|
Last summer, my family moved across town into a new home. This meant we would have to get a new internet service provider. After paying for the service, I was charged with setting up the new wireless router for the house (because my parents are cheap like that). In doing so, I learned a great deal about wireless security.
This began my interest in penetration testing my network's security. In my research I found an incredibly convenient OS called ---- (based off of Ubuntu, making it very easy to run). It contained a vast suite of applications that can be used in pen testing. Almost immediately, I found that the WEP encryption was terrible and the WPA2 was considerably better.
Basically, the WEP encryption algorithm has been deciphered and can literally be cracked in under three minutes with remedial DOS-like commands. To do this, all that is required is a little bit of time to eat up some of the packets of information floating around and a program will decode it.
The WPA2, on the other hand, has a considerably more complex algorithm. Only one out of the two types has been cracked (as far as I can recall; please correct me if otherwise). For this, a brute-force attack is the most basic and simple; thus, the most probable attack on this kind of network encryption. Using the ---- security applications it can be done with some success. The wordlists involved could potentially be hundreds of gigabytes long and can take hours to compile (and that's just in a .txt file... think about how many words that could be). That said, the casual penetration tester would simply look online to find a moderate pre-compiled list that might be 20 gigs or less to test with.
From my very basic knowledge of the technique, the wordlists are generally compiled around certain aspects or themes. For instance, I have seen a wordlist compiled that contained every single phone number to the corresponding region (4-5 gigs). In my opinion, knowing how these wordlists are compiled is essential to avoid getting cracked by the nefarious entities that roam our shared airspace.
Thus, after taking a shower, I had an epiphany that WPA2 passwords should involve a limited amount of 1337 (leet) speak in them to add a small dust-like layer of encryption. For instance the hypothetical password:
tasteless = 74ste13s5
Personally, I'm not a fan of a random password like jejn295d2i09i. As a password, it would be rather difficult to remember. Using 1337 speak is a basic encryption that can help make a simple, tangible password a stronger password.
I don't think any casual cracker script kiddie would compile such a password involving such a random, discombobulated assortment of characters. Some people actually say that 1337 speak was developed for avoiding word filters in IRC boards. Though that may not be the truth, I think it is a viable technique for password protection.
Essentially, I'm just trying to emphasize having strong password protection for wireless routers. If using the WEP encryption, I strongly recommend changing it to one of the WPA2's and then setting the password with something tangible and adding a layer of protection by implementing 1337 speak.
*note: I'm not a cracker. I have only pen tested on my own router at home so I may better understand the technology behind it. If I really wanted to get free wireless internet, I would drive five minutes away to my local McDonald's and get some lunch while I'm at it (I'm rather waif, I need the fat).
EDIT: fixed some grammar since Bush's No Child Left Behind program didn't work.
|
By writing this blog you just ruined the security of your method. Congrats.
|
All of my passwords are translated into 1337 speak. I would imagine that most dictionary attacks include some letters substituted with their corresponding numbers, but of course it's not tractable to account for all of them. The best passwords imo are esoteric phrases or abbreviations translated into 1337 speak so they are easy to remember. For example, getreaverdropped -> g37r3av3rdr0pp3d. No dictionary attack is going to get that.
|
I think it's very easy to generate a new dictionary from the old one just by substituting some letters. Of course it increases the entropy of your password, but I still think it's better to just use a random one.
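Added example, not part of the original post: a small strength check that undoes leet substitutions before a dictionary lookup, using the thread's own sample passwords. The `LEET` table, the three-word `WORDLIST` and all function names are constructed for this illustration.

```python
import math
from itertools import product

# Assumed substitution table, constructed for this example; real strength
# meters and rule sets use larger tables.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Reverse map: digit -> letters it may stand for ('1' is ambiguous: i or l).
REVERSE = {}
for letter, digit in LEET.items():
    REVERSE.setdefault(digit, []).append(letter)

# Constructed stand-in for a real dictionary file.
WORDLIST = {"tasteless", "password", "dragon"}


def added_bits(word):
    """Bits of search space gained if each substitutable letter is
    independently kept or swapped (2 choices per such letter)."""
    return sum(ch in LEET for ch in word.lower())


def random_bits(length, alphabet_size):
    """Bits in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def deleet(password):
    """Every plain-letter reading of a password, undoing LEET."""
    options = [REVERSE.get(ch, [ch]) for ch in password.lower()]
    return {"".join(combo) for combo in product(*options)}


def is_disguised_dictionary_word(password, wordlist=WORDLIST):
    """True if some reading of the password is a known word."""
    return not deleet(password).isdisjoint(wordlist)


if __name__ == "__main__":
    for pw in ("74ste13s5", "jejn295d2i09i"):
        print(pw, "-> dictionary word:", is_disguised_dictionary_word(pw))
    print("leet adds at most", added_bits("tasteless"), "bits to 'tasteless'")
    print("13 random chars from [a-z0-9]:", round(random_bits(13, 36), 1), "bits")
```

With this table, every letter of "tasteless" is substitutable, so the disguise adds at most 9 bits on top of the dictionary word, against roughly 67 bits for a 13-character random string over lowercase letters and digits.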
|
I use hexadecimal. Also, lol, posting this at 13:37 KST.
Anyways, so Apa7HY for example becomes 4171616779, which is kind of a bad example because it's all numbers. Okay okay, fine, how about..."johnsmith"? 6a6f686e736d697368. Pretty secure password I think.
Edit: Baww, spent too long typing. Should have posted and edited in what I wanted to say.
|
Interesting idea, but how do you remember 74ste13s5 instead of 7a573l35s? Seems like you'll end up memorizing more than just the text regardless.
|
I actually used the 1337 speak method to make my previous simple dictionary word more secure. I took it one step further, which you should also: have varying case of letters, i.e. xXyYzZ. The easy way I went about this was I just made the first and last letters upper case and made the rest in the middle lower case.
|
I just use my dog's name lol
|
I've always used something like "mykeyisso888simple", never have had security problems and stuff like that is easy to remember.
|
I just use some stupid meme or something very personal to me that I can remember, since that's the best type of entropy. I did put one as 1337 though, because they generally require you to have a number.
|
I do use it in my passwords but with a completely made up word though. It kind of secures the password against vocabulary attack -.-
EDIT:
*note: I'm not a cracker.
Props for using the right word! People get it confused so often..
|
I have always used simple combinations like 1234567890, qwertyuiop, otherwise I forget them.
Now I have to change my password on TL...
|
My main password and its spinoffs are actually some guy's name on useast I used to play with, from a loong time ago (we played on proving grounds, if that's any indication haha). It was pretty stupid, but I was like 12. Luckily it actually turned out to be a nice combination of letters and numbers, and I've added caps to it, so it's pretty good.
For your idea: it works. You can also try replacing i's with !s, as even a single symbol will boost the strength of your password significantly according to some random website which probably has no merit, but hey, can't hurt =)
|
On June 21 2010 14:06 FiBsTeR wrote: Interesting idea, but how do you remember 74ste13s5 instead of 7a573l35s? Seems like you'll end up memorizing more than just the text regardless.
If you've already got that memorized, my suggestion would be quite irrelevant. As I stressed in the OP, I prefer to have something tangible that relates to the password and it is strictly just a preference. I actually used to use passwords that could be typed in with only one hand like hi9jon or ugh0kmon or tearever234. I never really had any idea how vulnerable I was. So adding things like leet speak is just a small step up but a significant one.
Apa7HY, dude... whatever your password is, I'm sure it's intense. I'd hate to type that in without a number pad.
Oh and I just remembered some news article I read some time back about CIA encryption. They would purposely misspell words to confuse cipher machines. I believed the technique was used on one of the monuments in the lobby of some government building. It took well over fifty years to crack it. Just some food for thought.