WPA-PSK Cracking As a Service

An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"

Build a dictionary!

[Anonymous Coward]

So for $34 you can make sure your password is part of their dictionary?

Re:One problem

[ctmurray]

I think the tool is not being sold to people wanting to crack into a WiFi network, rather selling to people so that they can test their WiFi network.

And Slashdot is promoting this

[ClosedSource]

because?

Well at least you can say Moxie has Moxie.

[al0ha]

$34 to see if your password can survive a dictionary attack? Hell pay me $20 and I'll gladly save you some money and provide you with a password guaranteed to be unbreakable by brute force. I'll even sign an NDA to ensure I don't disclose it to anyone but rest assured even I won't be able to remember it!

Re:One problem

[vivian]

Alternatively you could actually not be an asshat, get on with your neighbour and negotiate with them (over a 6 pack of beer) to allow legal access in the event of an outage.

Re:One problem

[Gothmolly]

Isn't it cheaper, easier, and less douchebaggy to just get an aircard?

Re:One problem

[cbiltcliffe]

Because I really find value in testing my OWN network.

If you don't, then you don't really understand security.
The point is, these dictionaries are already available to the people with their evil bit set.
If you're going "nobody's going to figure out this password," especially if you're running a business, you really should be _making sure_ that nobody's going to figure it out, rather than going on faith.

Unless you have a multi-tens-of-millions word dictionary yourself, so you can make sure that your WPA passphrase isn't in it, you're not properly protecting your network.

Re:Well at least you can say Moxie has Moxie.

[VoidCrow]

But that's vulnerable to a statistical analysis of the preferred distribution of cat turds. Maybe you should randomise it by giving them catnip every time they take a dump?

Re:One problem

[GameboyRMH]

Well then it sounds like you have enough users connecting for plausible deniability. If it's only you and your neighbor sharing a private AP, you have the downsides of both the single-house private AP (no plausible deniability) and open AP (can't be sure what's passing over your network) approaches. The blame will fall on the owner of the connection that handled the offending traffic. If he downloads loli or pop culture warez over your connection and the authorities / the MAFIAA take notice, you're fucked, and all he has to do (assuming router logs are nonexistent / have been rotated out) to get off the hook is delete your AP password from his machine (which he can do when he sees the cops bust down your door / your name in the media). Once it's your word against his, you'll just seem like a guilty pedo / pirate trying to blame it on the neighbor.

Re:And Slashdot is promoting this

[geekmux]

And this matters because..

#1: It's IT-related

#2: It's Security IT-related

#3: Within IT, it has to do with one of the most prevalent technologies in use today.

#4: And finally, it's here, because it sure as hell ain't gonna show up on CNN or the nightly news "tech" corner. Well, at least not for another 6 months or so, when it's "breaking news" to them.