The solution I came up with is to use groups of lower case letters and numbers, or just a long random number. The key needed to be fairly easy to enter on both a keyboard and a mobile device, and not be unnecessarily large or insecurely small. One of the requirements I imposed was that the key had approx. 64 bits of entropy, which for a password is quite a bit, but was designed to eliminate brute force attacks within the key rotation schedule. With a key rotation requirement in place, entering a wifi key into every device was pretty time consuming. The bottom line is that if you limit your pool of unique characters (i.e. just use lowercase letters or digits) then you would need to increase the minimum password length.

For one of the businesses I work with, they need to allow employee access to their network, as well as various devices that report data back to a central server. So what this means for you is that out of x number of possible password combinations, how long would it take an attacker to 'guess' the correct one? The answer is a function of how many guesses the attacker can possibly make and how many guesses the attacker does actually make.

For instance, if you have a 4 digit long password and allow only digits 0-9, you would have 4^10 possible password combinations, this may seem like a high number but consider that an attacker could potentially 'guess' really quickly (depends on the resources thrown at the guessing algorithm). The basic point of password security (I'm oversimplifying here) lies in the concept of entropy which in this context means the difficulty in guessing. If you want security with ease of use, it may be easiest to just randomly generate a long password of nothing but lowercase letters (or numbers if you are using flip phones). 5-8 words should be plenty, and much easier to tell somebody one word at a time than painstakingly typing one character at a time while switching keyboards back and forth for the usual type of password.
Since it's a WiFi password you're probably going to write it down somewhere so generate as many words as you need for the level of security you want. This should let you choose a WiFi password that's easy to type in since it is all common words which you probably know how to spell, with no punctuation, yet is completely random. Instead use something like the 5000-word sample list from the Corpus of Contemporary American English or the New General Service List (2000-3000 words) for your source of words. This set of words is your password.

For WiFi passwords I recommend you don't use the standard Diceware list, because it includes a bunch of punctuation and the like which you want to avoid on smartphone keyboards or other places this is hard to enter. using dice or numbers from or a high-quality PRNG) choose some words from the list. That is, get a word list of a few thousand words, and randomly (i.e. I suggest using the concept used by diceware and made popular by a certain ubiquitous XKCD comic. This was suggested in a comment but isn't an answer yet for some reason. It also helps network performance for the device you're hard-wiring (giving it higher speed & reliability), as well as the devices you're leaving on WiFi (freeing up airtime for them). Again, this saves the headache of punching in the PSK when you really don't have to. If something doesn't need to move around, it doesn't really need to be wireless. Troy Hunt has a blog post on the subject that's worth a read. This saves you the headache of having to enter in the password (or talk someone through it) more often than you really need to, and reduces the attack surface of the network as well. Be very selective of who and what you allow onto your WiFi network. You'll generally only have to enter it once per device, so you're getting solid protection for practically zero impact to your daily life.
Pick a PSK as long and random as your router will allow. You can have a strong password, or you can have one that's easy to use and remember. Unfortunately, that's just the nature of the beast. The best passwords aren't even human-memorable. The really strong passwords aren't even fun to enter on a full QWERTY desktop keyboard, let alone any of the more limited UIs available on "smart" devices of any sort. The problem you have is one that cannot be worked around without weakening the strength of your password, because strong passwords will never be very human-usable regardless of what interface you're using to enter them. Soon enough, if not already, 12 will be too short too. Most good password advice (suggesting long passwords with characters randomly selected from a large character pool) will not ever go "out of date", except perhaps with regards to "minimum length" recommendations.
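
An added example (not part of the original post) of the trade-off described above: it computes how many random picks a given pool (digits, lowercase letters, a word list of 2000 or 5000 entries) needs to reach roughly 64 bits, and generates a grouped key or a word passphrase with Python's `secrets` module. The function names and the tiny `SAMPLE_WORDS` list are constructed for illustration; a real passphrase needs a list of a few thousand words.

```python
import math
import secrets
import string

def units_needed(pool_size: int, target_bits: float = 64) -> int:
    """Smallest number of uniformly random picks from the pool reaching target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `pool_size` options."""
    return count * math.log2(pool_size)

def random_key(alphabet: str, target_bits: float = 64, group: int = 4) -> str:
    """Random key from `alphabet`, hyphen-grouped so it is easier to read out and type."""
    n = units_needed(len(alphabet), target_bits)
    raw = "".join(secrets.choice(alphabet) for _ in range(n))
    return "-".join(raw[i:i + group] for i in range(0, n, group))

def passphrase(words: list[str], count: int) -> str:
    """Diceware-style passphrase: `count` words picked independently at random."""
    return " ".join(secrets.choice(words) for _ in range(count))

# Constructed stand-in list (assumption); far too small for real use.
SAMPLE_WORDS = ["river", "table", "green", "window", "paper", "music", "garden", "stone"]

if __name__ == "__main__":
    pools = [("digits", 10), ("lowercase", 26), ("lowercase+digits", 36),
             ("2000-word list", 2000), ("5000-word list", 5000)]
    for name, pool in pools:
        n = units_needed(pool)
        print(f"{name:18} {n:2} picks -> {entropy_bits(pool, n):.1f} bits")
    print(random_key(string.ascii_lowercase + string.digits))
    # Word count is sized for a 2000-word list; SAMPLE_WORDS only shows the output shape.
    print(passphrase(SAMPLE_WORDS, units_needed(2000)))
```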