WPA Weakness Discovered, but Easily Solved -- Following last week's article about the implementation of WPA (Wi-Fi Protected Access) in AirPort Extreme cards and base stations (see "AirPort 3.2 Update Adds New Security Options" in TidBITS-704), a security expert alerted me to a weakness in choosing keys for the WPA system. The weakness applies to the AirPort 3.2 update as well as to all other consumer WPA-enabled Wi-Fi systems. Basically, choosing a key comprised entirely of real words that are 20 characters or fewer leaves you open to that key being broken rather easily. The solution? Choose a longer key or invent 20 characters of gibberish. If you're particularly security-conscious, use the option Apple provides to enter 256 bits of encryption, which is 32 hexadecimal bytes or 64 hexadecimal digits! That's overkill, however. In last week's article, it wasn't clear why Apple even offers the hexadecimal option when other devices from Buffalo and Linksys don't; now it appears that Apple provides all of the options for entering WPA keys, where the other manufacturers don't. I've written more about this issue and posted my colleague's paper on the subject at Wi-Fi Networking News. [GF]

<http://wifinetnews.com/archives/002453.html>

Permanent article URL: http://db.tidbits.com/article/7426
This is a specially formatted version of this TidBITS article that removes colors, and optionally removes images; it's designed to minimize the use of ink and paper.
Unless otherwise noted, this article is copyright © 2003 TidBITS Publishing, Inc.. TidBITS is copyright © 2008 TidBITS Publishing Inc. Reuse governed by this Creative Commons License: http://www.tidbits.com/terms/.