Please, please, can we have the same for WiFi?! Trade a key with the AP when you first associate, and be done with it. The entire concept of a WiFi password is a *%^$ waste of time.
I'd like you to come and crack my WPA2 password. It's not because wifi has had various bad issues that current wifis with a proper configuration aren't secure.
Heck, in many countries, wifi routers actually use WPA2 with a pregenerated shared key, which is a good 24 chars long and fully random. Incredibly easy to guess or crack! (It's very, very hard to crack.)
I imagine this can only possibly work with unencrypted WiFi.
Still boggles my mind that WiFi clients don't establish an encryption key with the AP and encrypt their traffic even without a shared secret. Yes, that means you can't authenticate the AP, but it would still protect against passive snooping.
I feel like there are easier ways to get someone's wifi credentials, particularly with the weak passwords folks tend to use (I am guilty of this as well).
The false sense of security is what WPA2 gives anyway. Coffee house has a password on their wifi? Great, then only someone with the password can impersonate the AP, which is only... everyone.
You can't tell everybody something and still use it as a secret.
What they should be doing is putting the public key of the AP on the wall as a QR code.
Or the real solution, which is for everything to be end-to-end encrypted regardless.
Yes: I still don't have an easy way to authenticate the network I'm joining. All I have is an SSID name but no public key or fingerprint thereof with which to authenticate the network. When I go to someone's home it'd be nice if they could post a QR code for their guest Wi-Fi network and all I'd have to do is scan it to join it. Plus a QR code could elide the need for a password.
Why is Google having my Wifi password a bad thing? I'd be happy to let EVERYONE have it, and the only thing I fear is neighbour teenagers overloading the connection with torrents so that it's not usable for me.
As long as I expect them not to overload my wifi too much, I'm perfectly happy with Google or FBI or KGB or friends or random strangers to have that wifi password.
If wifi routers were good at traffic shaping / quality of service tech, I'd put no passwords at all on wifi devices - if a neighbour wants to browse some web, then it's a good deed to make it easier.
If you're running an actual corporate network then a wifi password had better not be the sum total of the protection.
For home use - who cares? It would be a sizable mission to make use of the password...and that would get them what? A couple of lolcats and my skyrim saved games? Nice.
For some reason I'm surprised we've had so many issues with Wi-Fi security.
I don't know if it was addressed in WPA3 (or if it would be addressed there), but my understanding is that a good chunk of the protocol isn't authenticated at all, such as the de-auth packets.
In a world with growing HTTPS support, OpenVPN, WireGuard, etc. and we can't secure a wifi network with a shared key?
Or I could just dump a Raspberry Pi Zero W attached to a 10000 mAh power bank in your garden, and wait for it to capture a 4-way handshake. Retrieve the data from the Pi, and throw some serious cloud computing power at it while bruteforcing the password.
Granted, it's going to take longer (perhaps), but chances are you'll never notice until it is too late. Of course, most users won't notice new devices on their Wifi anyway.
People keep forgetting that Wifi is per definition insecure. It's not a point to point technology, and every single packet you send is broadcast in a wide area around you.
Furthermore, all current authentication methods, WEP/WPA/WPA2 (excluding WPA3 for now, as it has yet to see wide adoption), have all been cracked in one way or another.
I don't think you understand how WPA works. It's not like the client just sends a password. A shared key is mutual authentication. If putting up a network with a target SSID leaked data, WiFi would be completely broken.
>We need WiFi that is open and encrypted at the same time!
There is currently no WiFi protocol that allows anybody to join the network, while using link-layer encryption to prevent each network member from eavesdropping on the others. But such a protocol should exist.
It boggled my mind, repeatedly, when I discovered that non-password-protected wireless networks don't generate a unique encryption key for each connection. Boggle, I say. Sure, public key cryptography used to be too computationally expensive, but not any more. And even if it were, Diffie-Hellman has been around for quite a while, go ahead and use symmetric keys.
What the hell is wrong with our standards groups? And hardware manufacturers? There are trivial solutions to this, why haven't they pushed them?
Who says they need to use wifi? I expect a significant proportion of those passwords are shared with other systems, or may allow access to other corporate services - most likely VPN.
For a while I was hoping they meant wi-fi. We sure as hell need WPA3, with some decent security for a change (for example, preventing everyone who knows the key from snooping and injecting traffic or getting rid of this DEAUTH nonsense).