
No way. “password” protects me from the neighbor torrenting movies or Googling bomb recipes or whatever, which is the bulk of the threat model for residential Wi-Fi.



I don't think my neighbors are sniffing my wifi traffic; I wouldn't think the password to be at risk.

The author is worried about WiFi passwords? If you trust that your WiFi is secure in general, you're in trouble. WPS is horribly insecure, for example, and that's what most home users use. Most user-chosen passwords are incredibly easy to guess for another. The better thing to do is to assume that your network traffic is always under surveillance (since the NSA is tapping Tier1 network providers), and to encrypt everything, or use network protocols which encrypt everything.

The only thing WiFi passwords are good for is to prevent your neighbors from using your network and using up all of your bandwidth (which would slow down your network access) and preventing drive-by spammers/hackers from doing things which you might then get blamed for.


Aren't two issues being conflated here? (1) Securing access to your wi-fi with a password so that your neighbor can't free-ride on your ISP and (2) Encrypting your wi-fi traffic so that your neighbor (or Google) can't spy on you.

Are wireless network passwords really that important? What is the threat model here? I’m trying to figure out the downside risk. Someone finds out your wireless password, figures out your address via an AGPS lookup and then … drives to your house and what? Steals your internet? Projects something on your smart tv? Turns your insecure smart lights on and off?

I can imagine that being effective as part of a complex spear phishing attack against a celebrity or something. But if someone dumpster dives and ends up finding my wifi password, why should I care?


Why is google having my Wifi password a bad thing? I'd be happy to let EVERYONE have it, and the only thing I fear is neighbour teenagers overloading the connection with torrents so that it's not usable for me.

As long as I expect them not to overload my wifi too much, I'm perfectly happy with google or FBI or KGB or friends or random strangers to have that wifi password.

If wifi routers were good at traffic shaping / quality of service tech, I'd put no passwords at all on wifi devices - if a neighbour wants to browse some web, then it's a good deed to make it easier.


You should still put a password on your Wi-Fi network to encrypt your traffic.

If you're relying on your wifi password for security, you're doing it wrong.

If you're running an actual corporate network then a wifi password had better not be the sum total of the protection.

For home use - who cares? It would be a sizable mission to make use of the password...and that would get them what? A couple of lolcats and my skyrim saved games? Nice.


It's only been in the last few years that home wifi routers came with passwords by default. Before that, they defaulted to open access with no password.

Probably not, but you don't need to give it your wifi password.

How does that solve anything? Your WiFi should already be password protected anyway. It's other people's routers with open networks you need to worry about.

In this space, if you have WPA3 then there's no benefit to having a "password" for WiFi which actually is public knowledge.

In WPA and WPA2 the password means network use is encrypted, which means a completely passive adversary can't just snoop the network so long as there's a password.

But in WPA3 even without a password everything is encrypted anyway, your station says "Hey, I'm joining this network here's a number" and the AP says "Welcome aboard, here's a different number" and now you've got encrypted networking. Obviously with no password the AP could be an imposter, but passive snooping is impossible.

On the other hand, if you're dead set on identifying users, there's no substitute for the Enterprise WiFi behaviour all the way from WPA onwards, where users have a username and password. Doing this locally for your home WiFi is very annoying, but at scale it's convenient yet able to be responsible. The entire world's academic community has a single such network, eduroam: if you're an MIT student and you happen to be in the library of a Polish university, your WiFi just works, or if you're a Cambridge professor giving a talk at the University of Sydney in Australia, same deal. The institution where you're a guest knows your identity (often email address), but doesn't see your credentials (password in most cases); it's trusting your home institution to validate that identity.
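
The passwordless exchange described in the comment above, as an added example that is not part of the original thread: both sides swap one public number, derive the same session key, and the station still cannot tell a real AP from an impostor. It assumes a toy finite-field Diffie-Hellman group (p = 2^255 - 19, g = 2) as a stand-in for the ECDH exchange used by WPA3's open mode (OWE, RFC 8110); all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption): real OWE uses ECDH, not this group.
P = 2**255 - 19   # a known prime, used here only for illustration
G = 2

def keypair():
    """Return (private, public) where public is the 'number' sent in the clear."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub, sta_pub, ap_pub):
    """Derive a key from the DH secret, bound to both public values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    # Loosely modelled on OWE's HKDF-extract: salt = station pub | AP pub.
    salt = sta_pub.to_bytes(32, "big") + ap_pub.to_bytes(32, "big")
    return hmac.new(salt, shared, hashlib.sha256).digest()

def honest_association():
    """Station and AP exchange public values; a listener sees only those."""
    sta_priv, sta_pub = keypair()
    ap_priv, ap_pub = keypair()
    k_sta = session_key(sta_priv, ap_pub, sta_pub, ap_pub)
    k_ap = session_key(ap_priv, sta_pub, sta_pub, ap_pub)
    return k_sta, k_ap

def impostor_in_path():
    """No password means no authentication: the station completes the same
    exchange with whoever answers, and ends up sharing a key with that party
    instead of the real AP."""
    sta_priv, sta_pub = keypair()
    ap_priv, ap_pub = keypair()
    imp_priv, imp_pub = keypair()
    # Station believes imp_pub is the AP's value; AP believes it is the station's.
    k_sta = session_key(sta_priv, imp_pub, sta_pub, imp_pub)
    k_imp_sta = session_key(imp_priv, sta_pub, sta_pub, imp_pub)
    k_imp_ap = session_key(imp_priv, ap_pub, imp_pub, ap_pub)
    k_ap = session_key(ap_priv, imp_pub, imp_pub, ap_pub)
    return k_sta, k_imp_sta, k_imp_ap, k_ap

if __name__ == "__main__":
    k_sta, k_ap = honest_association()
    print("honest keys match:", k_sta == k_ap)
    s, i1, i2, a = impostor_in_path()
    print("station and real AP share a key:", s == a)
```

The first case is the passive-snooping protection the comment describes; the second is why identifying the AP (or the user) still needs a credential or the Enterprise mode mentioned above.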


Put a password on your wifi, it has other security benefits as well.

Imagine if all wifi were open. Those TVs and other IoT appliances would happily upload whatever the hell they wanted without asking you anything.

I used to bemoan that more people don't maintain completely open wifi connections in the spirit of sharing (assuming you have unlimited Internet). But there's the upside to everyone putting a password: You can choke off all those household devices that demand Internet access!


Is your threat model really so severe that it includes someone driving to your house and connecting to your wifi network? Of all passwords, a wifi password is one you should _never_ reuse.

You could also inspect the source, it’s open source, or network requests.


It should be trivial to make the password write-only to the wifi electronics. For an attacker to get the wifi password, you'd have to remove the controller, and the controller could even be designed to mitigate against that attack too.

You don’t give your WiFi password to everyone that visits?

I wish! My wifi password at work is useful over a much larger area. It is also the login password for my email, the course management system I use when teaching, and pretty much everything else job related. I work at a university "powering silicon valley." You would think they might be a little more careful about things like that...

> Further, if the Wi-Fi network is not encrypted (an open insecure network with no password), then any user on the network can also read your traffic!

Is that situation any or much better when a password is set, but known, shared, or trivially cracked?
