Re: Intruder in my wireless network? / intrusion detection programs



In article <0Jn8g.75798$eR6.11895@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>, John Navas <spamfilter0@xxxxxxxxxxxxxx> wrote:
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <Wdl8g.68788$_S7.37333@xxxxxxxxxxxxxxxxxxxxxxxxxx> on Wed, 10 May 2006
12:43:34 GMT, "moncho" <moncho990009@xxxxxxxxxxxxxxxxxx> wrote:

"John Navas" <spamfilter0@xxxxxxxxxxxxxx> wrote in message
news:uKO7g.39891$Fs1.33748@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

5. Set a strong wireless pass-phrase, at least 20 characters worth of random
words (e.g., "highway soothe location bard great furry" [but NOT this one]).

I am a little naive on password cracking algorithms so I figured I would ask
this question.
I have noticed many individuals and companies have started using
passwords like "highway soothe location bard great furry". Is this type of
password any less secure than say "jdieJKndk&ksjjs2$djJOEksl@" since the
previous password has dictionary words?

Password/phrase strength is defined in terms of entropy, which can be
calculated. The advantage of a passphrase of random real words is that it's
easier for people to work with, reducing the chance of error and of people
writing it down in an insecure way. The drawback is that it takes more
characters to achieve the same level of entropy as a password of random
characters. But if sufficient extra characters are used a passphrase of
random real words can have just as much entropy (strength) as a password of
random characters.

A good way to generate a strong passphrase is with "diceware words" -- see
<http://world.std.com/~reinhold/diceware.html>, and the Diceware FAQ
<http://world.std.com/~reinhold/dicewarefaq.html>:

How long should my passphrase be?
...
In their February 1996 report, "Minimal Key Lengths for Symmetric
Ciphers to Provide Adequate Commercial Security" a group of
cryptography and computer security experts -- Matt Blaze, Whitfield
Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric
Thompson, and Michael Weiner -- stated:

"To provide adequate protection against the most serious threats...
keys used to protect data today should be at least 75 bits long. To
protect information adequately for the next 20 years ... keys in
newly-deployed systems should be at least 90 bits long."

A five-word Diceware passphrase has an entropy of at least 64.6 bits;
six words have 77.5 bits, seven words 90.4 bits, eight words 103
bits, four words 51.6 bits. Inserting an extra letter at random adds
about 10 bits of entropy. Here is a rough idea of how much protection
various lengths provide, based on updated estimates by A.K. Lenstra
(See www.kelength.com). Needless to say, projections for the far
future have the most uncertainty.

* Four words are breakable with a hundred or so PCs.
* Five words are only breakable by an organization with a large budget.
* Six words appear unbreakable for the near future, but may be within the
range of large organizations by around 2014.
* Seven words and longer are unbreakable with any known technology, but
may be within the range of large organizations by around 2030.
* Eight words should be completely secure through 2050.

Entropy of random passwords can be estimated from NIST guidelines (Special
Publication 800-63, Electronic Authentication Guideline). For random
passwords of all printable characters the entropy is about 6.6 bits per
character. *Thus 12 random characters from the entire printable set would be
needed for 79.2 bits of entropy, roughly the same as six diceware words.*

A narrower range of characters decreases entropy bits per character, and would
thus have to be longer for the same level of entropy. Non-randomness likewise
decreases entropy bits per character.


I am and remain utterly amazed at how many people think James Bond (or M)
are trying to break into their home networks. It is just mind numbing. I
guess preaching fear has worked really well, the terrorists are coming, the
commies are under your bed and the boogie man is behind that tree.
Reality check:
Even the simplest passphrase is more than enough to secure your home
network. James Bond and the NSA ARE NOT trying to hack your network. In an
office environment this might be different, but if you have that large a
concern at the office, stick to a wired network.

Diceware phrases and the Beale list, give me a break and try to return to
reality. The dog's name is more than enough for a passphrase for your home
network. You can even be secure behind WEP encryption. NONE of your
neighbors is installing Linux on his laptop so he can sit outside your
house and break into your network and anyone who tells you otherwise is
just plain nuts. It isn't happening and has never happened on a home
network. John, you are the security 'expert' please provide a single
documented instance of a home network being violated that was employing
even the simplest of passphrases for either WEP or WPA. Come on I dare you.
(not some it can be done crap, a case where it HAS been done in the real
world and not the CS lab at Dumb Ass U.)

Never happened, all this stuff above is just so much fodder for the scare
mongers. Concerned about your bank accounts, this data is sent using secure
sockets, the security of your network is not your exposure.

Boo the boogie man is out to hack your internet connection... What a joke.

fundamentalism, fundamentally wrong.
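
Added example, not part of any poster's message: the entropy arithmetic quoted from John Navas's reply above, turned into a calculator plus a dice-style passphrase picker. It assumes a 94-character printable set (which gives about 6.55 bits per character rather than the rounded 6.6) and uses a constructed placeholder word list in place of the real Diceware list.

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5   # five dice rolls pick one of 7776 words
PRINTABLE = 94            # assumed: printable ASCII without the space

def entropy_bits(symbols, alphabet_size):
    """Entropy of `symbols` independent, uniformly random picks."""
    return symbols * math.log2(alphabet_size)

def min_symbols(target_bits, alphabet_size):
    """Fewest uniformly random picks that reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def roll_key(rolls=5):
    """Simulate fair dice with the OS CSPRNG, e.g. '43612'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))

def key_to_index(key):
    """Position of a dice key in a list ordered 11111..66666 (base 6)."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index

def passphrase(wordlist, words=6):
    """Pick each word independently; the list must have all 7776 entries."""
    if len(wordlist) != DICEWARE_WORDS:
        raise ValueError("expected a 7776-entry word list")
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(words))

# Constructed placeholder list; substitute the real Diceware word list.
SAMPLE_LIST = [f"w{i:04d}" for i in range(DICEWARE_WORDS)]

if __name__ == "__main__":
    for n in range(4, 9):
        print(f"{n} words: {entropy_bits(n, DICEWARE_WORDS):.1f} bits")
    # Lengths needed for the 75-bit and 90-bit thresholds quoted above.
    for name, size in [("diceware words", DICEWARE_WORDS),
                       ("printable chars", PRINTABLE),
                       ("lowercase letters", 26), ("digits", 10)]:
        print(f"{name}: {min_symbols(75, size)} for 75 bits, "
              f"{min_symbols(90, size)} for 90 bits")
    print(passphrase(SAMPLE_LIST))
```

These figures hold only when every word or character is chosen uniformly at random; a phrase a person makes up has less entropy than its length suggests.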