:45:58 2013
Date: Wed, 24 Apr 2013 23:45:52 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID: <20130424234552.420e116d@gumby.homeunix.com>
References: <20130423010407.25a73c92@gumby.homeunix.com>
X-Mailer: Claws Mail 3.9.0 (GTK+ 2.24.17; amd64-portbld-freebsd10.0)

On Wed, 24 Apr 2013 16:16:32 -0400
Michael Powell wrote:

> Alejandro Imass wrote:
>
> [snip]
>
> >>> Most consider the answer to use WPA2, which I do use too. Many
> >>> think it is 'virtually' unbreakable, but this really is not true;
> >>> it just takes longer. I've done WPA2 keys in as little as 2-3
> >>> hours before.
> >>
> >> Are you saying that any WPA2 key can be cracked or are you simply
> >> referring to weak keys?
> >
> > I would also like to know specifically if it's for weak keys or are all
> > WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
> > as weak also. Could anyone expand on how weak is WPA2 and WPA2
> > Enterprise or is this related to weak PSKs only?
> >
>
> I'm just a lowly sysadmin and not any kind of crypto expert. The
> problem is time and horsepower. While a ridiculously easy key of say
> 4 characters that is not salted may be doable on a PC, once you start
> to get to 8-9 characters or more the time it takes begins to get huge
> fast. It's a matter of can you tie up the resource long enough to
> wait it out.

Right, but if you were to strip-mine the earth's crust and turn all the
silicon into GPU cores you still wouldn't even come close to
brute-forcing AES256 before the sun turns into a red giant.

If you're saying that WPA is inadequate because weak keys can be
brute-forced then the answer is don't use a weak key. If someone breaks
such a key then that's pilot error, not an inherent weakness in WPA.

Use a key with 100-256 bits of entropy.

> What I do at home is concatenate 2 ham radio call signs of friends
> that I can remember. Then I sha256 that and select from the end
> backwards 15 characters.

60 bits tops - assuming that there was 60 bits of entropy in the hashed
data. My key is only twice as long, but about
40,000,000,000,000,000,000,000,000,000 times better at resisting a brute
force attack.

> This won't actually defeat the inherent
> weakness of using a pre-shared key, but it will take longer for a
> simple brute force. You should also throw in additional characters
> from your character set beyond just alpha/numerics.

That's good advice for natural language pass phrases where there is only
about 1 bit of entropy per character. IMO it's easier to type a high
entropy password using only characters that won't need shifting on any
device, i.e. random lower-case letters.
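The entropy arithmetic behind the reply above, as an added worked example that is not part of the thread or written by any of its participants. It puts numbers on both schemes discussed: 15 hex characters taken from a SHA-256 digest are at most 60 bits (and no more than the entropy of the hashed call signs, which is assumed here to be a generous 60 bits), while the "twice as long" key is assumed to be 30 uniformly random characters from a 36-symbol lower-case-plus-digits alphabet, which reproduces the roughly 4e28 ratio quoted in the reply. It also shows how to draw a WPA2 passphrase from the OS CSPRNG using only unshifted lower-case letters, as the reply recommends.

```python
import math
import secrets
import string

# Alphabets and the entropy one uniformly random character drawn from them carries.
HEX_DIGITS = "0123456789abcdef"                        # what a SHA-256 hex digest is made of
LOWER = string.ascii_lowercase                          # 26 symbols, no Shift key needed
LOWER_DIGITS = string.ascii_lowercase + string.digits   # 36 symbols ("alpha/numerics")


def bits_per_char(alphabet: str) -> float:
    """Entropy (bits) of one character chosen uniformly from `alphabet`."""
    return math.log2(len(alphabet))


def key_entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a key made of `length` independent, uniform characters."""
    return length * bits_per_char(alphabet)


def sha256_tail_bits(tail_chars: int, input_entropy_bits: float) -> float:
    """Entropy of the last `tail_chars` hex characters of a SHA-256 digest.

    A hash cannot create entropy: the output is bounded both by the 4 bits each
    hex character can hold and by the entropy of whatever was hashed (two
    memorable call signs are unlikely to reach 60 bits of randomness).
    """
    return min(tail_chars * bits_per_char(HEX_DIGITS), input_entropy_bits)


def brute_force_ratio(bits_a: float, bits_b: float) -> float:
    """Expected guesses for a key of bits_b entropy divided by those for bits_a."""
    return 2.0 ** (bits_b - bits_a)


def generate_psk(length: int = 30, alphabet: str = LOWER) -> str:
    """Draw a WPA2-Personal passphrase from the OS CSPRNG.

    WPA2-Personal passphrases are 8 to 63 printable ASCII characters, so any
    other length is rejected rather than silently truncated.
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Put numbers on the two schemes from the thread.

    Assumptions made here, not stated in the thread: the call-sign input is
    credited with a generous 60 bits, and the "twice as long" key is 30
    uniformly random characters from the 36-symbol LOWER_DIGITS alphabet.
    """
    callsign_tail = sha256_tail_bits(15, input_entropy_bits=60)
    random_30_lower = key_entropy_bits(30, LOWER)
    random_30_alnum = key_entropy_bits(30, LOWER_DIGITS)
    return {
        "callsign_sha256_tail_bits": callsign_tail,      # 60
        "random_30_lower_bits": random_30_lower,         # ~141
        "random_30_alnum_bits": random_30_alnum,         # ~155
        "alnum_vs_callsign_ratio": brute_force_ratio(callsign_tail, random_30_alnum),  # ~4e28
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:>28}: {value:.3g}")
    print("example 30-char lower-case PSK:", generate_psk())
```

The ratio function is the whole point of the reply: every extra bit of entropy doubles the expected work of a brute-force search, so a 95-bit gap between the two schemes is a factor of about 4e28, whatever hardware the attacker has. The 60-bit figure is an upper bound; if the hashed call signs carry less entropy than that, `sha256_tail_bits` reports the smaller number, since hashing only disguises a weak input, it does not strengthen it.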